					The Shared Assessments Program

INDUSTRY RELEVANCE DOCUMENT:
MAPPING OF THE SHARED ASSESSMENTS SIG TO THE AUP, ISO

Summary
This document provides a linkage between the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and c
standards. This linkage is presented in the form of a "map" that highlights the overlap between the SIG's controls questions

Scope
The scope of this document is limited to:
1. The Shared Assessments Agreed Upon Procedures (AUP)
2. ISO 27002
3. Control Objectives for Information and related Technology (COBIT) 4.1
4. PCI Data Security Standard (PCI DSS) 1.2
5. Federal Financial Institutions Examination Council (FFIEC) IT Examination Booklets

NOTE: Because the FFIEC Handbooks' numbers are limited, we have created the following identifiers for use in this document. T
Number, Bullet, then Hyphen. For example, Outsourcing, Tier One, Objective one is numbered as "O.

The book name abbreviations are as follows:




The Shared Assessments Program                           Page 1 of 191                                           Introduction
SIG Question # SIG Question Text                                                                  AUP 5.0 Relevance                                      ISO 27002:2005 Relevance                     COBIT 4.0 Relevance           PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance
               A. Risk Assessment and Treatment
                                                                                                                                                                                                                                                        IS.1.3.1
                                                                                                                                                                                                                                                        BCP.1.2.1
                                                                                                                                                                                                                                                        BCP.1.3.5
                                                                                                  A.1 IT & Infrastructure Risk Governance                                                                                                               MGMT.1.6.1.1
A.1            Is there a risk assessment program?                                                and Context                             4.1            Assessing Security Risks             N/A                                   12.1.2    12.1.2    OPS.1.3            PO9.4

                                                                                                                                                         Allocation of information security           Organisational placement of                       O.1.3.7            PO4.4, PO4.6, PO4.8,
A.1.1          Is there an owner to maintain and review the Risk Management program?              N/A                                       6.1.3        responsibilities                     PO4.4   the IT function               12.4      12.4      IS.1.3.3.2         PO4.9, PO4.10
                                                                                                                                                                                                                                                        IS.1.3.3
                                                                                                                                                                                                                                                        IS.1.3.3.1
                                                                                                                                                                                                                                                        IS.1.3.3.6
                                                                                                                                                                                                                                                        IS.1.3.3.7
                                                                                                                                                                                                                                                        IS.2.M.10.6
                                                                                                                                                                                                                                                        OPS.1.3.1
                                                                                                  A.1 IT & Infrastructure Risk Governance                                                                                                               FEDLINE.1.5.2.
A.1.2          Does the risk assessment program include:                                          and Context                             4.1            Assessing Security Risks             N/A                                   N/A       N/A       3 RPS.2.N.2.4      PO9.4
                                                                                                                                                                                                      IT and business risk                              IS.1.3.1.3
                                                                                                  A.2 IT & Infrastructure Risk Assessment                Business Continuity And Risk                 management alignment                              D&A.1.4.1.1        PO9.1, PO9.2, PO9.4,
A.1.2.1        A risk assessment?                                                                 Life Cycle                                14.1.2       Assessment                           PO9.1   management process            N/A       N/A       AUDIT.1.7.1.1      DS4.1, DS4.3
A.1.2.1.1      Has the risk assessment been conducted within the last 12 months?                  N/A                                       N/A                                               N/A                                   N/A       N/A       IS.2.I.1.1         N/A
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.2        Risk Governance?                                                                   and Context                               N/A                                               N/A                                   N/A       N/A       N/A                N/A
                                                                                                  A.1 IT & Infrastructure Risk Governance                                                                                                               IS.1.3.1.1
A.1.2.3        Range of business assets?                                                          and Context                               N/A                                               N/A                                   N/A       N/A       MGMT.1.5.2.1       N/A
                                                                                                  A.2 IT & Infrastructure Risk Assessment
                                                                                                  Life Cycle, K.2 Threat Type
A.1.2.3.1      Do the assets include the following:                                               Assessment                                4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
A.1.2.3.1.1    People?                                                                            N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.2    Process?                                                                           N/A                                       N/A                                               N/A                                   N/A       N/A       IS.1.3.4           N/A
A.1.2.3.1.3    Information (physical and electronic)?                                             N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.4    Technology (applications, middleware, servers, storage, network)?                  N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.5    Physical (buildings, energy)?                                                      N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.6    IT system management software (BSM, CMDB, Firewalls, IDS/IPS, etc.)?               N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.7    Servers?                                                                           N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.8    Storage?                                                                           N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.9    Communications?                                                                    N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.3.1.10   Physical facilities?                                                               N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.4        Range of threats?                                                                  and Context                               4.1          Assessing Security Risks             N/A                                   N/A       N/A       IS.1.3.1.2         PO9.4
                                                                                                  A.2 IT & Infrastructure Risk Assessment
A.1.2.4.1      Do the threats include the following:                                              Life Cycle                                N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.4.1.1    Malicious?                                                                         N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.4.1.2    Natural?                                                                           N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.4.1.3    Accidental?                                                                        N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.2.4.1.4    Business changes (e.g., transaction volume)?                                       N/A                                       N/A                                               N/A                                   N/A       N/A       RPS.1.1.4.1        N/A
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.5        Risk scoping?                                                                      and Context                               4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.6        Risk context?                                                                      and Context                               4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.7        Risk training plan?                                                                and Context                               4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.8        Risk scenarios?                                                                    and Context                               4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
               Have scenarios been created for a variety of events with a range of possible
A.1.2.8.1      threats that could impact the range of assets?                                     N/A                                       N/A                                               N/A                                   N/A       N/A       MGMT.1.5.2.1       N/A
               Do the scenarios include threat types impacting all assets resulting in business
A.1.2.8.2      impact?                                                                            N/A                                       N/A                                               N/A                                   N/A       N/A       IS.1.3.1.4         N/A
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.9        Risk evaluation criteria?                                                          and Context                               4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
                                                                                                  A.1 IT & Infrastructure Risk Governance
A.1.2.10       Alignment with industry standards (e.g., CobiT®, etc)?                             and Context                               N/A                                               N/A                                   N/A       N/A       IS.1.2.7           N/A
                                                                                                  A.1 IT & Infrastructure Risk Governance                                                                                                               D&A.1.4.1.2
A.1.3          Is there a formal strategy for each identified risk?                               and Context                               4.2          Treating Security Risks              N/A                                   N/A       N/A       MGMT.1.5.2.3       PO9.4
A.1.3.1        Does the strategy include:                                                         N/A                                       N/A                                               N/A                                   N/A       N/A       D&A.1.4.1.3        N/A
A.1.3.1.1      Risk acceptance?                                                                   N/A                                       4.2.b        Treating Security Risks              N/A                                   N/A       N/A       N/A                PO9.4

A.1.3.1.1.1    Is accepted risk reviewed on a periodic basis to ensure continued disposition?     N/A                                       4.1          Assessing Security Risks             N/A                                   N/A       N/A       N/A                PO9.4
A.1.3.1.2      Risk avoidance?                                                                    N/A                                       4.2.c        Treating Security Risks              N/A                                   N/A       N/A       N/A                PO9.4
A.1.3.1.3      Risk transfer?                                                                     N/A                                       4.2.d        Treating Security Risks              N/A                                   N/A       N/A       N/A                PO9.4
A.1.3.1.4      Insurance?                                                                         N/A                                       4.2.d        Treating Security Risks              N/A                                   N/A       N/A       N/A                PO9.4
               Is there a process in place that provides for responses to risk as assigned that   A.2 IT & Infrastructure Risk Assessment
A.1.4          include:                                                                           Life Cycle                                N/A                                               PO9.5   Risk response                 N/A       N/A       IS.1.3.3.4         N/A
A.1.4.1        Assignment of ownership?                                                           N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.4.2        Action plan?                                                                       N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.4.3        Status of response action items to closure?                                        N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
A.1.4.4        Status updates to management?                                                      N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A
                                                                                                  A.2 IT & Infrastructure Risk Assessment                                                             Maintenance and monitoring of
A.1.5          Is there a process to monitor all identified risks on an ongoing basis?            Life Cycle                                N/A                                               PO9.6   a risk action plan            N/A       N/A       MGMT.1.5.3         N/A
A.1.5.1        Does the process include the following:                                            N/A                                       N/A                                               N/A                                   N/A       N/A       N/A                N/A



The Shared Assessments Program                                                                                                                    Page 2 of 191                                                                                                    SIG to Industry Standard Relevance
SIG Question #   SIG Question Text                                                    AUP 5.0 Relevance                                      ISO 27002:2005 Relevance         COBIT 4.0 Relevance   PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance
A.1.5.1.1        A monitoring plan?                                                   N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.5.1.2        Monitoring data reviewed by management?                              N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.5.1.3        Action initiated where conditions are outside of defined controls?   N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.5.1.4        Report status on actions initiation?                                 N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
                                                                                      A.2 IT & Infrastructure Risk Assessment
A.1.5.2          Has the process been executed in the last 12 months?                 Life Cycle                                N/A                                     N/A                         N/A       N/A       N/A                N/A
                                                                                      A.2 IT & Infrastructure Risk Assessment
A.1.5.3          Has the process been updated in the last 12 months?                  Life Cycle                                N/A                                     N/A                         N/A       N/A       RPS.2.N.2.6        N/A
                                                                                      A.2 IT & Infrastructure Risk Assessment
A.1.5.3.1        Does the process update take into consideration the following:       Life Cycle                                N/A                                     N/A                         N/A       N/A       IS.1.3.3.3         N/A
A.1.5.3.1.1      Changes in the environment?                                          N/A                                       N/A                                     N/A                         N/A       N/A       IS.1.2.5           N/A
A.1.5.3.1.2      Data from monitoring?                                                N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
                                                                                      A.2 IT & Infrastructure Risk Assessment
A.1.6            Are controls identified for each risk discovered?                    Life Cycle                                4.2          Treating Security Risks    N/A                         N/A       N/A       IS.1.3.2           PO9.4
A.1.6.1          Are controls classified as:                                          N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.6.1.1        Preventive?                                                          N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.6.1.2        Detective?                                                           N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.6.1.3        Corrective?                                                          N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.6.1.4        Predictive?                                                          N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.7            Are controls evaluated during the following:                         N/A                                       N/A                                     N/A                         N/A       N/A       N/A                N/A
A.1.7.1          Project requirements specification phase?                            N/A                                       4.2          Treating Security Risks    N/A                         N/A       N/A       N/A                PO9.4
A.1.7.2          Project design phase?                                                N/A                                       4.2          Treating Security Risks    N/A                         N/A       N/A       N/A                PO9.4




The Shared Assessments Program                                                                                                        Page 3 of 191                                                                                SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                   AUP 5.0 Relevance                                    ISO 27002:2005 Relevance                          COBIT 4.0 Relevance       PCI 1.1      PCI 1.2      FFIEC              COBIT 4.1 Relevance

               B. Security Policy
                                                                                                                                                                                                                                                                                 PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                          IT policy and control                                                  PO6.5, DS5.2, DS5.3,
B.1            Is there an information security policy?                                            N/A                                     5.1.1        Information Security Policy Document     PO6.1    environment               12.1         12.1         IS.1.4.1           ME2.1

                                                                                                                                                                                                                                                                                 PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                                 PO6.3, PO9.4, DS5.2,
                                                                                                   B.2 Information Security Policy                                                                        Technological direction                             MGMT.1.5.1.4       DS5.3, ME2.2, ME2.5,
B.1.1          Which of the following leadership levels approve the information security policy:   Maintenance                             5.1.2        Review of Information Security Policy    PO3.1    planning                  N/A          N/A          AUDIT.1.2.3        ME2.7, ME4.7
B.1.1.1        Board of directors?                                                                 N/A                                     N/A                                                   N/A                                N/A          N/A          IS.1.4.2.7         N/A
B.1.1.2        CEO?                                                                                N/A                                     N/A                                                   N/A                                N/A          N/A          N/A                N/A
B.1.1.3        C-level executive?                                                                  N/A                                     N/A                                                   N/A                                N/A          N/A          N/A                N/A
B.1.1.4        Senior leader?                                                                      N/A                                     N/A                                                   N/A                                N/A          N/A          N/A                N/A
B.1.1.5        Other (Please explain in the "Additional Information" column)?                      N/A                                     N/A                                                   N/A                                N/A          N/A          N/A                N/A
                                                                                                                                                                                                                                                                                 PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                          IT policy and control                                                  PO6.5, DS5.2, DS5.3,
B.1.2          Has the security policy been published?                                             N/A                                     5.1.1        Information Security Policy Document     PO6.1    environment               12.1         12.1         N/A                ME2.1

| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| B.1.3 | Is there an owner to maintain and review the policy? | B.1 Information Security Policy Content | 5.1.2, 6.1.3 Review of Information Security Policy, Allocation of information security responsibilities | PO3.1 Technological direction planning | 12.5.1 | 12.5.1 | IS.1.4.2 | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.3.1 | Does security own the content of the policy? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.4 | Do information security policies contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.4.1 | Definition of information security? | N/A | 5.1.1.a Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.2 | Objectives? | N/A | 5.1.1.a Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.3 | Scope? | N/A | 5.1.1.a Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.4 | Importance of security as an enabling mechanism? | N/A | 5.1.1.a Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.5 | Statement of Management Intent? | N/A | 5.1.1.b Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.6 | Risk assessment? | N/A | 5.1.1.c Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | IS.1.3.3.5 | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.7 | Risk management? | N/A | 5.1.1.c Information Security Policy Document | PO6.1 IT policy and control environment | 12.1.2 | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.8 | Legislative, regulatory, and contractual compliance requirements? | N/A | 5.1.1.d.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.9 | Security awareness training/education? | N/A | 5.1.1.d.2 Information Security Policy Document | PO6.1 IT policy and control environment | 12.1.1, 12.6 | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.10 | Business continuity? | N/A | 5.1.1.d.3 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | IS.1.4.1.12, BCP.1.4.3.1 | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.11 | Penalties for non-compliance with corporate policies? | N/A | 5.1.1.d Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | IS.1.4.2.2 | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.12 | Responsibilities for information security management? | N/A | 5.1.1.e Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.4.13 | References to documentation to support policies? | N/A | 5.1.1.f Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| B.1.5 | Are the following topics covered by policies: | B.1 Information Security Policy Content | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.1 | Acceptable use? | N/A | 7.1.3 Acceptable use of assets | PO4.10 Supervision | 12.1.1, 12.3.5 | 12.1.1, 12.3.5 | IS.1.4.1.1.1 | PO4.10, PO6.2 |
| B.1.5.2 | Access control? | N/A | N/A | N/A | 8, 12.1.1, 12.5.5 | 8, 12.1.1, 12.5.5 | IS.1.4.1.1 | N/A |
| B.1.5.3 | Application security? | N/A | N/A | N/A | 6, 12.1.1 | 6, 12.1.1 | IS.1.4.1.3.3 | N/A |
| B.1.5.4 | Change control? | N/A | N/A | N/A | 6, 12.1.1 | 6, 12.1.1 | IS.1.4.1.8 | N/A |
| B.1.5.5 | Clean desk? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.6 | Computer and communication systems access and use? | N/A | N/A | N/A | 2, 4, 12.1.1 | 2, 4, 12.1.1 | IS.1.4.1.1, IS.1.4.1.2.3, IS.1.4.1.3.3, IS.1.4.1.4.3 | N/A |
| B.1.5.7 | Data handling? | N/A | N/A | N/A | 3.1, 12.1.1 | 3.1, 12.1.1 | IS.1.4.1.10 | N/A |

| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| B.1.5.8 | Desktop computing? | N/A | N/A | N/A | 2, 12.1.1 | 2, 12.1.1 | IS.1.4.1.4 | N/A |
| B.1.5.9 | Disaster recovery? | N/A | N/A | N/A | N/A | N/A | IS.1.4.1.12 | N/A |
| B.1.5.10 | Email? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.11 | Constituent accountability? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.12 | Encryption? | N/A | N/A | N/A | 3.4.1, 4.1, 12.1.1 | 3.4.1, 4.1, 12.1.1 | IS.1.4.1.6 | N/A |
| B.1.5.13 | Exception process? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.14 | Information classification? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.15 | Internet/Intranet access and use? | N/A | N/A | N/A | 4, 12.1.1 | 4, 12.1.1 | IS.1.4.1.2 | N/A |
| B.1.5.16 | Mobile computing? | N/A | N/A | N/A | 12.3.8, 12.1.1 | 12.3.8, 12.1.1 | IS.1.4.1.4 | N/A |
| B.1.5.17 | Network security? | N/A | N/A | N/A | 1, 2, 12.1.1 | 1, 2, 12.1.1 | IS.1.4.1.2 | N/A |
| B.1.5.18 | Operating system security? | N/A | N/A | N/A | 2.2, 12.1.1 | 2.2, 12.1.1 | IS.1.4.1.3.2, IS.1.4.1.4.2 | N/A |
| B.1.5.19 | Personnel security and termination? | N/A | N/A | N/A | 12.4, 12.7, 12.1.1 | 12.4, 12.7, 12.1.1 | IS.1.4.1.9 | N/A |
| B.1.5.20 | Physical access? | N/A | N/A | N/A | 9, 12.1.1 | 9, 12.1.1 | IS.1.4.1.5 | N/A |
| B.1.5.21 | Policy maintenance? | N/A | N/A | N/A | 12.1 | 12.1 | N/A | N/A |
| B.1.5.22 | Privacy? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.23 | Remote access? | N/A | N/A | N/A | 12.3.8, 12.3.9, 12.10.1, 12.1.1 | 12.3.8, 12.3.9, 12.10.1, 12.1.1 | IS.1.4.1.2.4 | N/A |
| B.1.5.24 | Security incident and privacy event management? | N/A | N/A | N/A | 12.1.1, 12.5.3 | 12.1.1, 12.5.3 | N/A | N/A |
| B.1.5.25 | Secure disposal? | N/A | N/A | N/A | 9.10, 12.1.1 | 9.10, 12.1.1 | IS.1.4.1.10 | N/A |
| B.1.5.26 | Use of personal equipment? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| B.1.5.27 | Vulnerability management? | N/A | N/A | N/A | 11, 12.1.1 | 11, 12.1.1 | N/A | N/A |
| B.1.6 | Have the policies been reviewed in the last 12 months? | B.2 Information Security Policy Maintenance | 5.1.2 Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | IS.1.4.2.7 | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7 | Is there a process to review published policies? | N/A | 5.1.2, 6.1.8 Review of Information Security Policy | PO3.1 Technological direction planning | 12.1.3 | 12.1.3 | IS.1.7.1 | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7.1 | Does the review of policies include the following: | N/A | N/A | N/A | N/A | N/A | IS.1.4.2.6 | N/A |
| B.1.7.1.1 | Feedback from interested parties? | N/A | 5.1.2.a Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7.1.2 | Results of independent reviews? | N/A | 5.1.2.b Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7.1.3 | Status of preventative or corrective actions? | N/A | 5.1.2.c Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7.1.4 | Results of previous management reviews? | N/A | 5.1.2.d Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7.1.5 | Process performance? | N/A | 5.1.2.e Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| B.1.7.1.6 | Policy compliance? | N/A | 5.1.2.e Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |


                                                                                                                                                                                                                                                                    PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                    PO6.3, PO9.4, DS5.2,
                                                                                                                                                                                                     Technological direction                                        DS5.3, ME2.2, ME2.5,
B.1.7.1.7      Changes that could affect the approach to managing information security?              N/A                               5.1.2.f      Review of Information Security Policy   PO3.1    planning                  N/A       N/A       N/A              ME2.7, ME4.7

                                                                                                                                                                                                                                                                    PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                    PO6.3, PO9.4, DS5.2,
                                                                                                                                                                                                     Technological direction                                        DS5.3, ME2.2, ME2.5,
B.1.7.1.8      Trends related to threats and vulnerabilities?                                        N/A                               5.1.2.g      Review of Information Security Policy   PO3.1    planning                  N/A       N/A       N/A              ME2.7, ME4.7

                                                                                                                                                                                                                                                                    PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                    PO6.3, PO9.4, DS5.2,
                                                                                                                                                                                                     Technological direction                                        DS5.3, ME2.2, ME2.5,
B.1.7.1.9      Reported information security incidents?                                              N/A                               5.1.2.h      Review of Information Security Policy   PO3.1    planning                  N/A       N/A       N/A              ME2.7, ME4.7

                                                                                                                                                                                                                                                                    PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                    PO6.3, PO9.4, DS5.2,
                                                                                                                                                                                                     Technological direction                                        DS5.3, ME2.2, ME2.5,
B.1.7.1.10     Recommendations provided by relevant authorities?                                     N/A                               5.1.2.i      Review of Information Security Policy   PO3.1    planning                  N/A       N/A       N/A              ME2.7, ME4.7

                                                                                                                                                                                                                                                                    PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                    PO6.3, PO9.4, DS5.2,
                                                                                                     B.2 Information Security Policy                                                                 Technological direction                                        DS5.3, ME2.2, ME2.5,
B.1.7.2        Is a record of management review maintained?                                          Maintenance                       5.1.2        Review of Information Security Policy   PO3.1    planning                  N/A       N/A       N/A              ME2.7, ME4.7
B.1.7.3        Is there a process to assess the risk presented by exceptions to the policy?          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.1.7.4        Is there a process to approve exceptions to the policy?                               N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.1.7.4.1      Does security own the approval process?                                               N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
                                                                                                                                                                                                                                                   IS.1.4.2.1 E-
B.2            Is there an Acceptable Use Policy?                                                    N/A                               7.1.3        Acceptable use of assets                PO4.10   Supervision               12.3.5    12.3.5    BANK.1.4.2.10    PO4.10, PO6.2
B.2.1          Has the Acceptable Use Policy been reviewed within the last 12 months?                N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
               Are constituents required to review and accept the policy at least every 12           B.3. Employee Acknowledgment of                                                                                                               IS.1.4.2.5
B.2.2          months?                                                                               Acceptable                        N/A                                                  N/A                                N/A       N/A       IS.2.A.2.7     N/A
                                                                                                                                                                                                                                                                  PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                     IT policy and control                                        PO6.5, DS5.2, DS5.3,
B.3            Are any policy(ies) process(es) or procedure(s) communicated to constituents?         N/A                               5.1.1        Information Security Policy Document    PO6.1    environment               N/A       N/A       N/A            ME2.1
                                                                                                                                                                                                                                                                  PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                     IT policy and control                         MGMT.1.2.1.15. PO6.5, DS5.2, DS5.3,
B.3.1          Is the information security policy communicated to constituents?                      N/A                               5.1.1        Information Security Policy Document    PO6.1    environment               12.1      N/A       1              ME2.1
               Is the information security policy communicated via the following; to the following
B.3.1.1        constituents:                                                                         N/A                               N/A                                                  N/A                                N/A       N/A       IS.1.4.2.4       N/A
B.3.1.1.1      Email:                                                                                N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.1.1    Full time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.1.2    Part time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.1.3    Contractors?                                                                          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.1.4    Temporary workers?                                                                    N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.2      Intranet or Bulletin Board:                                                           N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.2.1    Full time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.2.2    Part time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.2.3    Contractors?                                                                          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.2.4    Temporary workers?                                                                    N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.3      Documentation Repository:                                                             N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.3.1    Full time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.3.2    Part time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.3.3    Contractors?                                                                          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.3.4    Temporary workers?                                                                    N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.4      Instructor Lead Training:                                                             N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.4.1    Full time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.4.2    Part time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.4.3    Contractors?                                                                          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.4.4    Temporary workers?                                                                    N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.5      Web Based Training:                                                                   N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.5.1    Full time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.5.2    Part time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.5.3    Contractors?                                                                          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.5.4    Temporary workers?                                                                    N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.6      Physical media (e.g., paper, CD, etc.):                                               N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.6.1    Full time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.6.2    Part time employees?                                                                  N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.6.3    Contractors?                                                                          N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A
B.3.1.1.6.4    Temporary workers?                                                                    N/A                               N/A                                                  N/A                                N/A       N/A       N/A              N/A





C. Organizational Security

C.1 | Is there an information security function responsible for security initiatives within the organization? | N/A | 6.1.1 Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | IS.1.7.4, MGMT.1.6.1.6 | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2 | Is there an individual or group responsible for security within the organization? | N/A | 6.1.1 Management commitment to information security | PO3.3 Monitoring of future trends and regulations | 12.5 | 12.5 | IS.1.7.5, MGMT.1.2.1.1 | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1 | Does this individual or group have the following responsibilities: | N/A | N/A Management commitment to information security | N/A | N/A | N/A | D&A.1.3.1 | N/A
C.2.1.1 | Identify information security goals that meet organizational requirements? | N/A | 6.1.1.a Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.2 | Integrate information security controls into relevant processes? | N/A | 6.1.1.a Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.3 | Formulate, review and approve information security policies? | N/A | 6.1.1.b Management commitment to information security | PO3.3 Monitoring of future trends and regulations | 12.5.1 | 12.5.1 | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.4 | Review the effectiveness of information security policy implementation? | N/A | 6.1.1.c Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.5 | Approve major initiatives to enhance information security? | N/A | 6.1.1.d Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.6 | Provide needed information security resources? | N/A | 6.1.1.e Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.7 | Approve assignment of specific roles and responsibilities for information security? | N/A | 6.1.1.f Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | IS.1.4.2.3 | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.8 | Initiate plans and programs to maintain information security awareness? | N/A | 6.1.1.g Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.9 | Ensure the implementation of information security controls is coordinated? | N/A | 6.1.1.h Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.10 | Develop and maintain an overall security plan? | N/A | 6.1.1 Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.11 | Review advice from external information security specialists? | N/A | 6.1.1 Management commitment to information security | PO3.3 Monitoring of future trends and regulations | N/A | N/A | N/A | PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
C.2.1.12 | Coordination of information security from different parts of the organization? | N/A | 6.1.2 Information security co-ordination | PO4.4 Organisational placement of the IT function | N/A | N/A | N/A | PO4.4, PO4.5, PO4.6, PO4.8, PO4.10, PO6.5, DS5.1, DS5.2, DS5.3

                                                                                                                                                                                                                                                         PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                         PO6.3, PO9.4, DS5.2,
                                                                                                                                        Review Of The Information Security           Technological direction                                             DS5.3, ME2.2, ME2.5,
C.2.1.13       Review and monitor information security / privacy incidents or events?                  N/A                 5.1.2.h      Policy                               PO3.1   planning                       N/A       N/A       IS.2.M.1.2       ME2.7, ME4.7




| C.2.1.13.1 | Assets and security processes with each particular system are identified and clearly defined? | N/A | 6.1.3.a Allocation of information security responsibilities | PO4.4 Organisational placement of the IT function | N/A | N/A | N/A | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 |
| C.2.1.13.2 | Definition of authorization levels? | N/A | 6.1.3.c Allocation of information security responsibilities | PO4.4 Organisational placement of the IT function | N/A | N/A | N/A | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 |
| C.2.1.13.3 | Implementation / execution of security processes in support of policies? | N/A | 6.1.3.b Allocation of information security responsibilities | PO4.4 Organisational placement of the IT function | N/A | N/A | N/A | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 |
| C.2.1.13.4 | Monitor significant changes in the exposure of information assets? | N/A | 6.1.3.b Allocation of information security responsibilities | PO4.4 Organisational placement of the IT function | 12.5.2 | 12.5.2 | N/A | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 |
| C.2.2 | Are information security responsibilities allocated to an individual or group? | N/A | 6.1.3 Allocation of information security responsibilities | PO4.4 Organisational placement of the IT function | N/A | N/A | N/A | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 |
| C.2.3 | Is there an authorization process for new information processing facilities? | N/A | 6.1.4 Authorization process for information processing facilities | PO4.3 IT steering committee | N/A | N/A | N/A | PO4.3, PO4.4, PO4.9, AI1.4, AI2.4, AI7.6, DS5.7 |
| C.2.4 | Is a process or procedure maintained that specifies when and by whom authorities should be contacted? | N/A | 6.1.6 Contact with authorities | PO4.15 Relationships | N/A | N/A | N/A | PO4.15, DS4.1, DS4.2, ME3.1, ME3.3, ME3.4 |
| C.2.5 | Are contacts with information security special interest groups, specialist security forums, or professional associations maintained? | N/A | 6.1.7 Contact with special interest groups | PO4.15 Relationships | N/A | N/A | IS.1.6.3 | PO4.15, DS4.1, DS4.2 |
| C.2.6 | Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.) | N/A | 6.1.8 Independent review of information security | PO6.4 Policy rollout | N/A | N/A | IS.2.M.12 | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 |
| C.2.6.1 | If so, is there a remediation plan to address findings? | N/A | 6.1.8 Independent review of information security | PO6.4 Policy rollout | N/A | N/A | N/A | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 |
| C.2.7 | Is there an individual or group responsible for ensuring compliance with security policies? | N/A | 15.2.1 Compliance with security policies and standards | PO4.8 Responsibility for risk, security and compliance | 12.6.2 | N/A | N/A | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 |
| C.2.8 | Are key Information Technology constituents identified? | N/A | N/A | PO4.13 Key IT personnel | N/A | N/A | IS.1.6.7 | N/A |
| C.2.8.1 | Are there backup plans in place for replacement of key IT constituents? | N/A | N/A | PO4.13 Key IT personnel | N/A | N/A | IS.1.6.7 | N/A |
| C.3 | Does management require the use of confidentiality or non-disclosure agreements? | N/A | 6.1.5 Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | IS.1.5.3, IS.2.F.3 | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1 | Does the confidentiality or non-disclosure agreement contain the following: | N/A | N/A | N/A | N/A | N/A | IS.2.M.16 | N/A |
| C.3.1.1 | Definition of the information to be protected? | N/A | 6.1.5.a Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.2 | Expected duration of an agreement? | N/A | 6.1.5.b Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.3 | Required actions when an agreement is terminated? | N/A | 6.1.5.c Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.4 | Responsibilities and actions of signatories to avoid unauthorized information disclosure? | N/A | 6.1.5.d Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.5 | Ownership of information, trade secrets and intellectual property? | N/A | 6.1.5.e Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.6 | The permitted use of confidential information, and rights of the signatory to use information? | N/A | 6.1.5.f Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | IS.2.M.17 | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.7 | The right to audit and monitor activities that involve confidential information? | N/A | 6.1.5.g Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.8 | Process for notification and reporting of unauthorized disclosure or confidential information breaches? | N/A | 6.1.5.h Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | IS.1.6.10, IS.1.6.11.2, IS.1.6.11.3 | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.9 | Terms for information to be returned or destroyed when the agreement has expired? | N/A | 6.1.5.i Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.3.1.10 | Expected actions to be taken in case of a breach of this agreement? | N/A | 6.1.5.j Confidentiality agreements | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 |
| C.4 | Is access to Target Data provided to, or are the processing facilities utilized by, external parties? | N/A | 6.2 External parties | N/A | 12.1 | 12.1 | N/A | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 |
| C.4.1 | Is a risk assessment of external parties performed? | N/A | 6.2.1 Identification of risks related to external parties | PO4.14 Contracted staff policies and procedures | N/A | N/A | IS.1.5.1, IS.1.5.4, O.1.2.1, O.1.3.5, MGMT.1.6.1.5, O.1.2.1.2, E-BANK.1.4.2.13, RPS.1.2.1.5 | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 |
| C.4.1.1 | Is access to Target Data prohibited prior to: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| C.4.1.1.1 | Risk assessment being conducted? | N/A | 6.2.1 Identification of risks related to external parties | PO4.14 Contracted staff policies and procedures | N/A | N/A | RPS.1.8.4, RPS.1.11.1.3 | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 |
| C.4.1.1.2 | Any findings of the external parties risk assessment are either remediated or a remediation plan is in place? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| C.4.2 | Are agreements in place when customers access Target Data? | N/A | 6.2.2 Addressing security when dealing with customers | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.4 |
| C.4.2.1 | Do contracts with third party service providers who may have access to Target Data include: | C.2 Dependent Service Provider Agreements | 6.2.3 Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | IS.1.5.2, O.1.3.4, O.2.C.2, IS.2.J.1, D&A.1.6.1.11, WPS.1.2.2.1, WPS.1.2.2.3, E-BANK.1.3.2.6, RPS.1.1.5.6, RPS.1.3.2.2, RPS.1.8.4 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 |
| C.4.2.1.1 | Non-Disclosure agreement? | N/A | 6.2.1 Identification of risks related to external parties | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 |
| C.4.2.1.2 | Confidentiality Agreement? | N/A | 6.2.3.b.7 Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | RPS.2.O.4.8 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 |
| C.4.2.1.3 | Media handling? | N/A | 6.2.3.b.7 Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 |
| C.4.2.1.4 | Requirement of an awareness program to communicate security standards and expectations? | N/A | 6.2.3.d Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 |
| C.4.2.1.5 | Responsibilities regarding hardware and software installation and maintenance? | N/A | 6.2.3.f Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 |
| C.4.2.1.6 | Clear reporting structure and agreed reporting formats? | N/A | 6.2.3.g Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 |
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                                        DS2.3, DS2.4, DS5.1,
C.4.2.1.7        Clear and specified process of change management?                                N/A                              6.2.3.h      agreements                                PO4.14     procedures                        N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                                        DS2.3, DS2.4, DS5.1,
C.4.2.1.8        Notification of change?                                                          N/A                              6.2.3.h      agreements                                PO4.14     procedures                        N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                                        DS2.3, DS2.4, DS5.1,
C.4.2.1.9        A process to address any identified issues?                                      N/A                              6.2.3.h      agreements                                PO4.14     procedures                        N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                                        DS2.3, DS2.4, DS5.1,
C.4.2.1.10       Access control policy?                                                           N/A                              6.2.3.i      agreements                                PO4.14     procedures                        N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                         IS.2.J.5       DS2.3, DS2.4, DS5.1,
C.4.2.1.11       Breach notification?                                                             N/A                              6.2.3.j      agreements                                PO4.14     procedures                        N/A       N/A       RPS.2.N.5.2.10 ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                         E-BANK.1.3.2.1 DS2.3, DS2.4, DS5.1,
C.4.2.1.12       Description of the product or service to be provided?                            N/A                              6.2.3.k      agreements                                PO4.14     procedures                        N/A       N/A       RPS.2.O.4.1    ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                 Description of the information to be made available along with its security                                                    Addressing security in third party                   Contracted staff policies and                                        DS2.3, DS2.4, DS5.1,
C.4.2.1.13       classification?                                                                  N/A                              6.2.3.k      agreements                                PO4.14     procedures                        N/A       N/A       RPS.2.N.5.2.4 ME2.6
                                                                                                                                                                                                                                                           O.1.3.4.1      PO4.14, PO6.4,
                                                                                                                                                                                                                                                           D&A.1.6.1.11.1 PO8.3, AI5.2, DS2.2,
                                                                                                                                               Addressing security in third party                    Contracted staff policies and                         AUDIT.2.F.2.7  DS2.3, DS2.4, DS5.1,
C.4.2.1.14       SLAs?                                                                            N/A                              6.2.3 l & m agreements                                 PO4.14     procedures                        N/A       N/A       RPS.2.O.4.2    ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                                        DS2.3, DS2.4, DS5.1,
C.4.2.1.15       Audit reporting?                                                                 N/A                              6.2.3.m      agreements                                PO4.14     procedures                        N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                                          PO4.14, PO6.4,
                                                                                                                                                                                                                                                                          PO8.3, AI5.2, DS2.2,
                                                                                                                                                Addressing security in third party                   Contracted staff policies and                         IS.2.M.10.2 E- DS2.3, DS2.4, DS5.1,
C.4.2.1.16       Ongoing monitoring?                                                              N/A                              6.2.3.n      agreements                                PO4.14     procedures                        N/A       N/A       BANK.1.3.3.1   ME2.6



The Shared Assessments Program                                                                                                           Page 9 of 191                                                                                                             SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                   AUP 5.0 Relevance                ISO 27002:2005 Relevance                      COBIT 4.0 Relevance             PCI 1.1   PCI 1.2   FFIEC          COBIT 4.1 Relevance
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.17     A process to regularly monitor to ensure compliance with security standards?        N/A                 6.2.3.n      agreements                           PO4.14   procedures                      12.8      12.8      N/A            ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.18     Onsite review?                                                                      N/A                 6.2.3.o      agreements                           PO4.14   procedures                      N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                      E-             PO4.14, PO6.4,
                                                                                                                                                                                                                                      BANK.1.3.2.17 PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       RPS.2.N.5.2.18 DS2.3, DS2.4, DS5.1,
C.4.2.1.19     Right to audit?                                                                     N/A                 6.2.3.o      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.6    ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.20     Right to inspect?                                                                   N/A                 6.2.3.o      agreements                           PO4.14   procedures                      N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                      E-             PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       BANK.1.3.2.10 DS2.3, DS2.4, DS5.1,
C.4.2.1.21     Problem reporting and escalation procedures?                                        N/A                 6.2.3.p      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.N.5.2.11 ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.22     Business resumption responsibilities?                                               N/A                 6.2.3.q      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.20   ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                      RPS.2.N.5.2.3 PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       RPS.2.O.1.7    DS2.3, DS2.4, DS5.1,
C.4.2.1.23     Indemnification/liability?                                                          N/A                 6.2.3.r      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.10   ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.24     Privacy requirements?                                                               N/A                 6.2.3.s      agreements                           PO4.14   procedures                      N/A       N/A       D&A.1.6.1.11.2 ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                      RPS.1.11.2.5   PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       RPS.2.N.5.2.8 DS2.3, DS2.4, DS5.1,
C.4.2.1.25     Dispute resolution?                                                                 N/A                 6.2.3.s      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.12   ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.26     Choice of law?                                                                      N/A                 6.2.3.s      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.18   ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                      E-             PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       BANK.1.3.2.15 DS2.3, DS2.4, DS5.1,
C.4.2.1.27     Data ownership?                                                                     N/A                 6.2.3.t      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.7    ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.28     Ownership of intellectual property?                                                 N/A                 6.2.3.t      agreements                           PO4.14   procedures                      N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                      E-             PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       BANK.1.3.2.13 DS2.3, DS2.4, DS5.1,
C.4.2.1.29     Involvement of the third party with subcontractors?                                 N/A                 6.2.3.u      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.14   ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                       RPS.2.O.4.4    DS2.3, DS2.4, DS5.1,
C.4.2.1.29.1   Security controls these subcontractors need to implement?                           N/A                 6.2.3.u      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.O.4.15   ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
                                                                                                                                    Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.30     Termination/exit clause?                                                            N/A                 6.2.3.v      agreements                           PO4.14   procedures                      N/A       N/A       RPS.2.N.5.2.18 ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
               Contingency plan in case either party wishes to terminate the relationship before                                    Addressing security in third party            Contracted staff policies and                       E-             DS2.3, DS2.4, DS5.1,
C.4.2.1.31     the end of the agreements?                                                          N/A                 6.2.3.v.1    agreements                           PO4.14   procedures                      N/A       N/A       BANK.1.3.2.11 ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
               Renegotiation of agreements if the security requirements of the organization                                         Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.32     change?                                                                             N/A                 6.2.3.v.2    agreements                           PO4.14   procedures                      N/A       N/A       N/A            ME2.6
                                                                                                                                                                                                                                                     PO4.14, PO6.4,
                                                                                                                                                                                                                                                     PO8.3, AI5.2, DS2.2,
               Current documentation of asset lists, licenses, agreements or rights relating to                                     Addressing security in third party            Contracted staff policies and                                      DS2.3, DS2.4, DS5.1,
C.4.2.1.33     them?                                                                               N/A                 6.2.3.v.3    agreements                           PO4.14   procedures                      N/A       N/A       N/A            ME2.6
C.4.2.1.34     Compliance with security standards?                                                 N/A                 N/A                                               N/A                                      N/A       N/A       RPS.2.O.4.9    N/A
C.4.2.1.35     Insurance requirements?                                                             N/A                 N/A                                               N/A                                      N/A       N/A       RPS.2.O.4.16   N/A
               Requirements for dependent service providers located outside of the United
C.4.2.1.36     States?                                                                             N/A                 N/A                                               N/A                                      N/A       N/A       N/A             N/A
C.4.2.1.37     Constituent screening practices?                                                    N/A                 N/A                                               N/A                                      N/A       N/A       N/A             N/A




The Shared Assessments Program                                                                                               Page 10 of 191                                                                                                   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                     AUP 5.0 Relevance             ISO 27002:2005 Relevance                             COBIT 4.0 Relevance             PCI 1.1   PCI 1.2   FFIEC          COBIT 4.1 Relevance
                                                                                                                                                                                                                            IS.1.4.1.11
                                                                                                                                                                                                                            O.2.D.4        PO4.14, DS2.1,
                                                                                                                   Identification of risks related to external          Contracted staff policies and                       AUDIT.1.13.1   DS2.3, DS5.4, DS5.9,
C.4.3          Is there an independent audit performed on dependent third parties?   N/A                 6.2.1     parties                                     PO4.14   procedures                      12.8.1    12.8.1    RPS.1.11.2.3   DS5.11, DS12.3

               D. Asset Management
                                                                                                                                                                                                                                                                             PO4.14, PO6.4,
                                                                                                                                                                                                                                                                             PO8.3, AI5.2, DS2.2,
                                                                                                                                                                                                                                                                             DS2.3, DS2.4, DS5.1,
D.1            Is there an asset management program?                                           N/A                                     7.1          Responsibility For Assets              N/A                                        N/A       N/A       N/A                ME2.6
                                                                                                                                                                                                    Enterprise information
D.1.1          Is there an asset management policy?                                            B.1 Information Security Policy Content 7.1.1        Inventory Of Assets                    PO2.1    architecture model                N/A       N/A       N/A                PO2.2, DS9.2, DS9.3

                                                                                                                                                                                                                                                                             PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                             PO6.3, PO9.4, DS5.2,
                                                                                                                                                    Review Of The Information Security              Technological direction                                                  DS5.3, ME2.2, ME2.5,
D.1.1.1        Has it been approved by management?                                             N/A                                     5.1.2        Policy                                 PO3.1    planning                          N/A       N/A       N/A                ME2.7, ME4.7
                                                                                                                                                                                                                                                                             PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                    IT policy and control                                                    PO6.5, DS5.2, DS5.3,
D.1.1.2        Has it been communicated to all constituents?                                   N/A                                     5.1.1        Information Security Policy Document   PO6.1    environment                       N/A       N/A       N/A                ME2.1

                                                                                                                                                    Allocation Of Information Security              Organisational placement of                                              PO4.4, PO4.6, PO4.8,
D.1.1.3        Is there an owner to maintain and review the policy?                            N/A                                     6.1.3        Responsibilities                       PO4.4    the IT function                   N/A       N/A       N/A                PO4.9, PO4.10
                                                                                                                                                                                                                                                          D&A.1.11.1.1
                                                                                                                                                                                                                                                          OPS.1.4.1
                                                                                                                                                                                                    Enterprise information                                OPS.2.12.A
D.1.2          Is there an inventory of hardware/software assets?                              D.1 Asset Accounting and Inventory      7.1.1        Inventory Of Assets                    PO2.1    architecture model                N/A       N/A       RPS.1.2.2.5        PO2.2, DS9.2, DS9.3
D.1.2.1        Does the inventory record the following attributes:                             N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
D.1.2.1.1      Asset control tag?                                                              N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.E.11      N/A
D.1.2.1.2      Operating system?                                                               N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.1.2     N/A
D.1.2.1.3      Physical location?                                                              N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.1.7     N/A
D.1.2.1.4      Serial number?                                                                  N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.3.3     N/A
D.1.2.1.5      System class?                                                                   N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
D.1.2.1.6      System owner?                                                                   N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
D.1.2.1.7      System steward?                                                                 N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
D.1.2.1.8      Business function supported?                                                    N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.1.6     N/A
D.1.2.1.9      Environment (dev, test, etc.)?                                                  N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.1.8     N/A
D.1.2.1.10     Host name?                                                                      N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
                                                                                                                                                                                                                                                          OPS.2.12.A.1.7
D.1.2.1.11     IP address?                                                                     N/A                                     N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.2.2     N/A
               Is there a detailed description of software licenses, (e.g., number of seats,                                                                                                                                                              D&A.1.6.1.10.6
D.1.3          concurrent users, etc.) ?                                                       D.1 Asset Accounting and Inventory      N/A                                                 N/A                                        N/A       N/A       OPS.2.12.A.3.6     N/A
D.1.4          Is ownership assigned for information assets?                                   N/A                                     7.1.2        Ownership Of Assets                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
D.1.4.1        Is the asset owner responsible for the following:                               N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
D.1.4.1.1      Ensuring that information and assets are appropriately classified?              N/A                                     7.1.2.b      Ownership Of Assets                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
D.1.4.1.2      Reviewing and approving access to those information assets?                     N/A                                     7.1.2.b      Ownership Of Assets                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
               Establishing, documenting and implementing rules for the acceptable use of
D.1.4.1.3      information and assets?                                                         N/A                                     7.1.3        Acceptable Use Of Assets               PO4.10   Supervision                       N/A       N/A       N/A                PO4.10, PO6.2
D.2            Are information assets classified?                                              N/A                                     7.2.1        Classification Guidelines              PO2.3    Data classification scheme        N/A       N/A       N/A                PO2, AI2, DS9
D.2.1          Is there an information asset classification policy?                            N/A                                     7.2.1        Classification Guidelines              PO2.3    Data classification scheme        N/A       N/A       N/A                PO2, AI2, DS9
                                                                                                                                                                                                                                                                             PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                    IT policy and control                                                    PO6.5, DS5.2, DS5.3,
D.2.1.1        Has it been approved by management?                                             N/A                                     5.1.1        Information Security Policy Document   PO6.1    environment                       N/A       N/A       N/A                ME2.1
                                                                                                                                                                                                                                                                             PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                    IT policy and control                                                    PO6.5, DS5.2, DS5.3,
D.2.1.2        Has the policy been published?                                                  N/A                                     5.1.1        Information Security Policy Document   PO6.1    environment                       N/A       N/A       N/A                ME2.1
                                                                                                                                                                                                                                                                             PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                    IT policy and control                                                    PO6.5, DS5.2, DS5.3,
D.2.1.3        Has it been communicated to all constituents?                                   N/A                                     5.1.1        Information Security Policy Document   PO6.1    environment                       N/A       N/A       N/A                ME2.1
D.2.1.4        Is there an owner to maintain and review the policy?                            N/A                                     7.1.2        Ownership Of Assets                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
                                                                                                                                                                                                    Configuration repository and
D.2.2          Is there a procedure for handling of information assets?                        G.13 Physical Media Tracking            7.2.2        Information Labeling And Handling      DS9.1    baseline                          N/A       N/A       IS.2.L.1.1         PO2, AI2, DS9
               Does the procedure address the handling of information assets in accordance
D.2.2.1        with the following classifications:                                             N/A                                     N/A                                                 N/A                                        N/A       N/A       IS.2.L.1.2         N/A
                                                                                                                                       7.1.2.b,     Ownership Of Assets, Information
D.2.2.1.1      Data access controls?                                                           N/A                                     10.7.3.b     Handling Procedures                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
                                                                                                                                                                                                    Configuration repository and
D.2.2.1.2      Data in transit?                                                                G.14 Security of Media in Transit       7.2.2        Information Labeling And Handling      DS9.1    baseline                          N/A       N/A       N/A                PO2, AI2, DS9
                                                                                                                                       7.2.2,                                                       Configuration repository and
D.2.2.1.3      Data labeling?                                                                  N/A                                     10.7.3.a     Information Labeling And Handling      DS9.1    baseline                          N/A       N/A       N/A                PO6.2, DS11.6
                                                                                                                                                                                                                                                                             PO2.3, DS11.2,
D.2.2.1.4      Data on removable media?                                                        N/A                                     10.7.1       Management Of Removable Media          PO2.3    Data classification scheme        N/A       N/A       N/A                DS11.3, DS11.4
D.2.2.1.5      Data ownership?                                                                 N/A                                     7.1.2        Ownership Of Assets                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
D.2.2.1.6      Data reclassification?                                                          N/A                                     7.1.2.b      Ownership Of Assets                    PO4.9    Data and system ownership         N/A       N/A       N/A                PO4.9, DS9.2
D.2.2.1.7      Data retention?                                                                 N/A                                     N/A                                                 N/A                                        N/A       N/A       N/A                N/A
                                                                                                                                       7.2.2,       Information Labeling And Handling,              Configuration repository and
D.2.2.1.8      Data destruction?                                                               N/A                                     10.7.2       Disposal Of Media                      DS9.1    baseline                          N/A       N/A       N/A                DS11.3, DS11.4
                                                                                                                                                                                                    Media library management
D.2.2.1.9      Data disposal?                                                                  N/A                                     10.7.2.b     Disposal Of Media                      DS11.3   system                            N/A       N/A       N/A                DS11.3, DS11.4
                                                                                                                                                    Policy On The Use Of Cryptographic              Enterprise IT risk and internal
D.2.2.1.10     Data encryption?                                                                N/A                                     12.3.1       Controls                               PO6.2    control framework                 4.1       4.1       IS.2.K.1           PO6, AI2, DS5
                                                                                                                                                                                                    Enterprise IT risk and internal
D.2.2.1.11     Data in storage?                                                                N/A                                     10.7.3.f     Information Handling Procedures        PO6.2    control framework                 N/A       N/A       IS.2.M.10.5        PO6.2, DS11.6
D.2.2.2        Is information reclassified at least annually?                                  N/A                                     7.2.1        Classification Guidelines              PO2.3    Data classification scheme        N/A       N/A       IS.2.L.1.4         PO2, AI2, DS9
               Are there procedures for information labeling and handling in accordance with the                                                                                            Configuration repository and
D.2.3          classification scheme?                                                            G.13 Physical Media Tracking   7.2.2      Information Labeling And Handling       DS9.1    baseline                       N/A       N/A       N/A             PO2, AI2, DS9

                                                                                                                                                                                                                                               IS.1.4.1.10
                                                                                                                                                                                                                                               IS.2.C.14
                                                                                                                                                                                                                                               IS.2.D.5 IS.2.E.2
                Are there procedures for the disposal and/or destruction of physical media (e.g.,                                                                                           Media library management                           IS.2.L.2.1
D.2.4           paper documents, CDs, DVDs, tapes, disk drives, etc.)?                              N/A                         10.7.2     Disposal Of Media                       DS11.3   system                         N/A       N/A       IS.2.L.2.1        DS11.3, DS11.4
                                                                                                                                                                                                                                               IS.2.E.2
                Are there procedures for the reuse of physical media (e.g., tapes, disk drives,                                            Secure Disposal Or Re-Use Of                                                                        IS.2.L.2.1
D.2.5           etc.)?                                                                              N/A                         9.2.6      Equipment                               DS11.4   Disposal                       N/A       N/A       IS.2.L.2.1        DS11.4
                                                                                                                                           Including Information Security In The                                                                                 PO3.1, PO9.1, PO9.2,
                Is there insurance coverage for business interruptions or general services                                                 Business Continuity Management                   Technological direction                            BCP.1.4.3.10      DS4.1, DS4.3, DS4.8,
D.3             interruption?                                                                       N/A                         14.1.1.d   Process                                 PO3.1    planning                       N/A       N/A       MGMT.1.3.8        DS8.3
                                                                                                                                           Including Information Security In The                                                                                 PO3.1, PO9.1, PO9.2,
                                                                                                                                           Business Continuity Management                   Technological direction                                              DS4.1, DS4.3, DS4.8,
D.3.1           If yes, are there limitations based on the cause of the interruption?               N/A                         14.1.1.d   Process                                 PO3.1    planning                       N/A       N/A       N/A               DS8.3
                                                                                                                                           Including Information Security In The                                                                                 PO3.1, PO9.1, PO9.2,
                                                                                                                                           Business Continuity Management                   Technological direction                                              DS4.1, DS4.3, DS4.8,
D.3.2           Is there insurance coverage for products and services provided to clients?          N/A                         14.1.1.d   Process                                 PO3.1    planning                       N/A       N/A       N/A               DS8.3

               E. Human Resource Security
                                                                                                                                                                                                                                                           IS.2.M.15.1       PO4.6, PO4.8, PO6.3,
               Are security roles and responsibilities of constituents defined and documented in                                                                                                                                                           MGMT.1.6.1.2      PO7.1, PO7.2, PO7.3,
E.1            accordance with the organization’s information security policy?                   B.1 Information Security Policy Content 8.1.1     Roles and responsibilities              PO4.6    Roles and responsibilities         12.4          12.4  WPS.2.2.1.3.1     DS5.4
                                                                                                                                                                                                                                                                             PO4.6, PO4.8, PO6.3,
               Are security roles and responsibilities of dependent service providers defined and                                                                                                                                                                            PO7.1, PO7.2, PO7.3,
E.1.1          documented in accordance with the organization’s information security policy?      N/A                                    8.1.1     Roles and responsibilities              PO4.6    Roles and responsibilities         12.4          12.4  IS.2.M.15.1       DS5.4
                                                                                                                                                                                                                                                           IS.1.2.8.2
               Are background screenings of applicants performed to include criminal, credit,    E.2 Background Investigation Policy                                                                                                                       OPS.1.5.3.2       PO4.6, PO7.1, PO7.6,
E.2            professional / academic, references and drug screening?                           Content                                 8.1.2     Screening                               PO4.6    Roles and responsibilities         12.7          12.7  WPS.2.8.1.2       DS2.3
E.2.1          Is there a pre-screening policy?   N/A   5.1.1 Information Security Policy Document   PO6.1 IT policy and control environment   N/A   N/A   N/A   PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

E.2.1.1        Has it been approved by management?   N/A   5.1.2 Review of Information Security Policy   PO3.1 Technological direction planning   N/A   N/A   N/A   PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
E.2.1.2        Is there an owner to maintain and review the policy?   N/A   5.1.1 Information Security Policy Document   PO6.1 IT policy and control environment   N/A   N/A   N/A   PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.2.1.3        Is there an external background screening agency?                                 N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.4        Are the following background checks performed on:                                 N/A                                     N/A                                               N/A                                   N/A           N/A        IS.2.F.1           N/A
E.2.1.5        Criminal:   N/A   8.1.2.e Screening   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.5.1      Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.5.2      Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.5.3      Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.5.4      Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.6        Credit:   N/A   8.1.2.e Screening   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.6.1      Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.6.2      Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.6.3      Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.6.4      Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.7        Academic:   N/A   8.1.2.c Screening   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.7.1      Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.7.2      Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.7.3      Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.7.4      Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.8        Reference:   N/A   8.1.2.a Screening   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.8.1      Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.8.2      Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.8.3      Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.8.4      Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.9        Resume or curriculum vitae:   N/A   8.1.2.b Screening   PO4.6 Roles and responsibilities   N/A   N/A   RPS.1.1.3.1.2   PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.9.1      Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.9.2      Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.9.3      Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.9.4      Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.10       Drug Screening:                                                                   N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.10.1     Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.10.2     Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.10.3     Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.2.1.10.4     Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A

E.3            Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?   N/A   8.1.3 Terms and conditions of employment   PO4.6 Roles and responsibilities   N/A   N/A   IS.2.A.8.1, IS.2.F.4, IS.2.F.2   PO4.6, PO7.1, PO7.3, DS2.3
E.3.1          Are the following agreements signed by:   N/A   N/A   N/A   N/A   N/A   IS.2.A.8.2   N/A
E.3.2          Acceptable Use:   B.3. Employee Acknowledgment of Acceptable   7.1.3 Acceptable use of assets   PO4.10 Supervision   12.3.5   12.3.5   N/A   PO4.10, PO6.2
E.3.2.1        Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.2.2        Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.2.3        Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.2.4        Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.3          Code of Conduct / Ethics:   N/A   8.1.3 Terms and conditions of employment   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.3, DS2.3
E.3.3.1        Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.3.2        Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.3.3        Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.3.4        Temporary workers?                                                                N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.4          Non-Disclosure Agreement:   N/A   8.1.3.a Terms and conditions of employment   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.3, DS2.3
E.3.4.1        Full time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.4.2        Part time employees?                                                              N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A
E.3.4.3        Contractors?                                                                      N/A                                     N/A                                               N/A                                   N/A           N/A        N/A                N/A


E.3.4.4        Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.5          Confidentiality Agreement:   C.1 Employee Acceptance of Confidentiality   8.1.3.a Terms and conditions of employment   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.3, DS2.3
E.3.5.1        Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.5.2        Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.5.3        Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.5.4        Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.6          Information handling:   N/A   8.1.3.d Terms and conditions of employment   PO4.6 Roles and responsibilities   N/A   N/A   N/A   PO4.6, PO7.1, PO7.3, DS2.3
E.3.6.1        Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.6.2        Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.6.3        Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.6.4        Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.7          Prohibition of unauthorized software use or installation:   N/A   10.4.1.a Controls Against Malicious Code   DS5.9 Malicious software prevention, detection and correction   N/A   N/A   N/A   DS5.9
E.3.7.1        Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.7.2        Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.7.3        Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.7.4        Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8          Are any agreements required to be re-read and re-accepted at least every 12 months?   N/A   N/A   N/A   N/A   N/A   N/A   N/A
E.3.8.1        Are the following agreements required to be re-read and re-accepted by:             N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.2        Acceptable Use:   B.3. Employee Acknowledgment of Acceptable   N/A   N/A   N/A   N/A   N/A   N/A
E.3.8.2.1      Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.2.2      Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.2.3      Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.2.4      Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.3        Code of Conduct / Ethics:                                                           N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.3.1      Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.3.2      Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.3.3      Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.3.4      Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.4        Non-Disclosure Agreement:                                                           N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.4.1      Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.4.2      Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.4.3      Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.4.4      Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.5        Confidentiality Agreement:                                                          N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.5.1      Full time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.5.2      Part time employees?                                                                N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.5.3      Contractors?                                                                        N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.3.8.5.4      Temporary workers?                                                                  N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
E.4            Is there a security awareness training program?   E.1 Security Awareness Training Attendance   8.2.2 Information security awareness, education, and training   PO4.6 Roles and responsibilities   12.6   12.6   IS.1.7.2, E-BANK.1.4.2.11, E-BANK.1.4.2.12   PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.1          Does the security awareness training include security policies, procedures and processes?   N/A   8.2.2 Information security awareness, education, and training   PO4.6 Roles and responsibilities   N/A   N/A   RPS.1.4.2, RPS.2.N.10.1   PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
                                                                                                                                                                                                                                                             E-
E.4.2          Does the security awareness training include a testing component?                   N/A                               N/A                                                 N/A                                          N/A          N/A       BANK.1.4.2.12    N/A
E.4.3          Do constituents participate in security awareness training?                         N/A                               N/A                                                 N/A                                          N/A          N/A       IS.1.7.3         N/A
E.4.3.1        Do they attend training:                                                            N/A                               N/A                                                 N/A                                          N/A          N/A       N/A              N/A
                                                                                                                                                                                                                                                                              PO4.6, PO6.2, PO6.4,
                                                                                                                                                                                                                                                                              PO7.2, PO7.4, PO7.7,
                                                                                                                                                                                                                                                                              AI1.1, AI7.1, DS5.1,
                                                                                                                                                  Information security awareness,                                                                                             DS5.2, DS5.3, DS7.1,
E.4.3.1.1      Upon hire?                                                                          N/A                               8.2.2        education, and training                PO4.6    Roles and responsibilities          N/A          N/A       N/A              DS7.2
                                                                                                                                                  Information security awareness,
                                                                                                                                     8.2.2,       education, and training, Management
E.4.3.1.2      At least annually?                                                                  N/A                               8.2.1        responsibilities                       PO4.6    Roles and responsibilities          N/A          N/A       N/A              N/A
                                                                                                                                                                                                                                                                              PO4.6, PO6.2, PO6.4,
                                                                                                                                                                                                                                                                              PO7.2, PO7.4, PO7.7,
                                                                                                                                                                                                                                                                              AI1.1, AI7.1, DS5.1,
                                                                                                                                                  Information security awareness,                                                                                             DS5.2, DS5.3, DS7.1,
E.4.4          Is security training commensurate with levels of responsibilities and access?       N/A                               8.2.2        education, and training                PO4.6    Roles and responsibilities          N/A          N/A       IS.1.2.8.1       DS7.2
                                                                                                                                                                                                                                                                              PO4.6, PO6.2, PO6.4,
                                                                                                                                                                                                                                                                              PO7.2, PO7.4, PO7.7,
                                                                                                                                                                                                                                                                              AI1.1, AI7.1, DS5.1,
                                                                                                                                                  Information security awareness,                                                                                             DS5.2, DS5.3, DS7.1,
E.4.5          Do constituents responsible for information security undergo additional training?   N/A                               8.2.2        education, and training                PO4.6    Roles and responsibilities          N/A          N/A       IS.1.2.8.1       DS7.2
               Are information security personnel required to obtain professional security
E.4.5.1        certifications (e.g., GSEC, CISSP, CISM, CISA)?                                     N/A                               6.1.7        Contact with special interest groups   PO4.15   Relationships                       N/A          N/A       N/A              PO4.15, DS4.1, DS4.2
               Is there a disciplinarily process for non-compliance with information security                                                                                                     Responsibility for risk, security
E.5            policy?                                                                             N/A                               8.2.3        Disciplinary process                   PO4.8    and compliance                      N/A          N/A       IS.1.7.6         PO4.8, PO7.8, DS5.6
E.6            Is there a constituent termination or change of status process?                     N/A                               8.3.1        Termination responsibilities           PO7.8    Job change and termination          N/A          N/A       OPS.1.5.3.5      PO4.8, PO7.8, DS5.6
E.6.1 | Is there a documented termination or change of status policy or process? | N/A | 8.3.1 Termination responsibilities | PO7.8 Job change and termination | N/A | N/A | IS.1.4.1.1.2 | PO4.8, PO7.8, DS5.6
E.6.1.1 | Has it been approved by management? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.1.2 | Has the policy been published? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | N/A | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.6.1.4 | Is there an owner to maintain and review the policy? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2 | Does HR notify security / access administration of termination of constituents for access rights removal? | H.2 Revoke System Access | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | IS.2.A.5.1, WPS.2.9.2.6 | PO7.8, DS5.4
E.6.2.1 | Is the termination notification provided: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2.1.1 | On the actual date? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2.1.2 | Two to seven days after termination? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2.1.3 | Greater than seven days after termination? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.3 | Does HR notify security / access administration of a constituent's change of status for access rights removal? | H.2 Revoke System Access | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | IS.2.A.5.2, WPS.2.9.2.6 | PO7.8, DS5.4
E.6.3.1 | Is the status change notification provided: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.3.1.1 | On the actual date of the change of status? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.3.1.2 | Two to seven days after the change of status? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.3.1.3 | Greater than seven days after the change of status? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.4 | Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following: | N/A | 8.3.2 Return of assets | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, PO7.8
E.6.4.1 | Termination? | N/A | 8.3.2 Return of assets | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, PO7.8
E.6.4.2 | Change of status? | N/A | 8.3.2 Return of assets | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, PO7.8

               F. Physical and Environmental Security
F.1 | Is there a physical security program? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | 12.1 | 12.1 | IS.2.E.1, OPS.1.5.1.6, OPS.1.5.1.8, WPS.2.2.1.3.5, AUDIT.2.D.1.10, E-BANK.1.4.2.8, E-BANK.1.5.4, RPS.1.2.2.2 | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1 | Is there a documented physical security policy? | B.1 Information Security Policy Content | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1.1 | Has it been approved by management? | N/A | 5.1.2 Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
F.1.1.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
F.1.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
F.1.2 | Is there a documented policy or process that contains a right to search visitors or constituents while in the facility? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.3 | For the building or primary facility that stores Target Data (address noted in row 4 above), is it located within 20 miles of: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.3.1 | Nuclear power plant? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.2 | Chemical plant, hazardous manufacturing or processing facility? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.3 | Natural gas, petroleum, or other pipeline? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.4 | Tornado prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.5 | Airport? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.6 | Railroad? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.7 | Active fault line? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.8 | Government building? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.9 | Military base or facility? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.10 | Hurricane prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.11 | Volcano? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.12 | Gas / Oil refinery? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.13 | Coast, harbor, port? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.14 | Forest fire prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.15 | Flood prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.16 | Emergency response services (e.g., fire, police, etc.)? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.3.17 | Urban center or major city? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.4 | Are the following controls present in the building that contains the Target Data? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.4.1 | Signs or markings that identify the operations of the facility (e.g., data center)? | F.2 Physical Security Controls – Target Data | 9.1.3 Securing offices, rooms, and facilities | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.4.2 | Permit only authorized photographic, video, audio or other recording equipment within the facility? | N/A | 9.1.5 Working in secure areas | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | N/A
F.1.4.3 | Roof access secured and alarmed? | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | N/A | N/A
F.1.5          Does the building reside on a campus?                                                 N/A                                       N/A                                                    N/A                                      N/A       N/A       N/A             N/A
F.1.5.1        Is the campus:                                                                        N/A                                       N/A                                                    N/A                                      N/A       N/A       N/A             N/A
F.1.5.1.1      Shared with other tenants?                                                            N/A                                       9.1.1.g      Physical security perimeter               DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
F.1.5.1.2      Surrounded by a physical barrier?                                                     N/A                                       9.1.1.d      Physical security perimeter               DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
F.1.5.1.3      Is the barrier monitored (e.g., guards, technology, etc)?                             N/A                                       9.1.1.d      Physical security perimeter               DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
F.1.6          Does the perimeter of the building have:                                              N/A                                       N/A                                                    N/A                                      N/A       N/A       OPS.2.12.E.2    N/A
F.1.6.1 | A physical barrier (e.g., fence or wall)? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.6.1.1 | Is the physical barrier monitored (e.g., guards, technology, etc.)? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.7 | Can vehicles come in close proximity to the building? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.7.1 | Can they come in close proximity via the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.7.1.1 | Adjacent roads? | N/A | 9.1.1.d Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.7.1.2 | Parking lots/garage adjacent to the campus? | N/A | 9.1.1.d Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.7.1.3 | Parking lots/garage adjacent to the building? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.7.1.4 | Parking garage connected to the building (e.g., underground parking)? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.8 | Are barriers used to protect the building? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9 | Does the building that contains the Target Data: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.1 | Share space with other tenants? | N/A | 9.1.1.g Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.2 | Have more than one floor? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.3 | Have a building and roof rated to withstand wind speeds greater than 100 miles per hour? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.2.12.E.1 | DS12.4
F.1.9.4 | Have a roof rated to withstand loads greater than 200 pounds per square foot? | N/A | 9.2.1 Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.2.12.E.1 | DS5.7, DS12.4
F.1.9.5 | Have a single point of entry? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.6 | Have exterior windows? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.7 | Have window contact alarms that trigger if a window is opened? | F.2 Physical Security Controls – Target Data | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.10 | DS12.1, DS12.2
F.1.9.8 | Have glass break detection? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.9 | Have external lighting? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.4 | DS12.1, DS12.2
F.1.9.10 | Have concealed windows? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.11 | Have glass walls or doors? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.12 | Have glass break detection? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.13 | Have external lighting on all doors? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.4 | DS12.1, DS12.2
F.1.9.14 | Have external hinge pins on any external doors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.15 | Use CCTV? | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | IS.2.E.3.2 | N/A
F.1.9.15.1 | Monitored 24x7x365? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.15.2 | Pointed at entry points? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.15.3 | Digitally recorded? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.15.4 | Stored for at least 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.16 | Have all entries and exits alarmed? If so, are they: | F.2 Physical Security Controls – Target Data | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.10 | DS12.1, DS12.2
F.1.9.16.1 | Monitored 24x7x365? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.17 | Have and use prop alarms on all doors? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.18 | Have security guards? If so: | F.2 Physical Security Controls – Target Data | 9.1.1.c Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.6 | DS12.1, DS12.2
F.1.9.18.1 | Are they contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.18.2 | Do they monitor security systems and alarms? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.18.3 | Do they patrol the facility? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.18.4 | Do they check doors/alarms during rounds? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.18.5 | Do they complete a guard report at the end of rounds? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.19 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.20 | Have restricted access to the facility? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | OPS.2.12.E.5, IS.2.E.3.2, WPS.2.9.1.1 | DS12.2, DS12.3
F.1.9.20.1 | An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there: | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.20.2 | A biometric reader at the points of entry to the facility? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.20.3 | Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there: | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.20.3.1 | A process to change the code at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.9.20.3.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4
F.1.9.20.4 | Is there a process for requesting access to the facility? If so, is there: | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | IS.2.E.3.1 | DS12.1, DS12.2
F.1.9.20.4.1 | Segregation of duties for issuing and approving access to the facility (e.g., keys, badges, etc.)? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.9.20.4.2 | A process to review who has access to the facility at least every six months? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.9.20.4.3 | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | H.6 Revoke Physical Access | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | IS.2.E.3.3 | DS12.2, DS12.3
F.1.9.20.4.4 | A process to report lost or stolen access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.21 | A mechanism to prevent tailgating / piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.22 | Are visitors permitted in the facility? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | OPS.2.12.E.9, WPS.2.9.1.2 | DS12.2, DS12.3
F.1.9.22.1 | Are they required to sign in and out? | N/A | 9.1.2.a Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.22.2 | Are they required to provide a government issued ID? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.22.3 | Are they escorted through secure areas? | N/A | 9.1.2.c Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.22.4 | Are visitor logs maintained for at least 90 days? | F.2 Physical Security Controls – Target Data | 9.1.2.a Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.9.22.5 | Are they required to wear badges distinguishing them from employees? | N/A | 9.1.2.c Physical entry controls | N/A | N/A | N/A | OPS.2.12.E.9 | DS12.2, DS12.3
F.1.10 | Is there a loading dock at the facility? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3
F.1.10.1 | Do tenants share the use of the loading dock? | N/A | 9.1.6.f Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3
F.1.10.2 | Does the loading dock area contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.10.2.1 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | DS5.7, DS12.4
F.1.10.2.2 | Fire alarm? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4
F.1.10.2.3 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | DS12.4
F.1.10.2.4 | Fire extinguishers? | N/A | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4
F.1.10.2.5 | Security guards at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.6.a Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3
F.1.10.2.6 | CCTV monitoring the loading dock area? | F.2 Physical Security Controls – Target Data | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.10.2.6.1 | Is the loading dock area monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.10.2.6.2 | Is the CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.10.2.6.3 | Is CCTV footage stored for 90 days or longer? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.10.3 | Is entry to the loading dock restricted? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.1 | Badge readers at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.2 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.3 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.4 | Are cipher locks (electronic or mechanical) used to control access to the loading dock? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.4.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.10.3.4.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4
F.1.10.3.5 | Is there a process for approving access to the loading dock from inside the facility? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.6 | Is there a process to review access to the loading dock at least every six months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.10.3.7 | Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.10.3.8 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.11 | Is there a Battery/UPS Room? | F.1 Environmental Controls – Computing Hardware | 9.2.2 Supporting utilities | DS12.4 Protection against environmental factors | N/A | N/A | N/A | N/A
F.1.11.1 | Does the battery room contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
                                                                                                                                                                                                        Protection of security
F.1.11.1.1      Hydrogen sensors?                                                                N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A            DS5.7, DS12.4
F.1.11.1.2      Windows or glass walls along the perimeter?                                      N/A                                       9.1.1.b      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
                                                                                                 F.2 Physical Security Controls – Target                                                                Protection of security
F.1.11.1.3      Walls extending from true floor to true ceiling?                                 Data                                      9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A            DS5.7, DS12.4
                                                                                                 F.1 Environmental Controls –                                                                           Protection of security
F.1.11.1.4      Air conditioning?                                                                Computing Hardware                        9.2.1.f      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.1.7.1.3    DS5.7, DS12.4
                                                                                                 F.1 Environmental Controls –                                                                           Protection of security
F.1.11.1.5      Fluid or water sensor?                                                           Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.2.12.D.6   DS5.7, DS12.4
                                                                                                 F.1 Environmental Controls –                                                                           Protection of security
F.1.11.1.6      Heat detector?                                                                   Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A            DS5.7, DS12.4
                                                                                                                                                                                                        Protection of security
F.1.11.1.7      Plumbing above ceiling (excluding fire suppression system)?                      N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.1.7.1.7    DS5.7, DS12.4
                                                                                                 F.1 Environmental Controls –                                                                           Protection of security                           OPS.1.7.1.6
F.1.11.1.8      Smoke detector?                                                                  Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.2.12.D.5   DS5.7, DS12.4
                                                                                                                                                                                                        Protection of security
F.1.11.1.9      Fire alarm?                                                                      N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A            DS5.7, DS12.4
                                                                                                 F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.1.11.1.10     Wet fire suppression?                                                            Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5   DS12.4
                                                                                                 F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.1.11.1.11     Dry fire suppression?                                                            Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5   DS12.4
                                                                                                 F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.1.11.1.12     Chemical fire suppression?                                                       Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5   DS12.4
                                                                                                                                                        Protecting against external and                 Protection against
F.1.11.1.13     Fire extinguishers?                                                              N/A                                       9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       N/A            DS12.4
                                                                                                 F.2 Physical Security Controls – Target
F.1.11.1.14     CCTV monitoring entry to the battery/UPS room?                                   Data                                      9.1.1.e      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
F.1.11.1.14.1   Is the battery/UPS room monitored 24x7x365?                                      N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A            N/A
F.1.11.1.14.2   Is CCTV digital?                                                                 N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A            N/A
F.1.11.1.14.3   Is CCTV stored for 90 days or greater?                                           N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A            N/A
F.1.11.2        Is access to the battery/UPS room restricted?                                    N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                                                                                                 F.2 Physical Security Controls – Target
F.1.11.2.1      Are logs kept of all access?                                                     Data                                      9.1.2.b      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       RPS.2.C.1.3    DS12.2, DS12.3
F.1.11.2.2      Are badge readers used at points of entry?                                       N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                                                                                                 F.2 Physical Security Controls – Target
F.1.11.2.3      Are biometric readers used at points of entry?                                   Data                                      9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
F.1.11.2.4      Are there locked doors requiring a key or PIN at points of entry?                N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                Are cipher locks (electronic or mechanical) used to control access to the        F.2 Physical Security Controls – Target
F.1.11.2.5      battery/UPS room?                                                                Data                                      9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
F.1.11.2.5.1    Are the codes changed at least every 90 days?                                    N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A            N/A
                Is the code changed whenever an authorized individual is terminated or
F.1.11.2.5.2    transferred to another role?                                                     N/A                                       8.3.3        Removal of access rights               PO7.8    Job change and termination   N/A       N/A       N/A            PO7.8, DS5.4
F.1.11.2.6      Is there a process for approving access to the battery/UPS room ?                H.7 Physical Access Authorization         9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3



F.1.11.2.7 | Is there a process to review access to the battery/UPS room at least every six months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.11.2.8 | Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.1.11.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.11.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3
F.1.11.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.11.5 | Are visitors permitted in the battery/UPS room? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.12 | Is there a call center operated or maintained? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.1 | Are calls randomly monitored? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.2 | Are calls monitored for compliance? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.3 | Is a call recording system used for all calls? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.3.1 | Does the recording solution indicate if recordings have been tampered with (to be court evidence admissible)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.4 | Are paper or electronic files used? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.5 | Is there a clean desk policy? | N/A | 11.3.3 Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7
F.1.12.6 | Is an audit trail of all calls retained? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.7 | Are "secret caller" penetration tests conducted? If so, how often: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.7.1 | Daily? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.7.2 | Weekly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.7.3 | Monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.7.4 | Semi-annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.7.5 | Annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.8 | Are separate access rights required to gain access to the call center? | N/A | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.12.9 | Are terminals set to lock after a specified amount of time? If so, how long: | N/A | 11.3.2, 11.3.3 Unattended user equipment; Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7
F.1.12.9.1 | Five minutes or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.9.2 | Five to 15 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.9.3 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.9.4 | Greater than 30 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.9.5 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.9.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.10 | Are representatives allowed access to the internet? | N/A | 11.4.1.c Policy on use of network services | DS5.3 Identity management | N/A | N/A | N/A | DS5.9, DS5.11
F.1.12.11 | Are they allowed access to email? | N/A | 11.4.1.c Policy on use of network services | DS5.3 Identity management | N/A | N/A | N/A | DS5.9, DS5.11
F.1.12.11.1 | Is there an email monitoring system to check for outgoing confidential information? | N/A | 11.4.6.a Network connection control | DS5.10 Network security | N/A | N/A | N/A | DS5.9, DS5.11
F.1.12.12 | Are visitors permitted into the call center? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.1.12.13 | Is the call center included in the disaster recovery plan? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.14 | Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)? | N/A | 13.1.1.c Reporting information security events | PO9.3 Event identification | N/A | N/A | N/A | PO9.3, DS5.6, DS8.2
F.1.12.15 | Administrator access to CRM system not allowed to view data (e.g., configuration and entitlements only)? | N/A | 11.4.1.a Policy on use of network services | DS5.3 Identity management | N/A | N/A | N/A | DS5.9, DS5.11
F.1.12.16 | What type of systems does the call center utilize? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.16.1 | Wintel desktop? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.16.2 | Dumb terminal? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.16.3 | Wintel laptop? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.16.4 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.17 | Can representatives make personal calls from their telecom systems? | N/A | 10.8.1 Information exchange policies and procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1
F.1.12.18 | Does the call center use VOIP? If so, which protocol does the solution set up calls with? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.1 | H.323? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.2 | SCCP? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.3 | MGCP? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.4 | MEGACO/H.348? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.5 | SIP? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.5.1 | Is SIP authentication used? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.18.5.2 | Is encryption done with IPSec or TLS (SSL)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.12.19 | Are any call center representatives home based? | N/A | 9.2.5 Security of equipment off-premises | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS12.2, DS12.3
F.1.12.20 | Are call center operations outsourced? | N/A | 6.2 External parties | N/A | N/A | N/A | N/A | PO6.4, DS5.5, ME2.2, ME2.5, ME4.7
F.1.13 | Is there a generator or generator area? | F.1 Environmental Controls – Computing Hardware | 9.2.2 Supporting utilities | DS12.4 Protection against environmental factors | N/A | N/A | N/A | N/A
F.1.13.1 | Is there more than one generator? | N/A | 9.2.2 Supporting utilities | DS12.4 Protection against environmental factors | N/A | N/A | N/A | N/A
F.1.13.1.1 | Are there multiple generator areas that supply backup power to systems that contain Target Data? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.13.1.1.1 | Are the physical security and environmental controls the same for all of the generator areas? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.1.13.2 | Is the generator area contained within a building or surrounded by a physical barrier? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.1.13.3 | Are fuel supplies for the generator readily available to ensure uninterrupted service? | N/A | 9.2.2 Supporting utilities | DS12.4 Protection against environmental factors | N/A | N/A | N/A | N/A
F.1.13.4 | Does the generator have the capacity to supply power to the systems that contain Target Data for at least 48 hours? | N/A | 9.2.2 Supporting utilities | DS12.4 Protection against environmental factors | N/A | N/A | N/A | N/A
The Shared Assessments Program                                                                                                            Page 20 of 191                                                                                                        SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                   AUP 5.0 Relevance                                     ISO 27002:2005 Relevance                    COBIT 4.0 Relevance             PCI 1.1   PCI 1.2   FFIEC           COBIT 4.1 Relevance
F.1.13.5       Is access to the generator area restricted?                                         N/A                                       9.1.1.a     Physical security perimeter        DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.1.13.5.1      Are logs kept of all access?                                                       Data                                      9.1.2.b     Physical entry controls            DS12.2   Physical security measures      N/A       N/A       RPS.2.C.1.3     DS12.2, DS12.3
F.1.13.5.2      Are badge readers used at points of entry?                                         N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.1.13.5.3      Are biometric readers used at points of entry?                                     Data                                      9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
F.1.13.5.4      Are there locked doors requiring a key or PIN at points of entry?                  N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                Are cipher locks (electronic or mechanical) used to control access to the          F.2 Physical Security Controls – Target
F.1.13.5.5      generator area?                                                                    Data                                      9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
F.1.13.5.5.1    Are the codes changed at least every 90 days?                                      N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
                Is the code changed whenever an authorized individual is terminated or
F.1.13.5.5.2    transferred to another role?                                                       N/A                                       8.3.3       Removal of access rights           PO7.8    Job change and termination      N/A       N/A       N/A             PO7.8, DS5.4
F.1.13.5.6      Is there a process for approving access to the generator area?                     H.7 Physical Access Authorization         9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                Is there a process to review access to the generator area at least every six
F.1.13.5.7      months?                                                                            N/A                                       9.1.2.e     Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3

                Is there segregation of duties for issuing and approving access to the generator                                                                                                     Enterprise information                                              PO2.2, PO2.3, PO6.2,
F.1.13.5.8      area via the use of badges/keys...?                                                N/A                                       11.1.1.h    Access control policy              PO2.1    architecture model              N/A       N/A       N/A             DS5.2, DS5.3, DS5.4
F.1.13.5.9      Is there a process to report lost access cards / keys?                             N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.1.13.6        Is CCTV monitoring the generator area?                                             Data                                      9.1.1.e     Physical security perimeter        DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
F.1.13.6.1      Is the generator area monitored 24x7x365?                                          N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
F.1.13.6.2      Is the CCTV digital?                                                               N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
F.1.13.6.3      Is CCTV stored for 90 days or greater?                                             N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
                                                                                                                                                                                                     Protection of security
F.1.14          Is there an IDF closet?                                                            N/A                                       9.2.3       Cabling security                   DS5.7    technology                      N/A       N/A       OPS.1.7.1.5     DS5.7, DS12.4
                                                                                                                                                                                                     Protection of security
F.1.14.1        Is access to the IDF closet restricted?                                            N/A                                       9.2.3.f.1   Cabling security                   DS5.7    technology                      N/A       N/A       OPS.1.8.2.1     DS5.7, DS12.4
                                                                                                   F.2 Physical Security Controls – Target
F.1.14.1.1      Are logs kept of all access?                                                       Data                                      9.1.2.b     Physical entry controls            DS12.2   Physical security measures      N/A       N/A       RPS.2.C.1.3     DS12.2, DS12.3
F.1.14.1.2      Are badge readers used at points of entry?                                         N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.1.14.1.3      Are biometric readers used at points of entry?                                     Data                                      9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
F.1.14.1.4      Are there locked doors requiring a key or PIN at points of entry?                  N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                Are cipher locks (electronic or mechanical) used to control access to the IDF      F.2 Physical Security Controls – Target
F.1.14.1.5      closets?                                                                           Data                                      9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
F.1.14.1.5.1    Are the codes changed at least every 90 days?                                      N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
                Is the code changed whenever an authorized individual is terminated or
F.1.14.1.5.2    transferred to another role?                                                       N/A                                       8.3.3       Removal of access rights           PO7.8    Job change and termination      N/A       N/A       N/A             PO7.8, DS5.4
F.1.14.1.6      Is there a process for approving access to the IDF closet?                         H.7 Physical Access Authorization         9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3

F.1.14.1.7      Is there a process to review access to the IDF closet at least every six months?   N/A                                       9.1.2.e     Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3

                Is there segregation of duties for issuing and approving access to the IDF closets                                                                                                   Enterprise information                                              PO2.2, PO2.3, PO6.2,
F.1.14.1.8      via the use of badges/keys...?                                                     N/A                                       11.1.1.h    Access control policy              PO2.1    architecture model              N/A       N/A       N/A             DS5.2, DS5.3, DS5.4
F.1.14.1.9      Is there a process to report lost access cards / keys?                             N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                                                                                                                                                                                                     Definition and maintenance of
                                                                                                                                                                                                     business functional and
F.1.15          Is there a mailroom that stores or processes Target Data?                          N/A                                       10.1.1      Documented operating procedures    AI1.1    technical requirements          N/A       N/A       N/A             AI1.1, AI4.4, DS13.1
F.1.15.1        Does the mailroom contain the following:                                           N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
F.1.15.1.1      Motion sensors?                                                                    N/A                                       9.1.1.f     Physical security perimeter        DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.1.15.1.2      CCTV pointed at entry points?                                                      Data                                      9.1.1.e     Physical security perimeter        DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
F.1.15.1.2.1    Monitored 24x7x365?                                                                N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
F.1.15.1.2.2    Is CCTV digital?                                                                   N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
F.1.15.1.2.3    Is CCTV stored for 90 days or greater?                                             N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
                                                                                                   F.1 Environmental Controls –                                                                      Protection of security                              OPS.1.7.1.6
F.1.15.1.3      Smoke detector?                                                                    Computing Hardware                        9.2.1.d     Equipment sitting and protection   DS5.7    technology                      N/A       N/A       OPS.2.12.D.5    DS5.7, DS12.4
                                                                                                                                                                                                     Protection of security
F.1.15.1.4      Fire alarm?                                                                        N/A                                       9.2.1.d     Equipment sitting and protection   DS5.7    technology                      N/A       N/A       N/A             DS5.7, DS12.4
                                                                                                   F.1 Environmental Controls –                          Protecting against external and             Protection against                                  OPS.1.7.1.6
F.1.15.1.5      Wet fire suppression?                                                              Computing Hardware                        9.1.4.c     environmental threats              DS12.4   environmental factors           N/A       N/A       OPS.2.12.D.5    DS12.4
                                                                                                   F.1 Environmental Controls –                          Protecting against external and             Protection against                                  OPS.1.7.1.6
F.1.15.1.6      Dry fire suppression?                                                              Computing Hardware                        9.1.4.c     environmental threats              DS12.4   environmental factors           N/A       N/A       OPS.2.12.D.5    DS12.4
                                                                                                   F.1 Environmental Controls –                          Protecting against external and             Protection against                                  OPS.1.7.1.6
F.1.15.1.7      Chemical fire suppression?                                                         Computing Hardware                        9.1.4.c     environmental threats              DS12.4   environmental factors           N/A       N/A       OPS.2.12.D.5    DS12.4
                                                                                                                                                         Protecting against external and             Protection against
F.1.15.1.8      Fire extinguishers?                                                                N/A                                       9.1.4.c     environmental threats              DS12.4   environmental factors           N/A       N/A       N/A             DS12.4
F.1.15.2        Is access to the mailroom restricted?                                              N/A                                       9.1.1.a     Physical security perimeter        DS12.1   Site selection and layout       N/A       N/A       N/A             DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.1.15.2.1      Are logs kept of all access?                                                       Data                                      9.1.2.b     Physical entry controls            DS12.2   Physical security measures      N/A       N/A       RPS.2.C.1.3     DS12.2, DS12.3
F.1.15.2.2      Are badge readers used at points of entry?                                         N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.1.15.2.3      Are biometric readers used at points of entry?                                     Data                                      9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
F.1.15.2.4      Are there locked doors requiring a key or PIN at points of entry?                  N/A                                       9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
                Are cipher locks (electronic or mechanical) used to control access to the          F.2 Physical Security Controls – Target
F.1.15.2.5      mailroom?                                                                          Data                                      9.1.2       Physical entry controls            DS12.2   Physical security measures      N/A       N/A       N/A             DS12.2, DS12.3
F.1.15.2.5.1    Are the codes changed at least every 90 days?                                      N/A                                       N/A                                            N/A                                      N/A       N/A       N/A             N/A
                Is the code changed whenever an authorized individual is terminated or
F.1.15.2.5.2    transferred to another role?                                                       N/A                                       8.3.3       Removal of access rights           PO7.8    Job change and termination      N/A       N/A       N/A             PO7.8, DS5.4



The Shared Assessments Program                                                                                                                   Page 21 of 191                                                                                                  SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                  AUP 5.0 Relevance                                      ISO 27002:2005 Relevance                        COBIT 4.0 Relevance          PCI 1.1   PCI 1.2   FFIEC           COBIT 4.1 Relevance
F.1.15.2.6     Is there a process for approving access to the mailroom?                           H.7 Physical Access Authorization         9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A             DS12.2, DS12.3

F.1.15.2.7      Is there a process to review access to the mailroom at least every six months?    N/A                                       9.1.2.e      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A             DS12.2, DS12.3

                Is there segregation of duties for issuing and approving access to the mailroom                                                                                                          Enterprise information                                           PO2.2, PO2.3, PO6.2,
F.1.15.2.8      via the use of badges/keys...?                                                    N/A                                       11.1.1.h     Access control policy                  PO2.1    architecture model           N/A       N/A       N/A             DS5.2, DS5.3, DS5.4
F.1.15.2.9      Is there a process to report lost access cards / keys?                            N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A             DS12.2, DS12.3
                                                                                                                                                         Public access, delivery, and loading                                                                             DS5.7, DS12.1,
F.1.15.3        Are there prop alarms on points of entry?                                         N/A                                       9.1.6        areas                                  AI7.10   System distribution          N/A       N/A       N/A             DS12.3
F.1.15.4        Do emergency doors only permit egress?                                            N/A                                       9.1.1.e      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A             DS12.1, DS12.2
F.1.15.5        Are visitors permitted into the mailroom?                                         N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A             DS12.2, DS12.3
F.1.16          Is there a media library to store Target Data?                                    N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A             N/A
F.1.16.1        Does the media library contain the following:                                     N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A             N/A
F.1.16.1.1      Motion sensors?                                                                   N/A                                       9.1.1.f      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A             DS12.1, DS12.2
                                                                                                  F.2 Physical Security Controls – Target
F.1.16.1.2      CCTV pointed at entry points?                                                     Data                                      9.1.1.e      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A             DS12.1, DS12.2
F.1.16.1.2.1    Media library monitored 24x7x365?                                                 N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A             N/A
F.1.16.1.2.2    Is CCTV digital?                                                                  N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A             N/A
F.1.16.1.2.3    Is CCTV stored for 90 days or greater?                                            N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A             N/A
                                                                                                  F.2 Physical Security Controls – Target
F.1.16.1.3      Mechanisms that thwart tailgating/piggybacking?                                   Data                                      9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A             DS12.2, DS12.3
F.1.16.1.4      Windows or glass walls along the perimeter?                                       N/A                                       9.1.1.b      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A             DS12.1, DS12.2
                                                                                                  F.2 Physical Security Controls – Target
F.1.16.1.4.1    Alarms on windows/glass walls?                                                    Data                                      9.1.1.f      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A             DS12.1, DS12.2
                                                                                                  F.2 Physical Security Controls – Target                                                                Protection of security
F.1.16.1.5      Walls extending from true floor to true ceiling?                                  Data                                      9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A             DS5.7, DS12.4
                                                                                                  F.1 Environmental Controls –                                                                           Protection of security
F.1.16.1.6      Air conditioning?                                                                 Computing Hardware                        9.2.1.f      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.1.7.1.3     DS5.7, DS12.4
                                                                                                  F.1 Environmental Controls –                                                                           Protection of security
F.1.16.1.7      Fluid or water sensor?                                                            Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.2.12.D.6    DS5.7, DS12.4
                                                                                                  F.1 Environmental Controls –                                                                           Protection of security
F.1.16.1.8      Heat detector?                                                                    Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A             DS5.7, DS12.4
                                                                                                                                                                                                         Protection of security
F.1.16.1.9      Plumbing above ceiling (excluding fire suppression system)?                       N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.1.7.1.7     DS5.7, DS12.4
                                                                                                  F.1 Environmental Controls –
F.1.16.1.10     Raised floor?                                                                     Computing Hardware                        N/A                                                 N/A                                   N/A       N/A       N/A             N/A
                                                                                                  F.1 Environmental Controls –                                                                           Protection of security                           OPS.1.7.1.6
F.1.16.1.11     Smoke detector?                                                                   Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.2.12.D.5    DS5.7, DS12.4
                                                                                                                                                                                                         Protection of security
F.1.16.1.12     Fire alarm?                                                                       N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A             DS5.7, DS12.4
                                                                                                  F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| F.1.16.1.13 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.2.12.D.5 | DS12.4 |
| F.1.16.1.14 | Dry fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | DS12.4 |
| F.1.16.1.15 | Chemical fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | DS12.4 |
| F.1.16.1.16 | Fire extinguishers? | N/A | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.16.2 | Is access to the media library restricted? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.16.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | RPS.2.C.1.3 | DS12.2, DS12.3 |
| F.1.16.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.2.5 | Are cipher locks (electronic or mechanical) used to control access to the media library? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.16.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.16.2.6 | Is there a process for approving access to the media library? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.2.7 | Is there a process to review access to the media library at least every six months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.2.8 | Is there segregation of duties for issuing and approving access to the media library via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| F.1.16.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.16.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3 |
| F.1.16.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.16.5 | Are visitors permitted into the media library? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17 | Is there a printer room to print Target Data? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1 | Does the printer room contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.1 | Motion sensors? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.17.1.1.1 | CCTV pointed at entry points? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.17.1.1.2 | Is the printer room monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.1.3 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.2 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| F.1.17.1.4 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.17.2 | Is access to the printer room restricted? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.17.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | RPS.2.C.1.3 | DS12.2, DS12.3 |
| F.1.17.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.2.5 | Are cipher locks (electronic or mechanical) used to control access to the printer room? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.17.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.17.2.6 | Is there a process for approving access to the printer room? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.2.7 | Is there a process to review access to the printer room at least every six months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.2.8 | Is there segregation of duties for issuing and approving access to the printer room via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| F.1.17.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.17.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3 |
| F.1.17.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.17.5 | Are visitors permitted in the printer room? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18 | Is there a secured work area where constituents access Target Data? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1 | Do secured work area(s) within the facility contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.1 | Motion sensors? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.18.1.2 | CCTV pointed at entry points? | F.2 Physical Security Controls – Target Data | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.18.1.2.1 | Are the secured work areas monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.2.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.1.4 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.18.1.4.1 | Alarms on windows/glass walls? | F.2 Physical Security Controls – Target Data | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.18.2 | Is access to the secured work area(s) restricted? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.18.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | RPS.2.C.1.3 | DS12.2, DS12.3 |
| F.1.18.2.1.1 | Are access logs regularly reviewed? | N/A | 10.1.1.h Documented operating procedures | N/A | N/A | N/A | N/A | AI1.1, AI4.4, DS13.1 |
| F.1.18.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.2.5 | Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.18.2.6 | Is there a process for approving access to the secured work areas? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.2.7 | Is there a process to review access to the secured work area(s) at least every six months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.2.8 | Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| F.1.18.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3 |
| F.1.18.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.18.5 | Are visitors permitted in the secured work area(s)? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.18.6 | Is there a clean desk policy? | N/A | 11.3.3 Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |
| F.1.18.6.1 | Is a clean desk review performed at least every six months? | N/A | 11.3.3 Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |
| F.1.18.7 | Do the secured work area(s) contain secured disposal containers, shred bins or shredders? | N/A | 10.1.1.f Documented operating procedures | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | OPS.2.12.E.13 | AI1.1, AI4.4, DS13.1 |
| F.1.18.8 | Are physical locks required on portable computers within secured work areas? | N/A | 11.7.1 Mobile computing and communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| F.1.18.8.1 | Are reviews performed at least every six months to ensure that portable computer locks are being used? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.18.9 | Is there a process for equipment removal from secured work areas? | N/A | 9.2.7 Removal of property | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS12.2 |
| F.1.19 | Is there a separate room for telecom equipment (e.g., PBX)? | N/A | N/A | N/A | N/A | N/A | OPS.1.7.1.2 | N/A |
| F.1.19.1 | Does the telecom closet/room contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.1 | Motion sensors? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.19.1.2 | CCTV pointed at entry points? | F.2 Physical Security Controls – Target Data | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| F.1.19.1.2.1 | Is the telecom closet/room monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.2.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.19.1.4 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.19.1.4.1 | Alarms on windows/glass walls? | F.2 Physical Security Controls – Target Data | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.19.1.5 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.19.1.6 | Air conditioning? | F.1 Environmental Controls – Computing Hardware | 9.2.1.f Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.3 | DS5.7, DS12.4 |
| F.1.19.1.7 | Fluid or water sensor? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.2.12.D.6 | DS5.7, DS12.4 |
| F.1.19.1.8 | Heat detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.19.1.9 | Plumbing above ceiling (excluding fire suppression system)? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.7 | DS5.7, DS12.4 |
| F.1.19.1.10 | Raised floor? | F.1 Environmental Controls – Computing Hardware | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.11 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | DS5.7, DS12.4 |
| F.1.19.1.12 | Fire alarm? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
                                                                                                     F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.1.19.1.13      Wet fire suppression?                                                               Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5       DS12.4
                                                                                                     F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.1.19.1.14      Dry fire suppression?                                                               Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5       DS12.4
                                                                                                     F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.1.19.1.15      Chemical fire suppression?                                                          Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5       DS12.4
                                                                                                                                                            Protecting against external and                 Protection against
F.1.19.1.16      Fire extinguishers?                                                                 N/A                                       9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       N/A                DS12.4
                                                                                                                                                                                                            Protection of security
F.1.19.2         Is access to the telecom closet/room restricted?                                    N/A                                       9.2.3.f.1    Cabling security                       DS5.7    technology                   N/A       N/A       OPS.1.8.2.1        DS5.7, DS12.4
                                                                                                     F.2 Physical Security Controls – Target
F.1.19.2.1       Are logs kept of all access?                                                        Data                                      9.1.2.b      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       RPS.2.C.1.3        DS12.2, DS12.3
F.1.19.2.2       Are badge readers used at points of entry?                                          N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
                                                                                                     F.2 Physical Security Controls – Target
F.1.19.2.3       Are biometric readers used at points of entry?                                      Data                                      9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
F.1.19.2.4       Are there locked doors requiring a key or PIN at points of entry?                   N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
                 Are cipher locks (electronic or mechanical) used to control access to the telecom   F.2 Physical Security Controls – Target
F.1.19.2.5       closet/room?                                                                        Data                                      9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
F.1.19.2.5.1     Are the codes changed at least every 90 days?                                       N/A                                       N/A                                                 N/A                                   N/A       N/A       N/A                N/A
                 Is the code changed whenever an authorized individual is terminated or
F.1.19.2.5.2     transferred to another role?                                                        N/A                                       8.3.3        Removal of access rights               PO7.8    Job change and termination   N/A       N/A       N/A                PO7.8, DS5.4
F.1.19.2.6       Is there a process for approving access to the telecom closet/room?                 H.7 Physical Access Authorization         9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
                 Is there a process to review access to the telecom closet/room at least every six
F.1.19.2.7       months?                                                                             N/A                                       9.1.2.e      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3

                 Is there segregation of duties for issuing and approving access to the telecom                                                                                                             Enterprise information                                              PO2.2, PO2.3, PO6.2,
F.1.19.2.8       closet/room via the use of badges/keys...?                                          N/A                                       11.1.1.h     Access control policy                  PO2.1    architecture model           N/A       N/A       N/A                DS5.2, DS5.3, DS5.4
F.1.19.2.9       Is there a process to report lost access cards / keys?                              N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
                                                                                                                                                            Public access, delivery, and loading                                                                                DS5.7, DS12.1,
F.1.19.3         Are there prop alarms on points of entry?                                           N/A                                       9.1.6        areas                                  AI7.10   System distribution          N/A       N/A       N/A                DS12.3
F.1.19.4         Do emergency doors only permit egress?                                              N/A                                       9.1.1.e      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A                DS12.1, DS12.2
F.1.19.5         Are visitors permitted in the telecom closet/room?                                  N/A                                       9.1.2        Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A                DS12.2, DS12.3
                                                                                                     F.1 Environmental Controls –
F.2              Do the target systems reside in a data center?                                      Computing Hardware                        N/A                                                 N/A                                   N/A       N/A       N/A                N/A
F.2.1            Is the data center shared with other tenants?                                       N/A                                       9.1.1.g      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A                DS12.1, DS12.2
F.2.2            Does the data center have the following:                                            N/A                                       N/A                                                 N/A                                   N/A       N/A       IS.2.E.4           N/A
                                                                                                     F.1 Environmental Controls –                                                                           Protection of   security
F.2.2.1          Air conditioning?                                                                   Computing Hardware                        9.2.1.f      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.1.7.1.3        DS5.7, DS12.4
                                                                                                     F.1 Environmental Controls –                                                                           Protection of   security
F.2.2.2          Fluid or water sensor?                                                              Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.2.12.D.6       DS5.7, DS12.4
                                                                                                     F.1 Environmental Controls –                                                                           Protection of   security
F.2.2.3          Heat detector?                                                                      Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A                DS5.7, DS12.4
                                                                                                                                                                                                            Protection of   security
F.2.2.4          Plumbing above ceiling (excluding fire suppression system)?                         N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.1.7.1.7        DS12.4, DS12.5
                                                                                                     F.1 Environmental Controls –
F.2.2.5          Raised floor?                                                                       Computing Hardware                        N/A                                                 N/A                                   N/A       N/A       N/A                N/A
                                                                                                     F.1 Environmental Controls –                                                                           Protection of security                           OPS.1.7.1.6
F.2.2.6          Smoke detector?                                                                     Computing Hardware                        9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       OPS.2.12.D.5       DS12.4, DS12.5
                                                                                                                                                                                                            Protection against
F.2.2.7          Uninterruptible Power Supply (UPS)?                                                 N/A                                       9.2.2        Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A                N/A
                                                                                                                                                                                                            Protection of security
F.2.2.8          Vibration alarm / sensor?                                                           N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A                DS12.4, DS12.5
                                                                                                                                                                                                            Protection of security
F.2.2.9          Fire alarm?                                                                         N/A                                       9.2.1.d      Equipment sitting and protection       DS5.7    technology                   N/A       N/A       N/A                DS12.4, DS12.5
                                                                                                     F.1 Environmental Controls –                           Protecting against external and                 Protection against                               OPS.1.7.1.6
F.2.2.10         Wet fire suppression?                                                               Computing Hardware                        9.1.4.c      environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5       DS12.4



The Shared Assessments Program                                                                                                                       Page 24 of 191                                                                                                     SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                   AUP 5.0 Relevance                                    ISO 27002:2005 Relevance                        COBIT 4.0 Relevance          PCI 1.1   PCI 1.2   FFIEC          COBIT 4.1 Relevance
                                                                                                   F.1 Environmental Controls –                         Protecting against external and                 Protection against                               OPS.1.7.1.6
F.2.2.11       Dry fire suppression?                                                               Computing Hardware                        9.1.4.c    environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5   DS12.4
                                                                                                   F.1 Environmental Controls –                         Protecting against external and                 Protection against                               OPS.1.7.1.6
F.2.2.12       Chemical fire suppression?                                                          Computing Hardware                        9.1.4.c    environmental threats                  DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.5   DS12.4
                                                                                                                                                        Protecting against external and                 Protection against
F.2.2.13       Fire extinguishers?                                                                 N/A                                       9.1.4.c    environmental threats                  DS12.4   environmental factors        N/A       N/A       N/A            DS12.4
                                                                                                                                                                                                        Protection against
F.2.2.14       Multiple power feeds?                                                               N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       OPS.1.7.1.1    DS12.4, DS12.5
                                                                                                                                                                                                        Protection against
F.2.2.14.1     Are the multiple power feeds fed from separate power substations?                   N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
                                                                                                                                                                                                        Protection against
F.2.2.15       Multiple communication feeds?                                                       N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
                                                                                                                                                                                                        Protection against
F.2.2.16       Emergency power off button?                                                         N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
                                                                                                                                                                                                        Protection against
F.2.2.17       Water pump?                                                                         N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       OPS.2.12.D.6   DS12.4, DS12.5
                                                                                                   F.1 Environmental Controls –                                                                         Protection against
F.2.2.18       UPS system?                                                                         Computing Hardware                        9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
                                                                                                                                                                                                        Protection against
F.2.2.18.1     Does it support N+1?                                                                N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
                                                                                                   F.1 Environmental Controls –                                                                         Protection against
F.2.2.19       Is/are there a generator(s)?                                                        Computing Hardware                        9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
                                                                                                                                                                                                        Protection against
F.2.2.19.1     Does it support N+1?                                                                N/A                                       9.2.2      Supporting utilities                   DS12.4   environmental factors        N/A       N/A       N/A            DS12.4, DS12.5
F.2.2.20       Is access to the data center restricted?                                            N/A                                       9.1.1.a    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.20.1     Are logs kept of all access?                                                        Data                                      9.1.2.b    Physical entry controls                DS12.2   Physical security measures   N/A       N/A       RPS.2.C.1.3    DS12.2, DS12.3
F.2.2.20.1.1   Are access logs regularly reviewed?                                                 N/A                                       10.1.1.h   Documented operating procedures        N/A                                   N/A       N/A       N/A            AI1.1, AI4.4, DS13.1
F.2.2.20.2     A process for requesting access to the data center?                                 H.7 Physical Access Authorization         9.1.2      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3

               Is there segregation of duties for issuing and approving access to the data                                                                                                              Enterprise information                                          PO2.2, PO2.3, PO6.2,
F.2.2.20.2.1   center?                                                                             N/A                                       11.1.1.h   Access control policy                  PO2.1    architecture model           N/A       N/A       N/A            DS5.2, DS5.3, DS5.4
F.2.2.20.3     A process to review access to the data center at least every six months?            N/A                                       9.1.1      Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
F.2.2.20.4     Are badge readers used at points of entry?                                          N/A                                       9.1.2      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.20.5     Are biometric readers used at points of entry?                                      Data                                      9.1.2      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
               Are there locked doors requiring a key or PIN used at points of entry to the data
F.2.2.20.6     center?                                                                             N/A                                       9.1.2      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.21       Is there a mechanism to thwart tailgating / piggybacking into the data center?      Data                                      9.1.2      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.22       Are there security guards at points of entry?                                       Data                                      9.1.1.c    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
F.2.2.22.1     Do the security guards monitor security systems and alarms?                         N/A                                       9.1.1.c    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
F.2.2.23       Are visitors permitted in the data center?                                          N/A                                       9.1.2      Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
F.2.2.23.1     Are they required to sign in and out of the data center?                            N/A                                       9.1.2.a    Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
F.2.2.23.2     Are they escorted within the data center?                                           N/A                                       9.1.2.c    Physical entry controls                DS12.2   Physical security measures   N/A       N/A       N/A            DS12.2, DS12.3
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.24       Are all entry and exit points to the data center alarmed?                           Data                                      9.1.1.f    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.24.1     Are there alarm motion sensors monitoring the data center?                          Data                                      9.1.1.f    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.24.2     Are there alarm contact sensors on the data center doors?                           Data                                      9.1.1.f    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
                                                                                                                                                        Public access, delivery, and loading                                                                            DS5.7, DS12.1,
F.2.2.24.3     Are there prop alarms on data center doors?                                         N/A                                       9.1.6      areas                                  AI7.10   System distribution          N/A       N/A       N/A            DS12.3
F.2.2.25       Do emergency doors only permit egress?                                              N/A                                       9.1.1.e    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
                                                                                                   F.2 Physical Security Controls – Target
F.2.2.26       CCTV used to monitor data center?                                                   Data                                      9.1.1.e    Physical security perimeter            DS12.1   Site selection and layout    N/A       N/A       N/A            DS12.1, DS12.2
F.2.2.26.1    | Pointed at entry points to the data center? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.2.26.2    | Monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.2.26.3    | Stored at least 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.2.27      | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS12.4, DS12.5
F.2.2.28      | Walls, doors and windows at least one hour fire rated? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS12.4, DS12.5
F.2.2.29      | Windows or glass walls along the perimeter? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.3         | Does the Target Data reside in a caged environment within a data center? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.3.1       | Does the caged environment have the following: | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | N/A | N/A
F.2.3.1.1     | Badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.1.2     | Biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.1.3     | Locks requiring a key or PIN used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.1.4     | A process for requesting access? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.3.1.5     | Segregation of duties for granting and storage of cage access and access devices (e.g., badges, keys, etc.)? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.3.1.6     | A list maintained of personnel with cards / keys to the caged environment? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.1.7     | A process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.2       | A process to review access to the cage at least every six months? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2




F.2.3.3       | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | H.6 Revoke Physical Access | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.4       | Are visitors permitted in the caged environment? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.4.1     | Are they required to sign in and out of the caged area? | N/A | 9.1.2.a Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.4.2     | Are they escorted within the cage? | N/A | 9.1.2.c Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.3.5       | CCTV used to monitor entry points to the caged environment? | F.2 Physical Security Controls – Target Data | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.3.5.1     | Monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.3.5.2     | Stored at least 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.4         | Does the Target Data reside in a locked cabinet(s)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.4.1       | Are cabinets shared? | N/A | 9.1.1.g Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.4.2       | Does the cabinet have the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.4.2.1     | Is access to the cabinet restricted? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.4.2.2     | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | RPS.2.C.1.3 | DS12.2, DS12.3
F.2.4.2.3     | A process for requesting access? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.4.2.4     | Segregation of duties for storage and granting of cabinet access devices (e.g., badges, keys, etc.)? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.4.2.5     | Segregation of duties in granting and approving access to the cabinet(s)? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
F.2.4.2.6     | A list maintained of personnel with cards / keys to the cabinet? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.4.2.7     | A process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.4.2.8     | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3
F.2.4.2.9     | Is CCTV used to monitor the cabinets? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2
F.2.4.2.9.1   | Monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.4.2.9.2   | Stored at least 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.4.3       | Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? | N/A | 11.3.2.a, 11.3.3 Unattended user equipment, Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7
F.2.4.4       | Is there a procedure for equipment removal from the data center? | N/A | 9.2.7 Removal of property | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS12.2
F.2.5         | Is there a preventive maintenance process or current maintenance contracts in place for the following: | N/A | N/A | N/A | N/A | N/A | OPS.1.7.1.8, OPS.2.12.D.7 | N/A
F.2.5.1       | UPS system? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, DS12.5, DS13.5
F.2.5.2       | Security system? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, DS12.5, DS13.5
F.2.5.3       | Generator? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, DS12.5, DS13.5
F.2.5.4       | Batteries? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, DS12.5, DS13.5
F.2.5.5       | Fire alarm? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, DS12.5, DS13.5
F.2.5.6       | Fire suppression systems? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | AI3.3, DS12.5, DS13.5
F.2.5.7       | HVAC? | N/A | 9.2.4 Equipment maintenance | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, DS12.5, DS13.5
F.2.6         | Are the following tested: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.6.1       | UPS system - annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.6.2       | Security alarm system - annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.6.3       | Fire alarms - annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.6.4       | Fire suppression system - annually? | N/A | N/A | N/A | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 | N/A
F.2.6.5       | Generators - monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
F.2.6.6       | Generators full load tested - monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A





              G. Communications and Operations Management
G.1           | Are operating procedures utilized? | N/A | 10.1.1 Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | MGMT.1.6.1.4, OPS.1.5, WPS.2.2.1.3.2, AUDIT.2.D.1.11 | AI1.1, AI4.4, DS13.1
G.1.1         | Are operating procedures documented, maintained, and made available to all users who need them? | N/A | 10.1.1 Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | OPS.1.4.4, AUDIT.2.D.1.3 | AI1.1, AI4.4, DS13.1
G.1.1.1       | Has it been approved by management? | N/A | 5.1.2 Review Of The Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.1.1.2       | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.1.1.3       | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.1.1.4       | Is there an owner to maintain and review the policy? | N/A | 10.1.1 Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | N/A | AI1.1, AI4.4, DS13.1
G.1.2         | Do procedures include the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.1.2.1       | Processing and handling of information? | N/A | 10.1.1.a Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | N/A | AI1.1, AI4.4, DS13.1
G.1.2.2       | Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? | N/A | 10.1.1.c Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | N/A | AI1.1, AI4.4, DS13.1
G.1.2.3       | Support contacts in the event of unexpected operational or technical difficulties? | N/A | 10.1.1.e Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | N/A | AI1.1, AI4.4, DS13.1
G.1.2.4       | System restart and recovery procedures for use in the event of system failure? | N/A | 10.1.1.g Documented Operating Procedure | AI1.1 Definition and maintenance of business functional and technical requirements | N/A | N/A | N/A | AI1.1, AI4.4, DS13.1
G.2           | Is there a formal operational change management / change control process? | G.21 Change Control | 10.1.2 Change Management | AI6.1 Change standards and procedures | 6.4 | 6.4 | IS.1.7.8, OPS.1.5.1.3 | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.1         | Is the operational change management process documented? | N/A | 10.1.2 Change Management | AI6.1 Change standards and procedures | N/A | N/A | N/A | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.1.1       | Has it been approved by management? | N/A | 5.1.2 Review Of The Information Security Policy | PO3.1 Technological direction planning | 6.4.2 | 6.4.2 | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
G.2.1.2       | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.2.1.3       | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
G.2.1.4       | Is there an owner to maintain and review the policy? | N/A | 10.1.2 Change Management | AI6.1 Change standards and procedures | N/A | N/A | N/A | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.2         | Does the change management / change control process require the following: | N/A | N/A | N/A | N/A | N/A | IS.1.2.5, IS.2.M.4.2, D&A.1.10.1.1 | N/A
G.2.2.1       | Documentation of changes? | N/A | 10.1.2.a Change Management | AI6.1 Change standards and procedures | 6.4.1 | 6.4.1 | D&A.1.7.1.3, D&A.1.7.1.5, D&A.1.10.1.1.3, D&A.1.10.1.1.5 | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.2.2       | Request, review and approval of proposed changes? | N/A | 10.1.2.a, 10.1.2.d Change Management | AI6.1 Change standards and procedures | 6.4.2 | 6.4.2 | D&A.1.5.1.7, D&A.1.7.1.1, D&A.1.10.1.1.1 | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.2.3       | Pre-implementation testing? | N/A | 10.1.2.b Change Management | AI6.1 Change standards and procedures | 6.4.3 | 6.4.3 | D&A.1.7.1.2, D&A.1.10.1.1.2 | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.2.4       | Post-implementation testing? | N/A | 10.1.2.b Change Management | AI6.1 Change standards and procedures | 6.4.3 | 6.4.3 | D&A.1.7.1.2, D&A.1.10.1.1.2 | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
G.2.2.5       | Review for potential security impact? | N/A | 10.1.2.c Change Management | AI6.1 Change standards and procedures | 6.4.1 | 6.4.1 | N/A | AI6.1, AI6.2, AI6.3, AI6.4, AI6.5
                                                                                                                                                                                      Change standards and                                                 AI6.1, AI6.2, AI6.3,
G.2.2.6        Review for potential operational impact?                                             N/A                   10.1.2.c     Change Management                      AI6.1   procedures                      6.4.1     6.4.1     D&A.1.7.1.4      AI6.4, AI6.5
                                                                                                                                                                                      Change standards and                                                 AI6.1, AI6.2, AI6.3,
G.2.2.7        Customer / client approval (when applicable)?                                        N/A                   10.1.2.d     Change Management                      AI6.1   procedures                      N/A       N/A       N/A              AI6.4, AI6.5
                                                                                                                                                                                      Change standards and                                D&A.1.7.1.6      AI6.1, AI6.2, AI6.3,
G.2.2.8        Changes are communicated to all relevant constituents?                               N/A                   10.1.2.e     Change Management                      AI6.1   procedures                      N/A       N/A       D&A.1.10.1.1.6   AI6.4, AI6.5
                                                                                                                                                                                      Change standards and                                D&A.1.10.1.1.4   AI6.1, AI6.2, AI6.3,
G.2.2.9        Rollback procedures?                                                                 N/A                   10.1.2.f     Change Management                      AI6.1   procedures                      6.4.4     6.4.4     D&A.1.11.1.6     AI6.4, AI6.5
                                                                                                                                                                                      Change standards and                                                 AI6.1, AI6.2, AI6.3,
G.2.2.10       Maintaining change control logs?                                                     N/A                   10.1.2       Change Management                      AI6.1   procedures                      N/A       N/A       N/A              AI6.4, AI6.5
G.2.2.11       Security approval?                                                                   N/A                   N/A                                                 N/A                                     N/A       N/A       N/A              N/A



The Shared Assessments Program                                                                                                  Page 27 of 191                                                                                                    SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                       AUP 5.0 Relevance                ISO 27002:2005 Relevance                        COBIT 4.0 Relevance             PCI 1.1      PCI 1.2      FFIEC               COBIT 4.1 Relevance
               Code reviews by information security prior to the implementation of internally                                                                                           Major upgrades to existing                                                    AI2.6, AI6.2, AI6.3,
G.2.2.12       developed applications and / or application updates?                                    N/A                 12.5.1       Change Control Procedures              AI2.6    systems                         N/A          N/A          N/A                 AI7.2

G.2.2.13         Information security's approval required prior to the implementation of changes?      N/A                 N/A                                                 N/A                                      6.4.2        6.4.2        N/A                 N/A
                 Are the following changes to the production environment subject to the change                                                                                          Change standards and                                                          AI6.1, AI6.2, AI6.3,
G.2.3            control process:                                                                      N/A                 10.1.2       Change Management                      AI6.1    procedures                      N/A          N/A          N/A                 AI6.4, AI6.5
                                                                                                                                                                                                                                                  IS.2.B.1.2
                                                                                                                                                                                                                                                  IS.2.B.2.1
G.2.3.1          Network?                                                                              N/A                 N/A                                                 N/A                                      N/A          N/A          IS.2.B.10.9         N/A
                                                                                                                                                                                        Change standards and                                                          AI6.1, AI6.2, AI6.3,
G.2.3.2          Systems?                                                                              N/A                 10.1.2       Change Management                      AI6.1    procedures                      N/A          N/A          N/A                 AI6.4, AI6.5
                                                                                                                                                                                        Change standards and                                                          AI6.1, AI6.2, AI6.3,
G.2.3.3          Application updates?                                                                  N/A                 10.1.2       Change Management                      AI6.1    procedures                      N/A          N/A          N/A                 AI6.4, AI6.5
                                                                                                                                                                                        Change standards and                                                          AI6.1, AI6.2, AI6.3,
G.2.3.4          Code changes?                                                                         N/A                 10.1.2       Change Management                      AI6.1    procedures                      N/A          N/A          N/A                 AI6.4, AI6.5
                                                                                                                                        Technical Review Of Applications After          Application security and                                                      AI2.6, AI6.2, AI6.3,
G.2.4            Are application owners notified of all operating system changes?                      N/A                 12.5.2.c     Operating System Changes               AI2.4    availability                    N/A          N/A          N/A                 AI7.2
G.2.5            Is the requestor of the change separate from the approver?                            N/A                 10.1.3       Segregation Of Duties                  PO4.11   Segregation of duties           N/A          N/A          N/A                 PO4.11, DS5.4
                                                                                                                                                                                                                                                  IS.1.6.8
                 Is there a segregation of duties for approving a change and those implementing                                                                                                                                                   MGMT.1.2.1.4
G.2.6            the change?                                                                           N/A                 10.1.3       Segregation Of Duties                  PO4.11   Segregation of duties           6.3.3        6.3.3        RPS.1.3.1.3         PO4.11, DS5.4
                                                                                                                                        Security In Development And Support                                                                                           AI2.4, AI7.4, AI7.6,
G.3              Is application development performed?                                                 N/A                 12.5         Processes                              N/A                                      N/A          N/A          N/A                 DS11.3, DS11.6
                 Is a development, test, staging, QA or production environment supported and
G.3.1            maintained?                                                                           N/A                 N/A                                                 N/A                                      N/A          N/A          D&A.1.9.1.6.4       N/A
G.3.1.1          Which of the following environments are supported:                                    N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.3.1.1.1        Development?                                                                          N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.3.1.1.2        Test?                                                                                 N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.3.1.1.3        QA?                                                                                   N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.3.1.1.4        Staging?                                                                              N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.3.1.1.5        Production?                                                                           N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
                                                                                                                                        Separation Of Development, Test, And
G.3.1.2          How are the production, test and development environments segregated:                 N/A                 10.1.4       Operational Facilities               PO4.11     Segregation of duties           3.2, 6.3.2   3.2, 6.3.2   N/A                 PO4.11, AI3.4, AI7.4
G.3.1.2.1        Logically?                                                                            N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.2.2        Physically?                                                                           N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.2.3        Both?                                                                                 N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.2.4        No segregation?                                                                       N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.3          Is data from multiple clients co-mingled in any of the following:                     N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.3.1        Servers?                                                                              N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.3.2        Database instances?                                                                   N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.3.3        SAN?                                                                                  N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.3.4        LPAR?                                                                                 N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
G.3.1.3.5        Other (Please explain in the "Additional Information" column)?                        N/A                 N/A                                               N/A                                        N/A          N/A          N/A                 N/A
                 Do third party vendors have access to Target Data (e.g., backup vendors, service
G.4              providers, equipment support vendors, etc)?                                           N/A                 N/A                                                 N/A                                      8.3          8.3          N/A                 N/A
G.4.1            Does a third party provide:                                                           N/A                 N/A                                                 N/A                                      N/A          N/A          O.1.2.1             N/A
G.4.1.1          Physical site (co-location, etc.)?                                                    N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.2          Site management?                                                                      N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.3          Network services - data?                                                              N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.4          Network services - telephony?                                                         N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.5          Firewall management?                                                                  N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.6          IDS (Intrusion Detection System)?                                                     N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.7          Router configuration and management?                                                  N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.8          Anti-virus?                                                                           N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.9          System admin. (server management and support)??                                       N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.10         Security administration?                                                              N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.11         Development?                                                                          N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.12         Managed host?                                                                         N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.13         Media vaulting (offsite storage)?                                                     N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.14         Physical security?                                                                    N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
                                                                                                                                                                                                                                                                      AI3.3, AI6.2, AI6.3,
G.4.1.15         Vulnerability assessment (ethical hack testing)?                                      N/A                 12.6.1       Control Of Technical Vulnerabilities   AI3.3    Infrastructure maintenance      N/A          N/A          N/A                 DS5.5, DS5.7, DS9.2
G.4.1.16         Security infrastructure engineering?                                                  N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.17         Business continuity management?                                                       N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
G.4.1.18         Other (Please explain in the "Additional Information" column)?                        N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A
                                                                                                                                                                                                                                                  IS.1.4.1.11
                                                                                                                                                                                                                                                  IS.1.5.1
                 Is there a process to review the security of a third party vendor prior to engaging                                                                                    Service level management                                  O.1.3.1.1           DS1.1, DS1.2, DS1.3,
G.4.2            their services?                                                                       N/A                 10.2.1       Service Delivery                       DS1.1    framework                       12.8         12.8         O.1.3.3             DS2.4
                                                                                                                                                                                                                                                  IS.1.4.1.11
                                                                                                                                                                                                                                                  IS.1.5.4
                 Is there a process to review the security of a third party vendor on an ongoing                                        Monitoring And Review Of Third Party            Monitoring and reporting of                               O.1.3.1.2
G.4.3            basis?                                                                                N/A                 10.2.2       Services                               DS1.5    service level achievements      N/A          N/A          O.2.D.1             DS1.5, DS2.4, ME2.6
                                                                                                                                                                                                                                                  IS.1.5.1 IS.1.5.4   PO4.14, DS2.1,
                                                                                                                                        Identification Of Risks Related To              Contracted staff policies and                             O.1.2.1 O.1.3.5     DS2.3, DS5.4, DS5.9,
G.4.4            Are risk assessments or reviews conducted on your third parties?                      N/A                 6.2.1        External Parties                       PO4.14   procedures                      N/A          N/A          IS.2.J.2            DS5.11, DS12.3
G.4.5            Have third party vendors undergone a security audit in the last 12 months?            N/A                 N/A                                                 N/A                                      N/A          N/A          IS.1.5.4            N/A
G.4.6            Are third parties required to adhere to your policies and standards?                  N/A                 N/A                                                 N/A                                      N/A          N/A          N/A                 N/A




The Shared Assessments Program                                                                                                   Page 28 of 191                                                                                                             SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                 AUP 5.0 Relevance                                 ISO 27002:2005 Relevance                        COBIT 4.0 Relevance              PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance
                                                                                                                                                                                                                                                                           PO4.14, PO6.4,
                                                                                                                                                                                                                                                                           PO8.3, AI5.2, DS2.2,
               Are confidentiality agreements and/or Non Disclosure Agreements required of                                                         Addressing Security In Third Party              Contracted staff policies and                                           DS2.3, DS2.4, DS5.1,
G.4.7          third party vendors?                                                              N/A                                   6.2.3.b.7   Agreements                             PO4.14   procedures                       N/A       N/A       IS.1.5.3           ME2.6
               Are third party vendors required to notify of any changes that might affect                                                         Managing Changes To Third Party                 Monitoring and reporting of
G.4.8          services rendered?                                                                N/A                                   10.2.3      Services                               DS1.5    service level achievements       N/A       N/A       N/A                DS1.5, DS2.2, DS2.3
G.4.9          Are any of the following outsourced to an offshore third party vendor:            N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.1        Physical site (co-location, etc.)?                                                N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.2        Site management?                                                                  N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.3        Network services - data?                                                          N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.4        Network services - telephony?                                                     N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.5        Firewall management?                                                              N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.6        IDS (Intrusion Detection System)?                                                 N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.7        Router configuration and management?                                              N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.8        Anti-virus?                                                                       N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.9        System admin. (server management and support)??                                   N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.10       Security administration?                                                          N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.11       Development?                                                                      N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.12       Managed host?                                                                     N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.4.9.13       Other (Please explain in the "Additional Information" column)?                    N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A
                                                                                                                                                                                                   Performance and capacity                             E-BANK.1.4.3.1
G.5            Are system resources reviewed to ensure adequate capacity is maintained?          N/A                                   10.3.1      Capacity Management                    DS3.1    planning                         N/A       N/A       RPS.1.1.5.3        DS3.1, DS3.2, DS3.3
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
               Are criteria for accepting new information systems, upgrades, and new versions                                                                                                                                                                              AI2.4, AI2.8, AI4.4,
G.6            established?                                                                      N/A                                   10.3.2      System acceptance                      PO3.4    Technology standards             N/A       N/A       D&A.1.6.1.9        AI7.7
G.6.1          Are the following criteria taken into consideration prior to formal acceptance?   N/A                                   N/A         System acceptance                      N/A                                       N/A       N/A       N/A                N/A
                                                                                                                                                                                                                                                        D&A.1.6.1.9.2      PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                        OPS.1.5.1.1        AI2.4, AI2.8, AI4.4,
G.6.1.1        Performance and computer capacity requirements?                                   N/A                                   10.3.2.a    System acceptance                      PO3.4    Technology standards             N/A       N/A       RPS.1.1.5.3        AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                                           AI2.4, AI2.8, AI4.4,
G.6.1.2        Error recovery and restart procedures?                                            N/A                                   10.3.2.b    System acceptance                      PO3.4    Technology standards             N/A       N/A       N/A                AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                                           AI2.4, AI2.8, AI4.4,
G.6.1.3        Preparation and testing of routine operating procedures to defined standards?     N/A                                   10.3.2.c    System acceptance                      PO3.4    Technology standards             N/A       N/A       D&A.1.6.1.10.4     AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                                           AI2.4, AI2.8, AI4.4,
G.6.1.4        Agreed set of security controls in place?                                         N/A                                   10.3.2.d    System acceptance                      PO3.4    Technology standards             N/A       N/A       D&A.1.6.1.9.1      AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                                           AI2.4, AI2.8, AI4.4,
G.6.1.5        Effective manual procedures?                                                      N/A                                   10.3.2.e    System acceptance                      PO3.4    Technology standards             N/A       N/A       N/A                AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                                           AI2.4, AI2.8, AI4.4,
G.6.1.6        Business continuity arrangements?                                                 N/A                                   10.3.2.f    System acceptance                      PO3.4    Technology standards             N/A       N/A       BCP.1.4.3.2        AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
               Evidence that installation of the new system will not adversely affect existing                                                                                                                                                                             AI2.4, AI2.8, AI4.4,
G.6.1.7        systems, particularly at peak processing times, such as month end?                N/A                                   10.3.2.g    System acceptance                      PO3.4    Technology standards             N/A       N/A       N/A                AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
               Evidence that consideration has been given to the effect the new system has on                                                                                                                                                                              AI2.4, AI2.8, AI4.4,
G.6.1.8        the overall security of the organization?                                         N/A                                   10.3.2.h    System acceptance                      PO3.4    Technology standards             N/A       N/A       N/A                AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
                                                                                                                                                                                                                                                                           AI2.4, AI2.8, AI4.4,
G.6.1.9        Training in the operation or use of new systems?                                  N/A                                   10.3.2.i    System acceptance                      PO3.4    Technology standards             N/A       N/A       N/A                AI7.7
                                                                                                                                                                                                                                                                           PO3.4, AI1.1, AI1.4,
               Are suitable tests of the system(s) carried out during development and prior to                                                                                                                                                                             AI2.4, AI2.8, AI4.4,
G.6.2          acceptance?                                                                       N/A                                   10.3.2      System acceptance                      PO3.4    Technology standards             N/A       N/A       N/A                AI7.7
                                                                                                                                                                                                   Malicious software prevention,                       IS.1.4.1.2.2
G.7            Are anti-virus products used?                                                     N/A                                   10.4.1      Controls Against Malicious Code        DS5.9    detection and correction         5.1       5.1       IS.2.D.5           DS5.9
                                                                                                                                                                                                                                                        IS.1.4.1.3.4
                                                                                                                                                                                                   Malicious software prevention,                       IS.1.4.1.4.4
G.7.1          Is there an anti-virus / malware policy or process?                               N/A                                   10.4.1.e    Controls Against Malicious Code        DS5.9    detection and correction         5.2       5.2       IS.1.4.1.7         DS5.9

                                                                                                                                                                                                                                                                           PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                           PO6.3, PO9.4, DS5.2,
                                                                                                                                                   Review Of The Information Security              Technological direction                                                 DS5.3, ME2.2, ME2.5,
G.7.1.1        Has it been approved by management?                                               N/A                                   5.1.2       Policy                                 PO3.1    planning                         N/A       N/A       N/A                ME2.7, ME4.7
                                                                                                                                                                                                                                                                           PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                   IT policy and control                                                   PO6.5, DS5.2, DS5.3,
G.7.1.2        Has the policy been published?                                                    N/A                                   5.1.1       Information Security Policy Document   PO6.1    environment                      N/A       N/A       N/A                ME2.1
                                                                                                                                                                                                                                                                           PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                   IT policy and control                                                   PO6.5, DS5.2, DS5.3,
G.7.1.3        Has it been communicated to appropriate constituents?                             N/A                                   5.1.1       Information Security Policy Document   PO6.1    environment                      N/A       N/A       N/A                ME2.1

                                                                                                                                                                                                                                                                           PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                           PO6.3, PO9.4, DS5.2,
                                                                                                                                                   Review Of The Information Security              Technological direction                                                 DS5.3, ME2.2, ME2.5,
G.7.1.4        Is there an owner to maintain and review the policy?                              N/A                                   5.1.2       Policy                                 PO3.1    planning                         N/A       N/A       N/A                ME2.7, ME4.7
G.7.2          Has anti-virus software been installed on the following:                          N/A                                   N/A                                                N/A                                       5.1       5.1       N/A                N/A
G.7.2.1        Workstations?                                                                     G.6 Virus Protection (Workstations)   N/A                                                N/A                                       N/A       N/A       N/A                N/A
G.7.2.2        Mobile devices (e.g., PDA, blackberry, palm pilot, etc.)?                         N/A                                   N/A                                                N/A                                       N/A       N/A       N/A                N/A



The Shared Assessments Program                                                                                                             Page 29 of 191                                                                                                          SIG to Industry Standard Relevance
SIG Question #   SIG Question Text                                                               AUP 5.0 Relevance                             ISO 27002:2005 Relevance                       COBIT 4.0 Relevance              PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance
G.7.2.3          Windows servers?                                                                G.5 Virus Protection (Servers)   N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.2.4          UNIX and UNIX-based systems (e.g., Linux, Sun Solaris, HP-UX, etc.)?            N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.2.5          Email servers?                                                                  N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.3            Is there a process for emergency anti-virus signature updates?                  N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
                                                                                                                                                                                              Malicious software prevention,
G.7.4            How frequently do systems automatically check for new signature updates:        N/A                              10.4.1.d     Controls Against Malicious Code        DS5.9   detection and correction         5.2       5.2       N/A                DS5.9
G.7.4.1          An hour or less?                                                                N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.4.2          One day or less?                                                                N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.4.3          One week or less?                                                               N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.4.4          One month or less?                                                              N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
                 What is the interval between the availability of the signature update and its                                                                                                Malicious software prevention,
G.7.5            deployment:                                                                     N/A                              10.4.1.d     Controls Against Malicious Code        DS5.9   detection and correction         N/A       N/A       N/A                DS5.9
G.7.5.1          An hour or less?                                                                N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.5.2          One day or less?                                                                N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.5.3          One week or less?                                                               N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
G.7.5.4          One month or less?                                                              N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
                                                                                                                                                                                              Malicious software prevention,
G.7.6            Are workstation scans scheduled daily?                                          N/A                              10.4.1.d     Controls Against Malicious Code        DS5.9   detection and correction         11.2      11.2      N/A                DS5.9
                                                                                                                                                                                              Malicious software prevention,
G.7.6.1          If not, is on-access / real-time scanning enabled on all workstations?          N/A                              10.4.1.d     Controls Against Malicious Code        DS5.9   detection and correction         N/A       N/A       N/A                DS5.9
                                                                                                                                                                                              Malicious software prevention,
G.7.7            Are servers scans scheduled daily?                                              N/A                              10.4.1.d     Controls Against Malicious Code        DS5.9   detection and correction         11.1      11.1      N/A                DS5.9
                                                                                                                                                                                              Malicious software prevention,
G.7.7.1          If not, is on-access / real-time scanning enabled on all servers?               N/A                              10.4.1.d     Controls Against Malicious Code        DS5.9   detection and correction         N/A       N/A       N/A                DS5.9
G.7.8            Can a non-administrative user disable anti-virus software?                      N/A                              N/A                                                 N/A                                      N/A       N/A       N/A                N/A
                 Are reviews conducted at least monthly to detect unapproved files or                                                                                                         Malicious software prevention,
G.7.9            unauthorized changes?                                                           N/A                              10.4.1.c     Controls Against Malicious Code        DS5.9   detection and correction         N/A       N/A       N/A                DS5.9
                                                                                                                                                                                                                                                                      DS4.9, DS11.2,
G.8              Are system backups of Target Data performed?                                    N/A                              10.5.1       Information Back-Up                    DS4.9   Offsite backup storage           12.9.1b   12.9.1b   BCP.1.4.1.2        DS11.5, DS11.6
                                                                                                                                                                                                                                                                      DS4.9, DS11.2,
G.8.1            Is there a policy surrounding backup of production data?                        N/A                              10.5.1       Information Back-Up                    DS4.9   Offsite backup storage           N/A       N/A       IS.2.I.1           DS11.5, DS11.6

                                                                                                                                                                                                                                                                      PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                      PO6.3, PO9.4, DS5.2,
                                                                                                                                               Review Of The Information Security             Technological direction                                                 DS5.3, ME2.2, ME2.5,
G.8.1.1          Has it been approved by management?                                             N/A                              5.1.2        Policy                                 PO3.1   planning                         N/A       N/A       N/A                ME2.7, ME4.7
                                                                                                                                                                                                                                                                      PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                              IT policy and control                                                   PO6.5, DS5.2, DS5.3,
G.8.1.2          Has the policy been published?                                                  N/A                              5.1.1        Information Security Policy Document   PO6.1   environment                      N/A       N/A       N/A                ME2.1
                                                                                                                                                                                                                                                                      PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                              IT policy and control                                                   PO6.5, DS5.2, DS5.3,
G.8.1.3          Has it been communicated to appropriate constituents?                           N/A                              5.1.1        Information Security Policy Document   PO6.1   environment                      N/A       N/A       N/A                ME2.1

                                                                                                                                                                                                                                                                      PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                      PO6.3, PO9.4, DS5.2,
                                                                                                                                               Review Of The Information Security             Technological direction                                                 DS5.3, ME2.2, ME2.5,
G.8.1.4          Is there an owner to maintain and review the policy?                            N/A                              5.1.2        Policy                                 PO3.1   planning                         N/A       N/A       N/A                ME2.7, ME4.7
                                                                                                                                                                                                                                                   OPS.1.6.2          DS4.9, DS11.2,
G.8.2            Does the policy/process include the following:                                  N/A                              10.5.1       Information Back-Up                    DS4.9   Offsite backup storage           12.9.1    12.9.1    WPS.2.10.2.1       DS11.5, DS11.6
                                                                                                                                                                                                                                                                      DS4.9, DS11.2,
G.8.2.1          Accurate and complete records of backup copies?                                 N/A                              10.5.1.b     Information Back-Up                    DS4.9   Offsite backup storage           12.9.1    12.9.1    N/A                DS11.5, DS11.6
                                                                                                                                                                                                                                                                      DS4.9, DS11.2,
G.8.2.2          Restoration procedures?                                                         N/A                              10.5.1.b     Information Back-Up                    DS4.9   Offsite backup storage           N/A       N/A       N/A                DS11.5, DS11.6
G.8.2.3 | The extent and frequency of backups? | N/A | 10.5.1.c Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.4 | A requirement to store backups to avoid any damage from a disaster at the main site? | N/A | 10.5.1.d Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | BCP.1.4.1.3; BCP.1.4.3.4 | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.5 | A requirement to test backup media at least annually? | N/A | 10.5.1.f Information Back-Up | DS4.9 Offsite backup storage | 12.9.2 | 12.9.2 | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.6 | The review and testing of restoration procedures? | N/A | 10.5.1.g Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.2.7 | A requirement for classified Target Data to be encrypted? | N/A | 10.5.1.h Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.3 | Is backup of Target Data performed: | N/A | 10.5.1 Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | OPS.1.6.4 | DS4.9, DS11.2, DS11.5, DS11.6
G.8.3.1 | Real-time? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.3.2 | Daily? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.3.3 | Weekly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.3.4 | Monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.3.5 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.3.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4 | Is backup data retained: | N/A | 10.5.1 Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.4.1 | One day or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4.2 | One week or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4.3 | One month or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4.4 | Six months or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4.5 | One year or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4.6 | One to seven years? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.4.7 | Seven years or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.5 | Are tests performed regularly to determine: | G.20 Backup Media Restoration | 10.5.1.f Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | OPS.1.6.7 | DS4.9, DS11.2, DS11.5, DS11.6
G.8.5.1 | Successful backup of data? | N/A | 10.5.1.f Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.5.2 | Ability to recover the data? | N/A | 10.5.1.f Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.5.3 | Is Target Data encrypted on backup media? | N/A | 10.5.1.h Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.6 | Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary? | N/A | 10.5.1.h Information Back-Up | DS4.9 Offsite backup storage | 3.5.2 | 3.5.2 | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7 | Is access to backup media: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.7.1 | Restricted to authorized personnel only? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7.2 | Formally requested? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7.3 | Formally approved? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.7.4 | Logged? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8 | Is backup media stored offsite? | N/A | 10.5.1.d Information Back-Up | DS4.9 Offsite backup storage | 9.5 | 9.5 | BCP.1.4.2.5 | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.1 | For offsite media, are there processes to address: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.1.1 | Secure transport? | N/A | 10.8.3 Physical Media In Transit | DS5.11 Exchange of sensitive data | N/A | N/A | N/A | DS11.6
G.8.8.1.2 | Tracking shipments? | N/A | 10.8.2.a & 10.8.2.b Exchange Agreements | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO3.4, AI5.2, DS2.3
G.8.8.1.3 | Verification of receipt? | N/A | 10.8.2.a & 10.8.2.b Exchange Agreements | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO3.4, AI5.2, DS2.3
G.8.8.1.4 | Destruction of offsite backup media? | N/A | 10.7.2.a Disposal Of Media | DS11.3 Media library management system | 9.1 | 9.1 | N/A | DS11.3, DS11.4
G.8.8.1.5 | Rotation of offsite backup media? | N/A | 10.8.3 Physical Media In Transit | DS5.11 Exchange of sensitive data | N/A | N/A | N/A | DS11.6
G.8.8.2 | How long is backup data retained offsite: | N/A | 10.5.1 Information Back-Up | DS4.9 Offsite backup storage | 3.1 | 3.1 | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.2.1 | One day or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.2.2 | One week or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.2.3 | One month or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.2.4 | Six months or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.2.5 | One year or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.2.6 | One to seven years? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.2.7 | Seven years or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.3 | Are tests performed regularly to determine: | N/A | N/A | N/A | N/A | N/A | OPS.1.6.7 | N/A
G.8.8.3.1 | Successful backup of data? | N/A | 10.5.1.f Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.3.2 | Ability to recover the data? | N/A | 10.5.1.f Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.3.3 | Is Target Data encrypted on offsite backup media? | N/A | 10.5.1.h Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4 | Is access to offsite backup media: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.8.8.4.1 | Restricted to authorized personnel only? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4.2 | Formally requested? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4.3 | Formally approved? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.8.8.4.4 | Logged? | N/A | 10.5.1.e Information Back-Up | DS4.9 Offsite backup storage | N/A | N/A | N/A | DS4.9, DS11.2, DS11.5, DS11.6
G.9 | Are there external network connections (Internet, Intranet, Extranet, etc.)? | N/A | N/A | N/A | N/A | N/A | IS.1.2.3; OPS.1.4.2; OPS.1.4.3; E-BANK.1.4.2.4 | N/A
G.9.1 | Is there a documented process for securing and hardening network devices? | N/A | 10.6.1.e Network Controls | PO4.11 Segregation of duties | 2.2 | 2.2 | IS.2.B.1; OPS.1.5.1.5; AUDIT.2.D.1.14 | PO4.1, DS5.9, DS5.11
G.9.1.1 | If so, does it address the following items: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.9.1.1.1 | Base installation and configuration standards? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.9.1.1.2 | Establishing strong password controls? | H.1 Password Controls | 11.5.3 Password Management System | DS5.3 Identity management | N/A | N/A | N/A | DS5.4
G.9.1.1.3 | Changing default passwords? | N/A | 11.2.3.h User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3
G.9.1.1.4 | SNMP community strings changed? | N/A | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS5.9, DS5.11
G.9.1.1.5 | Establishing and maintaining access controls? | N/A | 11.5.4.i Use Of System Utilities | AI6.3 Emergency changes | N/A | N/A | N/A | AI6.3, DS5.7
G.9.1.1.6 | Removing known vulnerable configurations? | N/A | 12.6.1.a Control Of Technical Vulnerabilities | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.1.1.7 | Version management? | N/A | 12.6.1 Control Of Technical Vulnerabilities | AI3.3 Infrastructure maintenance | N/A | N/A | N/A | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.1.1.8 | Disabling unnecessary services? | N/A | 11.4.4 Remote Diagnostic And Configuration Port Protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS5.9, DS5.11
G.9.1.1.9 | Remote equipment management? | N/A | 10.6.1.b Network Controls | PO4.11 Segregation of duties | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11
G.9.1.1.10 | Logging of all patches? | N/A | 12.6.1.h Control Of Technical Vulnerabilities | AI3.3 Infrastructure maintenance | N/A | N/A | OPS.2.12.A.3.5 | AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
                                                                                                                                                                                                                                                                              AI3.3, AI6.2, AI6.3,
G.9.1.1.11     High risk systems are patched first?                                              N/A                                   12.6.1.j      Control Of Technical Vulnerabilities   AI3.3    Infrastructure maintenance          N/A       N/A       N/A              DS5.5, DS5.7, DS9.2
               Are network devices regularly reviewed and/or monitored for continued                                                                                                                 Security testing, surveillance                          IS.2.B.10.10
G.9.1.2        compliance to security requirements?                                              N/A                                   15.2.2        Technical Compliance Checking          DS5.5    and monitoring                      N/A       N/A       WPS.1.2.1.1      DS5.5, DS5.7, ME2.5


                                                                                                                                                                                                                                                                              PO4.8, PO6.2, ME2.1,
                                                                                                                                                     Compliance With Security Policies And           Responsibility for risk, security                                        ME2.2, ME2.3, ME2.4,
G.9.1.2.1      Is non-compliance reported and resolved?                                          N/A                                   15.2.1        Standards                             PO4.8     and compliance                      N/A       N/A       N/A              ME2.5, ME2.6, ME2.7
                                                                                                                                                                                                                                                             IS.1.4.1.2.2
                                                                                                                                                                                                                                                             IS.2.B.9.1
G.9.2          Is every connection to an external network terminated at a firewall?              G.17 Network Security – Firewall(s)   11.4.5        Segregation In Networks                DS5.10   Network security                    N/A       N/A       IS.2.B.9.3       DS5.9, DS5.11
                                                                                                                                                                                                                                                             IS.2.B.2.2
               Are network devices configured to prevent communications from unapproved                                                                                                                                                                      IS.2.B.10.4
G.9.3          networks?                                                                         G.17 Network Security – Firewall(s)   11.4.5        Segregation In Networks                DS5.10   Network security                    N/A       N/A       IS.2.M.4.3       DS5.9, DS5.11
G.9.4          Are routing protocols configured to use authentication?                           N/A                                   11.4.7        Network Routing Control                DS5.10   Network security                    N/A       N/A       N/A              DS5.9, DS5.11

G.9.5          Do network devices deny all access by default?                                    N/A                                   11.1.1.B      Access Control Policy                  PO2.1    Enterprise information architecture model   N/A       N/A       IS.2.B.10.3      PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.9.6          Is there a process to request, approve, log, and review access to networks across network devices?   N/A                                   11.4.1.b      Policy On Use Of Network Services      DS5.3    Identity management                 N/A       N/A       IS.2.B.7, IS.2.B.10.2   DS5.9, DS5.11
G.9.7          Are network traffic events logged to support historical or incident research?     G.4 Network Logging                   10.6.1.d      Network Controls                       PO4.11   Segregation of duties               N/A       N/A       IS.2.B.9.4, IS.2.M.5   PO4.1, DS5.9, DS5.11
G.9.7.1        Do network device logs contain the following:                                     G.4 Network Logging                   10.6.1.d      Network Controls                       PO4.11   Segregation of duties               N/A       N/A       IS.2.A.7, IS.2.B.12, IS.2.B.17.5   PO4.1, DS5.9, DS5.11
G.9.7.1.1      Source IP address?                                                                N/A                                   10.10.1.j     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.2      Source TCP port?                                                                  N/A                                   10.10.1.j     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.3      Destination IP address?                                                           N/A                                   10.10.1.j     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.4      Destination TCP port?                                                             N/A                                   10.10.1.j     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.5      Protocol?                                                                         N/A                                   10.10.1.j     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.6      Device errors?                                                                    N/A                                   10.10.5       Fault Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.7      Configuration change time?                                                        N/A                                   10.10.1.b & 10.10.1.f   Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.8      User ID making configuration change?                                              N/A                                   10.10.1.a & 10.10.1.f   Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.9      Security alerts?                                                                  N/A                                   10.10.1.d & 10.10.1.e   Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.10     Successful logins?                                                                N/A                                   10.10.1.d     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.11     Failed login attempts?                                                            N/A                                   10.10.1.d     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       AUDIT.2.D.1.18   AI2.3, DS5.7
G.9.7.1.12     Configuration changes?                                                            N/A                                   10.10.1.f     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.13     Administrative activity?                                                          N/A                                   10.10.4       Administrator And Operator Logs        DS5.5    Security testing, surveillance and monitoring   N/A       N/A       N/A              DS5.5, DS5.7, ME2.2, ME2.5
G.9.7.1.14     Disabling of audit logs?                                                          N/A                                   10.10.1.l     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       IS.2.B.13        AI2.3, DS5.7
G.9.7.1.15     Deletion of audit logs?                                                           N/A                                   10.10.1.l     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.16     Changes to security settings?                                                     N/A                                   10.10.1.f     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.17     Changes to access privileges?                                                     N/A                                   10.10.1.g     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.1.18     Event date and time?                                                              N/A                                   10.10.1.b     Audit Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.2        In the event of a network device audit log failure, does the network device:      N/A                                   10.10.5       Fault Logging                          AI2.3    Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.9.7.2.1      Generate an alert?                                                                N/A                                   N/A                                                  N/A                                          N/A       N/A       N/A              N/A
G.9.7.2.2      Prevent further connections?                                                      N/A                                   N/A                                                  N/A                                          N/A       N/A       N/A              N/A
G.9.7.2.3      Continue operating normally?                                                      N/A                                   N/A                                                  N/A                                          N/A       N/A       N/A              N/A
G.9.7.3        Are network system audit log sizes monitored to ensure availability of disk space?   N/A                                   10.10.3.c     Protection Of Log Information          DS5.5    Security testing, surveillance and monitoring   N/A       N/A       N/A              DS5.5, DS5.7
G.9.7.4        Is the overwriting of audit logs disabled?                                        N/A                                   10.10.3.b     Protection Of Log Information          DS5.5    Security testing, surveillance and monitoring   N/A       N/A       N/A              DS5.5, DS5.7
G.9.7.5        Are audit logs backed up?                                                         N/A                                   10.10.3       Protection Of Log Information          DS5.5    Security testing, surveillance and monitoring   N/A       N/A       N/A              DS5.5, DS5.7
G.9.7.6        Are the logs from network devices aggregated to a central server?                 N/A                                   10.10.3       Protection Of Log Information          DS5.5    Security testing, surveillance and monitoring   N/A       N/A       IS.2.M.1.1, IS.2.M.7   DS5.5, DS5.7
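G.9.7.1 lists the fields a network device log must carry and G.9.7.2.1 asks whether a logging failure raises an alert; an assessor checking these answers normally samples the device's actual log export rather than taking the questionnaire at face value. The following is an added example of such a check in Python; it is not code from the Shared Assessments Program or from this mapping document. The record format (ISO 8601 timestamp, host name, then key=value pairs), the field and event names, and the sample lines are all constructed for the example; real vendor syslog formats differ and the parser would need adapting. It reports connection records that lack the G.9.7.1.1 to G.9.7.1.5 and G.9.7.1.18 fields and surfaces configuration-change and audit-log tampering events (G.9.7.1.12, G.9.7.1.14, G.9.7.1.15) that should have produced an alert.

```python
"""Check network device log records against the SIG G.9.7.1 field checklist.

Added example; not part of the SIG, the AUP or this mapping document. The
record format, field names, event names and sample lines are constructed.
"""
import re

# Fields a connection record must carry, keyed by the SIG sub-question that
# asks for them. The key=value names on the right are our assumption.
CONNECTION_FIELDS = {
    "G.9.7.1.1": "src",      # source IP address
    "G.9.7.1.2": "sport",    # source port
    "G.9.7.1.3": "dst",      # destination IP address
    "G.9.7.1.4": "dport",    # destination port
    "G.9.7.1.5": "proto",    # protocol
    "G.9.7.1.18": "ts",      # event date and time (taken from the line prefix)
}

# Events that must be retained and alerted on, keyed by the constructed
# event name used in the sample lines.
SENSITIVE_EVENTS = {
    "config_change": "G.9.7.1.12",
    "priv_change": "G.9.7.1.17",
    "audit_disabled": "G.9.7.1.14",
    "audit_deleted": "G.9.7.1.15",
}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<host>\S+) (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of fields for one log line, or None if it is not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for key, value in KV_RE.findall(m.group("body")):
        rec[key] = value.strip('"')
    return rec


def missing_fields(rec):
    """SIG sub-questions whose field is absent from a connection record."""
    return sorted(q for q, f in CONNECTION_FIELDS.items() if f not in rec)


def review_log(lines):
    """Summarise how well a batch of records supports G.9.7.1 and G.9.7.2.1.

    Returns counts of parsed and unparsed lines, the connection records that
    lack required fields, and the sensitive events that should have alerted.
    """
    summary = {"records": 0, "unparsed": 0, "incomplete": [], "alerts": []}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary["records"] += 1
        event = rec.get("event")
        if event == "conn":
            gaps = missing_fields(rec)
            if gaps:
                summary["incomplete"].append((rec["ts"], gaps))
        elif event in SENSITIVE_EVENTS:
            summary["alerts"].append(
                (rec["ts"], rec.get("user", "unknown"), event, SENSITIVE_EVENTS[event])
            )
    return summary


# Constructed sample: a complete deny, a permit that lacks the source port,
# a configuration change, an audit-log disable, and an unparseable line.
SAMPLE_LINES = [
    "2009-03-01T10:00:01Z fw1 event=conn action=deny src=203.0.113.7 sport=51234 dst=192.0.2.10 dport=22 proto=tcp",
    "2009-03-01T10:00:02Z fw1 event=conn action=permit src=198.51.100.4 dst=192.0.2.25 dport=443 proto=tcp",
    '2009-03-01T10:05:00Z fw1 event=config_change user=admin msg="access-list 101 modified"',
    "2009-03-01T10:06:00Z fw1 event=audit_disabled user=admin",
    "malformed line with no timestamp",
]

if __name__ == "__main__":
    result = review_log(SAMPLE_LINES)
    print(f"{result['records']} records parsed, {result['unparsed']} unparsed")
    for ts, gaps in result["incomplete"]:
        print(f"{ts}: connection record missing {', '.join(gaps)}")
    for ts, user, event, sig in result["alerts"]:
        print(f"{ts}: {event} by {user} should have raised an alert ({sig})")
```

Run against a real export, the "unparsed" count is itself evidence: lines the parser cannot read are lines an analyst cannot search during incident research (G.9.7), and a large share of them usually means the device is not logging in the format the logging standard claims.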
G.9.8          Are security patches regularly reviewed and applied to network devices?           N/A                                   12.6.1.d      Control Of Technical Vulnerabilities   AI3.3    Infrastructure maintenance          N/A       N/A       IS.2.B.9.5, D&A.1.11.1.2   AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.9.9          Is there an approval process prior to implementing or installing a network device?   N/A                                   10.1.2.d      Change Management                      AI6.1    Change standards and procedures     N/A       N/A       IS.2.B.9.6       AI6.1, AI6.2, AI6.3, AI6.4, AI6.5



G.9.10         Is communication through the network device controlled at both the port and IP address level?   N/A                                   11.4.7       Network Routing Control                DS5.10   Network security                  N/A          N/A          N/A                DS5.9, DS5.11
G.9.11         Is there a documented standard for the ports allowed through the network devices?   G.18 Network Security – Authorized Network Traffic   10.6.2.c     Security Of Network Services           DS5.7    Protection of security technology   N/A          N/A          N/A                DS5.7, DS5.9, DS5.11
G.9.12         Do production servers share IP subnet ranges with other networks?                       N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A            N/A
G.9.13         Are critical network segments isolated?                                                 G.17 Network Security – Firewall(s)   11.4.5       Segregation In Networks                DS5.10   Network security                  N/A          N/A          IS.2.B.2.3     DS5.9, DS5.11
G.9.14         Is a solution present to prevent unauthorized devices from physically connecting to the internal network?   N/A                                   11.4.3       Equipment Identification In Networks   DS5.7    Protection of security technology   N/A          N/A          AUDIT.2.D.1.17     DS5.7, DS5.9, DS5.11, DS9.2
G.9.15         Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?   N/A                                   11.4.7       Network Routing Control                DS5.10   Network security                  N/A          N/A          IS.1.4.1.2.2       DS5.9, DS5.11
G.9.16         Is there an approval process to allow the implementation of extranet connections?   N/A                                   11.4.1.b     Policy On Use Of Network Services      DS5.3    Identity management               N/A          N/A          N/A                DS5.9, DS5.11
G.9.17         Are insecure protocols (e.g., telnet) used to access network devices?                G.2 Network Management – Encrypted Authentication Credentials   11.4.1.d     Policy on use of network services      DS5.3    Identity management               N/A          N/A          N/A                DS5.9, DS5.11
G.9.18         Is access to diagnostic or maintenance ports on network devices restricted?          G.3 Externally Facing Open Administrative Ports   11.4.4       Remote Diagnostic And Configuration Port Protection   DS5.7    Protection of security technology   N/A          N/A          IS.2.B.4           DS5.7, DS5.9, DS5.11
G.9.19           Are there Extranet connections into the environment?                                  N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.1         Who owns the network devices and termination points in existing extranets:            N/A                                   11.4.7       Network Routing Control                DS5.10   Network security                  N/A          N/A          N/A                DS5.9, DS5.11
G.9.19.1.1       Company?                                                                              N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.1.2       Third party?                                                                          N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.1.3       Mixed environment?                                                                    N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A

G.9.19.2         Who manages the network devices and termination points in existing extranets:         N/A                                   11.4.7       Network Routing Control                DS5.10   Network security                  N/A          N/A          N/A                DS5.9, DS5.11
G.9.19.2.1       Company?                                                                              N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.2.2       Third party?                                                                          N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.2.3       Mixed environment?                                                                    N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.3       Are non-company owned network devices segregated from the network via firewall?     N/A                                   11.4.7       Network Routing Control                DS5.10   Network security                  N/A          N/A          N/A                DS5.9, DS5.11
G.9.19.4       Do Internet-facing network devices block traffic that would allow for configuration changes from external sources?   G.3 Externally Facing Open Administrative Ports   11.4.4       Remote Diagnostic And Configuration Port Protection   DS5.7    Protection of security technology   N/A          N/A          N/A                DS5.7, DS5.9, DS5.11
G.9.19.5       Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources?   N/A                                   11.4.4       Remote Diagnostic And Configuration Port Protection   DS5.7    Protection of security technology   N/A          N/A          N/A                DS5.7, DS5.9, DS5.11
G.9.19.6       Is there a separate network segment or endpoints for remote access?                 N/A                                   11.7.1       Mobile Computing And Communications    PO6.2    Enterprise IT risk and internal control framework   N/A          N/A          N/A                PO6.2, DS5.2, DS5.3, DS5.7

G.9.19.7       Are firewall rule sets and network access control lists reviewed:                  N/A                                   N/A                                                 N/A                                        N/A          N/A          AUDIT.2.D.1.14, E-BANK.1.4.1.3   N/A
G.9.19.7.1       Every three months or less?                                                           N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.7.2       Between three months and one year?                                                    N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.19.7.3       Never?                                                                                N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
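Several questions in this group (G.9.5 default deny, G.9.10 control at both port and IP level, G.9.11 a documented port standard, and G.9.19.7 how often rule sets are reviewed) are answered by the same piece of evidence: the firewall rule set itself. The following is an added example, not code from the Shared Assessments Program or from this mapping document, of a static review of such a rule set in Python. The rule syntax ("permit|deny proto src dst port" with "any" as a wildcard, evaluated first match top to bottom), the allowed-port standard, the 90-day review threshold and the sample rules are all assumptions made for the example. Beyond the SIG questions it also flags rules shadowed by an earlier, broader rule, a hygiene check a reviewer would normally run at the same time.

```python
"""Static review of a firewall rule set against SIG G.9.5, G.9.10, G.9.11 and G.9.19.7.

Added example; not part of the SIG, the AUP or this mapping document. The
rule syntax, port standard, review threshold and sample rules are constructed.
"""
import ipaddress
from datetime import date

# The organisation's documented port standard (G.9.11), constructed here.
ALLOWED_PORTS = {"tcp": {22, 80, 443}, "udp": {53}}

# Assumed threshold: a review older than this is reported (first G.9.19.7 bucket).
REVIEW_LIMIT_DAYS = 90


def parse_rule(text):
    """Parse "<permit|deny> <proto> <src> <dst> <port>"; "any" is a wildcard."""
    action, proto, src, dst, port = text.split()
    return {
        "action": action,
        "proto": proto,  # "tcp", "udp" or "ip" (any protocol)
        "src": ipaddress.ip_network("0.0.0.0/0" if src == "any" else src),
        "dst": ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst),
        "port": None if port == "any" else int(port),
        "text": text,
    }


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and outer["proto"] in ("ip", inner["proto"])
            and outer["port"] in (None, inner["port"]))


def review_bucket(last_review, today):
    """Map the age of the last rule-set review to the SIG G.9.19.7 answer."""
    if last_review is None:
        return "G.9.19.7.3"  # never reviewed
    age = (today - last_review).days
    if age <= REVIEW_LIMIT_DAYS:
        return "G.9.19.7.1"  # three months or less
    return "G.9.19.7.2" if age <= 365 else "over one year"


def review_ruleset(rules, last_review, today):
    """Return (code, message) findings for an ordered list of parsed rules."""
    findings = []
    everything = parse_rule("deny ip any any any")
    if not rules or rules[-1]["action"] != "deny" or not covers(rules[-1], everything):
        findings.append(("G.9.5", "rule set does not end with an explicit deny ip any any any"))
    for i, rule in enumerate(rules):
        shadow = next((e for e in rules[:i] if covers(e, rule)), None)
        if shadow is not None:
            findings.append(("hygiene", f"never matches, shadowed by '{shadow['text']}': {rule['text']}"))
            continue
        if rule["action"] != "permit":
            continue
        wide_ip = rule["src"].prefixlen == 0 and rule["dst"].prefixlen == 0
        if rule["port"] is None or wide_ip:
            findings.append(("G.9.10", f"permit not constrained by both IP and port: {rule['text']}"))
        if rule["port"] is not None and rule["port"] not in ALLOWED_PORTS.get(rule["proto"], set()):
            findings.append(("G.9.11", f"port {rule['port']}/{rule['proto']} is outside the documented standard: {rule['text']}"))
    bucket = review_bucket(last_review, today)
    if bucket != "G.9.19.7.1":
        findings.append(("G.9.19.7", f"last review {last_review}: answer is {bucket}"))
    return findings


# Constructed sample: one shadowed rule, one non-standard port, one permit
# with no port constraint, and review dates chosen for the example.
SAMPLE_RULES = [
    "permit tcp any 192.0.2.10/32 443",
    "permit tcp 10.0.0.0/8 192.0.2.20/32 22",
    "permit udp 10.0.0.0/8 192.0.2.53/32 53",
    "permit tcp 10.1.0.0/16 192.0.2.20/32 22",
    "permit tcp 10.0.0.0/8 192.0.2.30/32 3389",
    "permit ip 10.0.0.0/8 any any",
    "deny ip any any any",
]
SAMPLE_LAST_REVIEW = date(2008, 10, 1)
SAMPLE_TODAY = date(2009, 3, 1)

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in SAMPLE_RULES]
    for code, msg in review_ruleset(parsed, SAMPLE_LAST_REVIEW, SAMPLE_TODAY):
        print(f"[{code}] {msg}")
```

The `covers` test is deliberately conservative: it only reports a rule as shadowed when a single earlier rule matches everything the later one does, so a rule hidden by the union of several earlier rules is not flagged. That keeps the output free of false positives at the cost of missing some dead rules, which is the right trade-off when the findings go to a vendor as assessment evidence.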
G.9.20         Is there a DMZ environment within the network that transmits, processes or stores Target Data?   N/A                                   N/A                                                 N/A                                        N/A          N/A          IS.2.B.5           N/A
G.9.20.1       Are the IP addresses associated with DMZ devices Internet routable?                 N/A                                   N/A                                                 DS5.10   Network security                  N/A          N/A          N/A                N/A
G.9.20.2       Is the network on which Internet-facing systems reside segregated from the internal network, i.e., DMZ?   N/A                                   11.4.5       Segregation In Networks                DS5.10   Network security                  N/A          N/A          N/A                DS5.9, DS5.11

G.9.20.3         Is the DMZ limited to only those servers that require access from the Internet?       N/A                                   11.4.5       Segregation In Networks                N/A                                        N/A          N/A          N/A                DS5.9, DS5.11
G.9.20.4       Is an administrative relay or intermediary system present to initiate any interactive OS level access into DMZ?   N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.20.5       Is the DMZ segregated by two physically separate firewalls?                         N/A                                   N/A                                                 DS5.5    Security testing, surveillance and monitoring   N/A          N/A          N/A                N/A
G.9.20.6       Are the logs for DMZ monitoring tools and devices stored on the internal network?   N/A                                   10.10.3      Protection Of Log Information          N/A                                        1.4          1.4          N/A                DS5.5, DS5.7
G.9.20.7         Are there separate DMZ segments for devices that:                                     N/A                                   N/A                                                 DS5.10   Network security                  N/A          N/A          N/A                N/A
G.9.20.7.1       Only accept traffic initiated from the Internet?                                      N/A                                   11.4.5       Segregation In Networks                DS5.10   Network security                  N/A          N/A          N/A                DS5.9, DS5.11
G.9.20.7.2       Only initiate outbound traffic to the Internet?                                       N/A                                   11.4.5       Segregation In Networks                DS5.10   Network security                  3.1, 1.3.5   3.1, 1.3.5   N/A                DS5.9, DS5.11
G.9.20.7.3     Accept and initiate connections to / from the Internet?                             N/A                                   11.4.5       Segregation In Networks                DS5.5    Security testing, surveillance and monitoring   N/A          N/A          N/A                DS5.9, DS5.11
G.9.20.8       Are systems that manage and monitor the DMZ located in a separate network?          N/A                                   10.10.3      Protection Of Log Information          DS5.5    Security testing, surveillance and monitoring   N/A          N/A          N/A                DS5.5, DS5.7
G.9.21         Is there a Network Intrusion Detection/Prevention System?                           G.19 Network Security – IDS/IPS Attributes   10.10.3      Protection Of Log Information          DS5.7    Protection of security technology   N/A          N/A          IS.1.4.1.2.2, IS.1.4.1.7, IS.1.7.7, IS.2.M.9.1, E-BANK.1.4.2.7   DS5.5, DS5.7
G.9.21.1       Is there a network Intrusion Detection system?                                      N/A                                   10.6.2       Security Of Network Services           N/A                                        1.4, 12.9.5   1.4, 12.9.5   IS.2.C.8           DS5.7, DS5.9, DS5.11
G.9.21.1.1       If so, is it in place on the following network segments:                              N/A                                   N/A                                                 N/A                                        N/A          N/A          IS.2.B.9.7         N/A
G.9.21.1.1.1     Internet point-of-presence?                                                           N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.21.1.1.2     DMZ?                                                                                  N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.21.1.1.3     Extranet?                                                                             N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
G.9.21.1.1.4     Internal production network?                                                          N/A                                   N/A                                                 N/A                                        N/A          N/A          N/A                N/A
                                                                                                                                                                                                          Security testing, surveillance
G.9.21.1.1.5     Network segment hosting Target Data?                                                  N/A                                   N/A                                                 DS5.5    and monitoring                    N/A          N/A          N/A                N/A

                 Is the IDS configured to generate alerts when incidents and values exceed                                                                                                                Malicious software prevention,                                                 DS 5.5, ME1.2, ME2.2,
G.9.21.1.2       normal thresholds?                                                                    N/A                                   10.10.2.c.4 Monitoring System Use                   DS5.9    detection and correction          N/A          N/A          N/A                ME2.5, ME4.7
                                                                                                       G.1 Network Security – IDS/IPS
G.9.21.1.3       Is there a process to regularly update signatures based on new threats?               Signature Updates                     10.4.1.d     Controls Against Malicious Code        PO4.11   Segregation of duties             N/A          N/A          N/A                DS5.9




The Shared Assessments Program                                                                                                                     Page 33 of 191                                                                                                                SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                   AUP 5.0 Relevance                                ISO 27002:2005 Relevance                        COBIT 4.0 Relevance               PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance
                                                                                                                                                                                                    Security testing, surveillance
G.9.21.1.4     Is the system monitored 24x7x365?                                                   N/A                                 10.6.1.d     Network Controls                       DS5.5    and monitoring                    N/A       N/A       E-BANK.1.4.3.6 PO4.1, DS5.9, DS5.11

                                                                                                                                                                                                    Enterprise IT risk and internal                                          DS 5.5, ME1.2, ME2.2,
G.9.21.1.5     In the event of a NIDS functionality failure, is an alert generated?                N/A                                 10.10.2.d    Monitoring System Use                  PO6.2    control framework                 N/A       N/A       N/A                ME2.5, ME4.7
                                                                                                                                                    Policy On The Use Of Cryptographic
G.9.21.1.6     Does NIDS inspect encrypted traffic?                                                N/A                                 12.3.1.g     Controls                               N/A                                        N/A       N/A       N/A                PO6, AI2, DS5
                                                                                                                                                                                                    Protection of security
G.9.21.1.7     Does NIDS events feed into the Incident Management process?                       N/A                                   N/A                                                 DS5.7    technology                        N/A       N/A       N/A                N/A
               Is a host-based intrusion detection system employed in the production application                                                                                                    Protection of security
G.9.21.1.8     environment?                                                                      N/A                                   10.6.2       Security Of Network Services           DS5.7    technology                        N/A       N/A       IS.2.C.8           DS5.7, DS5.9, DS5.11
                                                                                                                                                                                                    Protection of security
G.9.21.2       Is there a Network Intrusion Prevention System?                                     N/A                                 10.6.2       Security Of Network Services           DS5.7    technology                        N/A       N/A       N/A                DS5.7, DS5.9, DS5.11

G.9.21.2.1     If so, is it in place on the following network segments:                            N/A                                 10.6.2       Security Of Network Services           N/A                                        N/A       N/A       N/A                DS5.7, DS5.9, DS5.11
G.9.21.2.1.1   Internet point-of-presence?                                                         N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
G.9.21.2.1.2   DMZ?                                                                                N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
G.9.21.2.1.3   Extranet?                                                                           N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
G.9.21.2.1.4   Internal production network?                                                        N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
                                                                                                                                                                                                    Security testing, surveillance
G.9.21.2.1.5   Network segment hosting Target Data?                                                N/A                                 N/A                                                 DS5.5    and monitoring                    N/A       N/A       N/A                N/A

               Is the IPS configured to generate alerts when incidents and values exceed                                                                                                            Malicious software prevention,                                           DS 5.5, ME1.2, ME2.2,
G.9.21.2.2     normal thresholds?                                                                  N/A                                 10.10.2.c.4 Monitoring System Use                   DS5.9    detection and correction          N/A       N/A       N/A                ME2.5, ME4.7
                                                                                                   G.1 Network Security – IDS/IPS                                                                   Security testing, surveillance
G.9.21.2.3     Is there a process to regularly update signatures based on new threats?             Signature Updates                   10.4.1.d     Controls Against Malicious Code        DS5.5    and monitoring                    N/A       N/A       N/A                DS5.9

                                                                                                                                                                                                                                                                             DS 5.5, ME1.2, ME2.2,
G.9.21.2.4     In the event of a NIPS functionality failure, is an alert generated?                N/A                                 10.10.2.d    Monitoring System Use                  PO4.11   Segregation of duties             N/A       N/A       N/A                ME2.5, ME4.7

G.10           Is wireless networking technology used?                                             G.15 Unapproved Wireless Networks   10.6.1.c     Network Controls                       PO2.3    Data classification scheme        N/A       N/A       N/A                PO4.1, DS5.9, DS5.11
                                                                                                                                                    Information Exchange Policies And               Technological direction
G.10.1         Is there wireless networking policy?                                                N/A                                 10.8.1.e     Procedures                             PO3.1    planning                          N/A       N/A       N/A                PO2.3, PO6.2, DS11.1

                                                                                                                                                                                                                                                                             PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                             PO6.3, PO9.4, DS5.2,
                                                                                                                                                    Review Of The Information Security              IT policy and control                                                    DS5.3, ME2.2, ME2.5,
G.10.1.1       Has it been approved by management?                                                 N/A                                 5.1.2        Policy                                 PO6.1    environment                       N/A       N/A       N/A                ME2.7, ME4.7
                                                                                                                                                                                                                                                                             PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                    IT policy and control                                                    PO6.5, DS5.2, DS5.3,
G.10.1.2       Has the policy been published?                                                      N/A                                 5.1.1        Information Security Policy Document   PO6.1    environment                       N/A       N/A       N/A                ME2.1
                                                                                                                                                                                                                                                                             PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                                    Technological direction                                                  PO6.5, DS5.2, DS5.3,
G.10.1.3       Has it been communicated to appropriate constituents?                               N/A                                 5.1.1        Information Security Policy Document   PO3.1    planning                          N/A       N/A       N/A                ME2.1

                                                                                                                                                                                                                                                                             PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                             PO6.3, PO9.4, DS5.2,
                                                                                                                                                    Review Of The Information Security                                                                                       DS5.3, ME2.2, ME2.5,
G.10.1.4       Is there an owner to maintain and review the policy?                                N/A                                 5.1.2        Policy                                 N/A                                        N/A       N/A       N/A                ME2.7, ME4.7
G.10.2         Is there an approval process to use wireless network devices?                       N/A                                 N/A                                                 DS5.10   Network security                  N/A       N/A       N/A                N/A
G.10.3         How are wireless access points deployed in the network:                             N/A                                 11.4.5       Segregation In Networks                N/A                                        1.3.8     1.3.8     N/A                DS5.9, DS5.11
G.10.3.1       Logically segregated from the network (VLAN)?                                       N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
G.10.3.2       Physically segregated?                                                              N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
G.10.3.3       Both?                                                                               N/A                                 N/A                                                 DS5.10   Network security                  N/A       N/A       N/A                N/A
G.10.4         Is this wireless network segment firewalled from the rest of the network?           N/A                                 11.4.5       Segregation In Networks                N/A                                        N/A       N/A       N/A                DS5.9, DS5.11
               Are two active network connections allowed at the same time and are they
G.10.5         routable? (e.g., bridged internet connections)?                                     N/A                                 N/A                                                 DS5.10   Network security                  N/A       N/A       N/A                N/A
                                                                                                                                                    User Authentication For External
G.10.6         Are wireless connections authenticated?                                             N/A                                 11.4.2       Connections                            DS5.10   Network security                  2.1       2.1       IS.2.A.13          DS5.9, DS5.11
                                                                                                                                                    User Authentication For External                Security testing, surveillance
G.10.6.1       Is authentication two factor?                                                       N/A                                 11.4.2       Connections                            DS5.5    and monitoring                    2.1       N/A       N/A                DS5.9, DS5.11

                                                                                                                                                                                                                                                                             DS 5.5, ME1.2, ME2.2,
G.10.7         Are logins via wireless connections logged?                                         N/A                                 10.10.2      Monitoring System Use                  PO4.11   Segregation of duties             2.1       2.1       N/A                ME2.5, ME4.7

G.10.8         Are wireless connections encrypted?                                                 G.16 Wireless Networks Encryption   10.6.1       Network Controls                       N/A                                        2.1       2.1       N/A                PO4.1, DS5.9, DS5.11
G.10.8.1       If so, what encryption methodology is used:                                         N/A                                 N/A                                                 N/A                                        2.1       2.1       N/A                N/A
G.10.8.1.1     WEP?                                                                                N/A                                 N/A                                                 N/A                                        2.1       2.1       N/A                N/A
G.10.8.1.2     WPA?                                                                                N/A                                 N/A                                                 N/A                                        2.1       2.1       N/A                N/A
G.10.8.1.3     WPA2?                                                                               N/A                                 N/A                                                 N/A                                        2.1       2.1       N/A                N/A
                                                                                                                                                                                                    Protection of security
G.10.8.1.4     Other (Please explain in the "Additional Information" column)?                      N/A                                 N/A                                                 DS5.7    technology                        N/A       N/A       N/A                N/A
                                                                                                                                                    Remote Diagnostic And Configuration
G.10.9         Are wireless access points SNMP community strings changed?                          N/A                                 11.4.4       Port Protection                        N/A                                        2.1       2.1       N/A                DS5.7, DS5.9, DS5.11
G.10.10        Is there regular scans for rogue wireless access points?                            N/A                                 N/A                                                 N/A                                        N/A       N/A       N/A                N/A
G.11           Are dial lines used (voice, facsimile, modem, etc.)?                                N/A                                 N/A                                                 PO2.3    Data classification scheme        N/A       N/A       N/A                N/A
               Are appropriate precautions taken when Target Data is verbally transmitted (e.g.,                                                    Information Exchange Policies And
G.11.1         phone calls)?                                                                       N/A                                 10.8.1.k     Procedures                             PO2.3    Data classification scheme        N/A       N/A       N/A                PO2.3, PO6.2, DS11.1
                                                                                                                                                    Information Exchange Policies And
G.11.2         The use of facsimile machines controlled?                                           N/A                                 10.8.1.m     Procedures                             N/A                                        N/A       N/A       N/A                PO2.3, PO6.2, DS11.1



The Shared Assessments Program                                                                                                               Page 34 of 191                                                                                                          SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                   AUP 5.0 Relevance                ISO 27002:2005 Relevance                        COBIT 4.0 Relevance               PCI 1.1   PCI 1.2   FFIEC           COBIT 4.1 Relevance
               Are any modems used or installed (dial modem, phone home, cable modem,
G.11.3         DSL, etc.)?                                                                         N/A                 N/A                                                 DS5.3    Identity management               N/A       N/A       N/A             N/A
               Is approval required prior to connecting any outbound or inbound modem lines,
               cable modem lines, and/or DSL phone lines to a desktop or other access point
G.11.3.1       directly connected to the company-managed network?                                  N/A                 11.4.1.b     Policy On Use Of Network Services      DS5.10   Network security                  N/A       N/A       IS.2.B.17.4     DS5.9, DS5.11
                                                                                                                                    User Authentication For External
G.11.3.2        Is a modem ever set to auto-answer?                                                N/A                 11.4.2       Connections                            DS5.10   Network security                  N/A       N/A       N/A             DS5.9, DS5.11
                                                                                                                                    User Authentication For External
G.11.3.2.1      If auto-answer is enabled, does it:                                                N/A                 11.4.2       Connections                            DS5.10   Network security                  N/A       N/A       N/A             DS5.9, DS5.11
                                                                                                                                    User Authentication For External
G.11.3.2.1.1    Utilize an authentication or encryption device?                                    N/A                 11.4.2       Connections                            DS5.3    Identity management               N/A       N/A       OPS.1.8.2.4     DS5.9, DS5.11
                                                                                                                                                                                    Enterprise IT risk and internal
G.11.3.2.1.2    Attach to a host physically and logically isolated from the network?               N/A                 11.4.1.d     Policy On Use Of Network Services      PO6.2    control framework                 N/A       N/A       N/A             DS5.9, DS5.11
G.11.3.2.1.3    Receive fax transmissions?                                                         N/A                 11.3.3.c     Clear Desk And Clear Screen Policy     DS5.10   Network security                  N/A       N/A       N/A             PO6.2, DS5.7
                                                                                                                                    User Authentication For External
G.11.3.2.1.4    Call back?                                                                         N/A                 11.4.2       Connections                            N/A                                        N/A       N/A       N/A             DS5.9, DS5.11
G.11.3.2.2      Are dial-up connections logged?                                                    N/A                 N/A                                                 N/A                                        N/A       N/A       N/A             N/A
G.11.3.2.2.1    If so, do these logs include caller identification?                                N/A                 N/A                                                 N/A                                        N/A       N/A       N/A             N/A
                Does the company regularly perform war-dialing on all analog lines to detect
G.11.4          unauthorized modems?                                                               N/A                 N/A                                                 PO2.3    Data classification scheme        N/A       N/A       N/A             N/A
                Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices,                                                                                                                                                            PO2.3, DS11.2,
G.12            etc)?                                                                              N/A                 10.7.1       Management Of Removable Media          PO2.3    Data classification scheme        N/A       N/A       N/A             DS11.3, DS11.4
                                                                                                                                    Information Exchange Policies And                                                                     IS.2.J.8
G.12.1          Is all Target Data encrypted while at rest?                                        N/A                 10.8.1.g     Procedures                             PO2.3    Data classification scheme        N/A       N/A       RPS.2.C.2.8     PO2.3, PO6.2, DS11.1
                                                                                                                                                                                                                                          IS.1.4.1.10
                                                                                                                                                                                                                                          IS.2.E.2
                Is there a policy that addresses the use and management of removable media?                                                                                         Technological direction                               IS.2.L.2.1      PO2.3, DS11.2,
G.12.2          (e.g., CDs, DVDs, tapes, disk drives, etc.)?                                       N/A                 10.7.1       Management Of Removable Media          PO3.1    planning                          N/A       N/A       IS.2.L.2.1      DS11.3, DS11.4

                                                                                                                                                                                                                                                          PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                          PO6.3, PO9.4, DS5.2,
                                                                                                                                    Review Of The Information Security              IT policy and control                                                 DS5.3, ME2.2, ME2.5,
G.12.2.1        Has it been approved by management?                                                N/A                 5.1.2        Policy                                 PO6.1    environment                       N/A       N/A       N/A             ME2.7, ME4.7
| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| G.12.2.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| G.12.2.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO3.1 Technological direction planning | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| G.12.2.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 Review Of The Information Security Policy | PO2.3 Data classification scheme | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| G.12.2.5 | Does the policy include the following: | N/A | 10.7.1 Management Of Removable Media | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, DS11.2, DS11.3, DS11.4 |
| G.12.2.5.1 | When no longer required, Target Data is made unrecoverable? | N/A | 10.7.1.a Management Of Removable Media | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, DS11.2, DS11.3, DS11.4 |
| G.12.2.5.2 | A procedure and documented audit log authorizing media removal? | N/A | 10.7.1.b Management Of Removable Media | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, DS11.2, DS11.3, DS11.4 |
| G.12.2.5.3 | A registration process for the use of removable media (e.g., USB drives)? | N/A | 10.7.1.e Management Of Removable Media | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, DS11.2, DS11.3, DS11.4 |
| G.12.2.5.4 | Controlling the use of USB ports on all computers? | N/A | 10.7.1.f Management Of Removable Media | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO2.3, DS11.2, DS11.3, DS11.4 |
| G.12.3 | Is sensitive data on removable media encrypted? | N/A | 12.3.1.c Policy On The Use Of Cryptographic Controls | DS11.3 Media library management system | N/A | N/A | N/A | PO6, AI2, DS5 |
| G.12.4 | Is there a process for the disposal of media? | N/A | 10.7.2 Disposal Of Media | DS11.3 Media library management system | N/A | #N/A | OPS.1.9.3, OPS.2.12.H.2 | DS11.3, DS11.4 |
| G.12.4.1 | Does the process define the approved method for the disposal of media? | N/A | 10.7.2 Disposal Of Media | N/A | 9.10 | 9.10 | N/A | DS11.3, DS11.4 |
| G.12.4.2 | Does the process address the following: | N/A | N/A | N/A | N/A | N/A | OPS.1.5.2.4 | N/A |
| G.12.4.2.1 | CDs? | N/A | N/A | N/A | 9.10.1 | 9.10.1 | N/A | N/A |
| G.12.4.2.2 | Paper documents? | N/A | N/A | N/A | 9.10.1 | 9.10.1 | N/A | N/A |
| G.12.4.2.3 | Hard drives? | N/A | N/A | N/A | 9.10.1 | 9.10.1 | N/A | N/A |
| G.12.4.2.4 | Diskettes? | N/A | N/A | N/A | 9.10.1 | 9.10.1 | N/A | N/A |
| G.12.4.2.5 | Tapes? | N/A | N/A | N/A | 9.10.1 | 9.10.1 | N/A | N/A |
| G.12.4.2.6 | Memory sticks? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.7 | DVDs? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.8 | Flash cards? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.9 | USB drives? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.10 | ZIP drives? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.11 | Handheld / Mobile devices? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.12 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | DS11.3 Media library management system | N/A | N/A | N/A | N/A |
| G.12.4.3 | Is the disposal/destruction of media logged in order to maintain an audit trail? | N/A | 10.7.2.e Disposal Of Media | DS11.4 Disposal | N/A | N/A | N/A | DS11.3, DS11.4 |
| G.12.5 | Is physical media that contains Target Data re-used when no longer required? | N/A | 9.2.6 Secure disposal or re-use of equipment | DS11.4 Disposal | N/A | N/A | N/A | DS11.4 |
| G.12.5.1 | Is all Target Data made unrecoverable (wiped or overwritten) prior to re-use? | N/A | 9.2.6 Secure disposal or re-use of equipment | DS11.3 Media library management system | N/A | N/A | N/A | DS11.4 |
| G.12.5.2 | Is physical media that contains Target Data destroyed when no longer required? | N/A | 10.7.2 Disposal Of Media | DS11.4 Disposal | N/A | N/A | N/A | DS11.3, DS11.4 |
| G.12.5.3 | Is media checked for Target Data or licensed software prior to disposal? | N/A | 9.2.6 Secure disposal or re-use of equipment | DS11.3 Media library management system | N/A | N/A | N/A | DS11.4 |
| G.12.5.4 | Is there a process for the destruction of media? | N/A | 10.7.2 Disposal Of Media | DS11.3 Media library management system | 9.10 | N/A | N/A | DS11.3, DS11.4 |
| G.12.5.4.1 | Does the process define the approved method for the destruction of media? | N/A | 10.7.2 Disposal Of Media | N/A | N/A | N/A | N/A | DS11.3, DS11.4 |
| G.12.5.5 | Does the process address the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.1 | CDs? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.2 | Paper documents? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.3 | Hard drives? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.4 | Diskettes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.5 | Tapes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.6 | Memory sticks? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.7 | DVDs? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.8 | Flash cards? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.9 | USB drives? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.10 | ZIP drives? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.11 | Handheld / Mobile devices? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.12 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | DS11.3 Media library management system | N/A | N/A | N/A | N/A |
| G.12.5.6 | Is the destruction of media logged in order to maintain an audit trail? | N/A | 10.7.2.e Disposal Of Media | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | DS11.3, DS11.4 |
| G.12.6 | Is there a process to address the reuse of media? | N/A | 10.7.3 Information Handling Procedures | PO3.1 Technological direction planning | N/A | N/A | N/A | PO6.2, DS11.6 |
| G.12.6.1 | Has it been approved by management? | N/A | 5.1.2 Review Of The Information Security Policy | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| G.12.6.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| G.12.6.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO3.1 Technological direction planning | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| G.12.6.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 Review Of The Information Security Policy | N/A | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| G.12.6.5 | Is an inventory of removable media conducted: | N/A | N/A | N/A | N/A | #N/A | IS.1.4.1.10 | N/A |
| G.12.6.5.1 | Every three months or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.6.5.2 | Between three months and one year? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.6.5.3 | Greater than one year? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.12.6.5.4 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13 | Is data sent or received (physical or electronic)? | N/A | N/A | PO2.3 Data classification scheme | N/A | N/A | N/A | N/A |
| G.13.1 | Is Target Data transmitted electronically? | N/A | N/A | PO2.3 Data classification scheme | N/A | N/A | N/A | N/A |
| G.13.1.1 | Is all Target Data encrypted while in transit? | N/A | 10.8.1.g Information Exchange Policies And Procedures | N/A | 4.1 | 4.1 | IS.2.B.15, IS.2.J.8, E-BANK.1.5.2.2, RPS.1.3.2.1, RPS.2.C.4 | PO2.3, PO6.2, DS11.1 |
| G.13.1.2 | Are there policy(s) or procedure(s) for information exchange? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.2.1 | Do the policies or procedures include the following: | N/A | N/A | PO2.3 Data classification scheme | N/A | N/A | N/A | N/A |
| G.13.1.2.1.1 | Detection and protection against malicious code? | N/A | 10.8.1.b Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | IS.2.B.19, E-BANK.1.4.2.6 | PO2.3, PO6.2, DS11.1 |
| G.13.1.2.1.2 | Protecting Target Data in the form of an attachment? | N/A | 10.8.1.c Information Exchange Policies And Procedures | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.2.1.3 | Not leaving hard copy containing Target Data on printing or facsimile facilities? | N/A | 10.8.1.i Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.2.1.4 | Requiring that media with Target Data be locked away when not required? | N/A | 11.3.3.a Clear Desk And Clear Screen Policy | PO2.3 Data classification scheme | N/A | N/A | N/A | PO6.2, DS5.7 |
| G.13.1.3 | Is there a policy or procedure to protect data for the following transmissions: | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | 8.4 | 8.4 | IS.2.L.1.3 | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.1 | Electronic file transfer? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.2 | Transporting on removable electronic media? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.3 | Email? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.4 | Fax? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.5 | Paper documents? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.6 | Peer-to-peer? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.7 | Instant Messaging? | N/A | 10.8.1 Information Exchange Policies And Procedures | N/A | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.3.8 | File sharing? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.4 | Do file transfer requests undergo a review and approval process? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5 | For incoming file transfers, when is data removed from the DMZ: | N/A | 15.1.3 Protection Of Organizational Records | N/A | N/A | N/A | N/A | PO4.8, DS11.2 |
| G.13.1.5.1 | Immediately upon receipt? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.2 | Hourly via scheduled process? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.3 | Daily via scheduled process? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.4 | Weekly via scheduled process? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.5 | Manually by recipient? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.6 | Never? | N/A | N/A | PO2.3 Data classification scheme | N/A | N/A | N/A | N/A |
| G.13.1.6 | Is all Target Data encrypted outside of company owned facilities? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1 | Are transmissions of Target Data encrypted using: | N/A | 10.8.1.g Information Exchange Policies And Procedures | N/A | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| G.13.1.6.1.1 | The Internet? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.2 | Dedicated line to external parties? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.3 | The DMZ? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.4 | Between the DMZ and internal network? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.5 | The internal network? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.2 | Are transmissions of Target Data encrypted end-to-end within the network? | N/A | N/A | PO2.3 Data classification scheme | 4.1 | 4.1 | N/A | N/A |
| G.13.1.7 | Is a mutual authentication protocol utilized between the network and a third party to validate the integrity and origin of the data? | N/A | N/A | PO2.3 Data classification scheme | N/A | N/A | N/A | N/A |
                 Does the file transfer software send notification to the sender upon completion of                           10.8.2.a &                                                                                                                        PO2.3, PO3.4, AI5.2,
G.13.1.8         the transmission?                                                                        N/A                 10.8.2.b   Exchange Agreements                      N/A                                       N/A       N/A       N/A             DS2.3
                 Does the file transfer software send notification to the sender upon failure of the                          10.8.2.a &                                                                                                                        PO2.3, PO3.4, AI5.2,
G.13.1.9         transmission?                                                                            N/A                 10.8.2.b   Exchange Agreements                      N/A                                       N/A       N/A       N/A             DS2.3
                 In the event of transmission failure, does the file transfer software attempt to retry
G.13.1.10        the transmission?                                                                        N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11        Are file transfers logged?                                                               N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1      If so, do the logs include the following:                                                N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.1    Connection attempted?                                                                    N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.2    Connection established?                                                                  N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.3    File exchange commenced?                                                                 N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.4    File exchange error occurred?                                                            N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.5    File exchange accomplished?                                                              N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.6    Connection terminated?                                                                   N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.1.11.1.7    Authentication attempted?                                                                N/A                 N/A                                                 DS5.11   Exchange of sensitive data       N/A       N/A       N/A             N/A
G.13.1.11.1.8    Security events?                                                                         N/A                 N/A                                                 DS5.11   Exchange of sensitive data       N/A       N/A       N/A             N/A
G.13.2           Is data sent or received via physical media?                                             N/A                 10.8.3       Physical Media In Transit              DS5.11   Exchange of sensitive data       N/A       N/A       N/A             DS11.6
                 Are transport containers for physical media sufficient to protect the contents from                                                                                                                                            RPS.2.E.1.4
G.13.2.1         any physical damage likely during transit?                                               N/A                 10.8.3.b     Physical Media In Transit              PO2.3    Data classification scheme       N/A       N/A       RPS.2.L.4       DS11.6
                 Are transport containers for physical media locked or have tamper evident                                                                                                                                                      RPS.2.E.1.4
G.13.2.2         packaging during transit?                                                                N/A                 10.8.3.c     Physical Media In Transit              N/A                                       N/A       N/A       RPS.2.L.4       DS11.6
                                                                                                                                                                                                                                                                PO2.3, PO3.4, AI5.2,
G.13.2.3         Is the location of physical media tracked?                                               N/A                 10.8.2.c     Exchange Agreements                    PO2.3    Data classification scheme       N/A       N/A       N/A             DS2.3
G.13.2.3.1       Are the following tracking elements recorded:                                            N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
                                                                                                                                                                                                                                                                PO2.3, PO3.4, AI5.2,
G.13.2.3.1.1     Unique media tracking identifier?                                                        N/A                 10.8.2.h     Exchange Agreements                    PO2.3    Data classification scheme       N/A       N/A       N/A             DS2.3
G.13.2.3.1.2     Date media was shipped or received?                                                      N/A                 N/A                                                 PO2.3    Data classification scheme       N/A       N/A       N/A             N/A
                                                                                                                                                                                                                                                                PO2.3, PO3.4, AI5.2,
G.13.2.3.1.3     Transport company name?                                                                  N/A                 10.8.2.f     Exchange Agreements                    N/A                                       N/A       N/A       N/A             DS2.3
                                                                                                                                                                                                                                                                PO2.3, PO3.4, AI5.2,
G.13.2.3.1.4     Name/signature of transport company employee?                                            N/A                 10.8.2.f   Exchange Agreements                      N/A                                       N/A       N/A       N/A             DS2.3
G.13.2.3.1.5     Destination of media?                                                                    N/A                 N/A                                                 PO2.3    Data classification scheme       N/A       N/A       N/A             N/A
G.13.2.3.1.6     Source of media?                                                                         N/A                 N/A                                                 PO2.3    Data classification scheme       N/A       N/A       N/A             N/A
                                                                                                                              10.8.2.a &                                                                                                                        PO2.3, PO3.4, AI5.2,
G.13.2.3.1.7     Delivery confirmation?                                                                   N/A                 10.8.2.b   Exchange Agreements                      N/A                                       N/A       N/A       N/A             DS2.3
                                                                                                                                                                                                                                                                PO2.3, PO3.4, AI5.2,
G.13.2.4         Is the shipped media labeled?                                                            N/A                 10.8.2.h     Exchange Agreements                    N/A                                       N/A       N/A       N/A             DS2.3
G.13.2.4.1       Does the label include any of the following:                                             N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.2.4.1.1     Unique Identifier?                                                                       N/A                 N/A                                                 DS5.11   Exchange of sensitive data       N/A       N/A       N/A             N/A
                                                                                                                                                                                           Cryptographic key
G.13.2.4.1.2     Company name?                                                                            N/A                 N/A                                                 DS5.8    management                       N/A       N/A       N/A             N/A
G.13.2.5         Is a bonded courier used to transport physical media?                                    N/A                 10.8.3.b     Physical Media In Transit              PO2.3    Data classification scheme       N/A       N/A       N/A             DS11.6
G.13.3           Is Instant Messaging used?                                                               N/A                 10.8.4       Electronic Messaging                   N/A                                       N/A       N/A       N/A             DS5.8, DS11.6
                 Is there a policy that prohibits the exchange of Target Data or confidential                                              Information Exchange Policies And
G.13.3.1         information through Instant Messaging?                                                   N/A                 10.8.1       Procedures                             PO2.3    Data classification scheme       N/A       N/A       N/A             PO2.3, PO6.2, DS11.1
                 Do Instant Messaging solutions undergo a security review and approval process
G.13.3.2         prior to implementation?                                                                 N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
                                                                                                                                           Information Exchange Policies And
G.13.3.3         Are all Instant Messaging transmissions encrypted?                                       N/A                 10.8.1.g     Procedures                             N/A                                       N/A       N/A       N/A             PO2.3, PO6.2, DS11.1
G.13.3.4         Is there an internal instant messaging solution?                                         N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.3.4.1       Are the following functions permitted using internal instant messaging:                  N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.3.4.1.1     File transfer?                                                                           N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.3.4.1.2     Video conferencing?                                                                      N/A                 N/A                                                 PO2.3    Data classification scheme       N/A       N/A       N/A             N/A
                                                                                                                                                                                           Security testing, surveillance
G.13.3.4.1.3     Desktop sharing?                                                                         N/A                 N/A                                                 DS5.5    and monitoring                   N/A       N/A       N/A             N/A
                                                                                                                                           Information Exchange Policies And
G.13.3.4.2       Are messages encrypted?                                                                  N/A                 10.8.1.g     Procedures                             N/A                                       N/A       N/A       N/A             PO2.3, PO6.2, DS11.1

                                                                                                                                                                                                                                                                DS 5.5, ME1.2, ME2.2,
G.13.3.4.3       Are messages logged and monitored?                                                       N/A                 10.10.2.a    Monitoring System Use                  N/A                                       N/A       N/A       N/A             ME2.5, ME4.7
G.13.3.5         Is there external instant messaging solution?                                            N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.3.5.1       Are any of the following permitted using external instant messaging:                     N/A                 N/A                                                 N/A                                       N/A       N/A       N/A             N/A
G.13.3.5.1.1 | File transfer? | N/A | N/A | DS5.8 Cryptographic key management | N/A | N/A | N/A | N/A
G.13.3.5.1.2 | Video conferencing? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.13.3.5.1.3 | Personal communications? | N/A | 10.8.4.e Electronic Messaging | PO2.3 Data classification scheme | N/A | N/A | N/A | DS5.8, DS11.6
G.13.3.5.2 | Desktop sharing? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A
G.13.3.5.3 | Are messages encrypted? | N/A | 10.8.1.g Information Exchange Policies And Procedures | DS5.8 Cryptographic key management | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1
G.13.3.5.4 | Are messages logged and monitored? | N/A | 10.10.2.a Monitoring System Use | PO2.3 Data classification scheme | N/A | N/A | N/A | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.13.4 | Is e-mail used? | N/A | 10.8.4 Electronic Messaging | PO2.3 Data classification scheme | N/A | N/A | N/A | DS5.8, DS11.6
G.13.4.1 | Is there a policy to protect Target Data when transmitted through email? | N/A | 10.8.1 Information Exchange Policies And Procedures | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1
G.13.4.2 | Is automatic forwarding of email messages prohibited? | N/A | 10.8.1.j Information Exchange Policies And Procedures | N/A | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1
G.13.4.3 | Is Target Data transmitted through email encrypted? | N/A | 10.8.1.g Information Exchange Policies And Procedures | DS5.9 Malicious software prevention, detection and correction | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1
G.13.4.4 | Is email relaying disabled on all email servers for unauthorized systems? | G.12 Email Relaying | N/A | N/A | N/A | N/A | N/A | N/A
G.13.4.5 | Is there a content filtering solution that scans incoming/outgoing email for Target Data? | N/A | 10.4.1.d.2 Controls Against Malicious Code | N/A | N/A | N/A | N/A | DS5.9
G.13.4.5.1 | If so, does it filter for the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.1 | Content? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.2 | Spam? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.3 | Viruses / malware? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.4 | Attachment type? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A
G.13.5 | Are application servers used for processing or storing Target Data? | N/A | 10.8.5 Business Information Systems | N/A | N/A | N/A | N/A | DS11.6
G.13.5.1 | Do application servers processing Target Data require mutual authentication when communicating with other systems? | N/A | 11.6.1.c Information Access Restriction | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.4
G.13.5.2 | Do applications using IBM's MQSeries only use certificate-based mutual authentication? | N/A | N/A | PO4.11 Segregation of duties | N/A | N/A | N/A | N/A
G.13.5.3 | Are logs generated for security-relevant activities on network devices, operating systems, and applications? | N/A | 10.10.1 Audit Logging | N/A | N/A | N/A | N/A | AI2.3, DS5.7
G.13.5.3.1 | Are these logs analyzed in near real-time through an automatic process? | N/A | 10.6.1.d Network Controls | DS5.7 Protection of security technology | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11
G.13.5.4 | Do incidents and anomalous activity feed into the Incident Management process? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.13.6 | Do systems and network devices utilize a common time synchronization service? | N/A | 10.10.6 Clock Synchronization | DS5.7 Protection of security technology | N/A | N/A | IS.2.B.12 | DS5.7
G.13.6.1 | Are any of the following systems/devices synchronized from this central time source: | N/A | N/A | DS5.7 Protection of security technology | N/A | N/A | N/A | N/A
G.13.6.1.1 | UNIX/Linux systems? | N/A | 10.10.6 Clock Synchronization | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7
G.13.6.1.2 | Windows systems? | N/A | 10.10.6 Clock Synchronization | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7
G.13.6.1.3 | Routers? | N/A | 10.10.6 Clock Synchronization | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7
G.13.6.1.4 | Firewalls? | N/A | 10.10.6 Clock Synchronization | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7
G.13.6.1.5 | Mainframe computers? | N/A | 10.10.6 Clock Synchronization | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7
G.13.6.1.6 | OpenVMS systems? | N/A | 10.10.6 Clock Synchronization | N/A | N/A | N/A | N/A | DS5.7
G.13.6.2 | Are all systems and network devices synchronized from the same time source? | N/A | 10.10.6 Clock Synchronization | PO4.11 Segregation of duties | N/A | N/A | N/A | DS5.7
G.14 | Are UNIX or Linux operating systems used for storing or processing Target Data? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A
G.14.1 | Are UNIX hardening standards documented? | I.3 Secure System Hardening Standards | 10.6.1.e Network Controls | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | IS.1.4.1.3.1, IS.2.C.1, OPS.1.5.1.5, E-BANK.1.4.2.5 | PO4.1, DS5.9, DS5.11
G.14.1.1 | Are UNIX servers periodically monitored for continued compliance with security requirements? | N/A | 15.2.2 Technical Compliance Checking | AI4.4 Knowledge transfer to operations and support staff | N/A | N/A | IS.2.C.4 | DS5.5, DS5.7, ME2.5
G.14.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 Compliance With Security Policies And Standards | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | N/A | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.14.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 Security of system documentation | N/A | N/A | N/A | N/A | AI4.4, DS5.7, DS9.2, DS9.3, DS13.1


                                                                                                                                                                                                                                                                         PO4.8, PO6.2, ME2.1,
               Are UNIX servers periodically reviewed to ensure compliance with server build                                                    Compliance With Security Policies And                                                                                    ME2.2, ME2.3, ME2.4,
G.14.1.3       standards?                                                                            N/A                           15.2.1       Standards                             N/A                                         N/A       N/A       N/A                ME2.5, ME2.6, ME2.7
               Is there a process to document file system implementations that are different
G.14.1.4       from the standard build?                                                              N/A                           N/A                                               N/A                                          N/A       N/A       N/A                N/A
G.14.1.5       Do application accounts share home directories?                                       N/A                           N/A                                               N/A                                          N/A       N/A       N/A                N/A

G.14.1.6       Do application accounts share their primary group with non-application groups?        N/A                           N/A                                               N/A                                          N/A       N/A       N/A                N/A
G.14.1.7       Do application processes run under unique application accounts?                       N/A                           N/A                                               N/A                                          N/A       N/A       N/A                N/A
G.14.1.8       Do application processes run under GID 0?                                             N/A                           N/A                                               N/A                                          N/A       N/A       N/A                N/A



| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| G.14.1.9 | Do users own their user account's home directory? | N/A | N/A | PO2.3 Data classification scheme | N/A | N/A | N/A | N/A |
| G.14.1.10 | Is file sharing restricted by group privileges? | N/A | 10.8.5.c Business Information Systems | AI6.3 Emergency changes | N/A | N/A | N/A | DS11.6 |
| G.14.1.11 | Are user files assigned 777 privileges? | N/A | 7.2.1 Classification Guidelines | DS5.3 Identity management | N/A | N/A | N/A | PO2, AI2, DS9 |
| G.14.1.12 | Are root-level rights to access or modify crontabs required? | N/A | 11.5.4 Use Of System Utilities | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | AI6.3, DS5.7 |
| G.14.1.13 | Are users required to 'su' or 'sudo' into root? | N/A | 11.5.2 User Identification And Authentication | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | DS5.3 |
| G.14.1.14 | Is direct root logon permitted from a remote session? | N/A | 11.7.1 Mobile Computing And Communications | N/A | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| G.14.1.15 | Does remote SU/root access require dual-factor authentication? | N/A | 11.7.1 Mobile Computing And Communications | AI6.3 Emergency changes | N/A | N/A | IS.2.C.5 | PO6.2, DS5.2, DS5.3, DS5.7 |
| G.14.1.16 | Do search paths for a superuser contain the current working directory? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.17 | Is permission to edit service configuration files restricted to authorized personnel? | N/A | 11.5.4 Use Of System Utilities | N/A | N/A | N/A | N/A | AI6.3, DS5.7 |
| G.14.1.18 | Are distributed file systems implemented? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.19 | Are permissions for device special files restricted to the owner? | N/A | 10.8.5.g Business Information Systems | DS5.10 Network security | N/A | N/A | N/A | DS11.6 |
| G.14.1.20 | Is write access to account home directories restricted to owner and root? | N/A | 10.8.5.g Business Information Systems | AI6.3 Emergency changes | N/A | N/A | N/A | DS11.6 |
| G.14.1.21 | Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? | N/A | 11.4.2 User Authentication For External Connections | AI6.3 Emergency changes | N/A | N/A | IS.2.C.5 | DS5.9, DS5.11 |
| G.14.1.22 | Is access to modify startup and shutdown scripts restricted to root-level users? | N/A | 11.5.4 Use Of System Utilities | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI6.3, DS5.7 |
| G.14.1.23 | Are unnecessary services turned off? | N/A | 11.5.4.h Use Of System Utilities | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | IS.2.C.2 | AI6.3, DS5.7 |
| G.14.1.24 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 Monitoring System Use | AI2.3 Application control and auditability | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5 | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7 |
| G.14.1.24.1 | If so, is this process documented and maintained? | N/A | 10.10.2 Monitoring System Use | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7 |
| G.14.1.25 | Do operating system logs contain the following: | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | 10.10.1 Audit Logging | AI2.3 Application control and auditability | N/A | N/A | IS.2.A.7, IS.2.C.9, IS.2.M.9.2 | AI2.3, DS5.7 |
| G.14.1.25.1 | Successful logins? | N/A | 10.10.1.d Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.2 | Failed login attempts? | N/A | 10.10.1.d Audit Logging | AI2.3 Application control and auditability | N/A | N/A | AUDIT.2.D.1.18 | AI2.3, DS5.7 |
| G.14.1.25.3 | System configuration changes? | N/A | 10.10.1.f Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.4 | Administrative activity? | N/A | 10.10.1.g Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.5 | Disabling of audit logs? | N/A | 10.10.1.l Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.6 | Deletion of audit logs? | N/A | 10.10.1.l Audit Logging | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.7 | Changes to security settings? | N/A | 10.10.1.f Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.8 | Changes to access privileges? | N/A | 10.10.4.c Administrator And Operator Logs | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.5, DS5.7, ME2.2, ME2.5 |
| G.14.1.25.9 | User administration activity? | N/A | 10.10.1.g Audit Logging | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.10 | File permission changes? | N/A | 10.10.1.i Audit Logging | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.25.11 | Failed SU / sudo commands? | N/A | 10.10.4.c Administrator And Operator Logs | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | DS5.5, DS5.7, ME2.2, ME2.5 |
| G.14.1.25.12 | Successful su / sudo commands? | N/A | 10.10.4.c Administrator And Operator Logs | N/A | N/A | N/A | N/A | DS5.5, DS5.7, ME2.2, ME2.5 |
| G.14.1.26 | Operating system logs are retained for a minimum of: | G.9 Log Retention | 10.10.3 Protection Of Log Information | N/A | N/A | N/A | IS.2.C.9, OPS.2.12.B | DS5.5, DS5.7 |
| G.14.1.26.1 | One day or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.26.2 | Between one day and one week? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.26.3 | Between one week and one month? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.26.4 | Between one month and six months? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.26.5 | Between six months and one year? | N/A | N/A | AI2.3 Application control and auditability | 10.7 | 10.7 | N/A | N/A |
| G.14.1.26.6 | Greater than one year? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.27 | In the event of an operating system audit log failure, does the system: | N/A | 10.10.5 Fault Logging | N/A | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.27.1 | Generate an alert? | N/A | N/A | AI2.3 Application control and auditability | N/A | N/A | N/A | N/A |
| G.14.1.27.2 | Suspend processing? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A |
| G.14.1.28 | Do audit logs trace an event to a specific individual and/or user ID? | N/A | 10.10.1.a Audit Logging | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI2.3, DS5.7 |
| G.14.1.29 | Are audit logs stored on alternate systems? | N/A | 10.10.3 Protection Of Log Information | N/A | N/A | N/A | N/A | DS5.5, DS5.7 |
| G.14.1.30 | Are audit logs protected against modification, deletion, and/or inappropriate access? | N/A | 10.10.3 Protection Of Log Information | N/A | N/A | N/A | IS.2.M.6 | DS5.5, DS5.7 |
| G.14.1.30.1 | If so, are the following controls in place: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.30.1.1 | Access control lists? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.30.1.2 | Alternate storage location? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.30.1.3 | Limited administrative access? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |

| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| G.14.1.30.1.4 | Real-time replication? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.30.1.5 | Hashing? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.14.1.30.1.6 | Encryption? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.31 | Is the minimum password length: | H.1 Password Controls | 11.3.1.d Password Use | N/A | N/A | N/A | N/A | PO6.2, DS5.4 |
| G.14.1.31.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.31.2 | Six characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.31.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.31.4 | Eight characters? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.14.1.31.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.32 | Password composition requires: | H.1 Password Controls | 11.3.1.d Password Use | N/A | N/A | N/A | IS.2.A.4.4 | PO6.2, DS5.4 |
| G.14.1.32.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.32.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.32.3 | Number? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.14.1.32.4 | Special character? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.33 | Is the minimum password expiration: | N/A | 11.3.1.c Password Use | N/A | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.C.3 | PO6.2, DS5.4 |
| G.14.1.33.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.33.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.33.3 | 61 to 90 days? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A |
| G.14.1.33.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.34 | Password history contains: | N/A | 11.5.3.f Password Management System | N/A | N/A | N/A | N/A | DS5.4 |
| G.14.1.34.1 | Five or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.34.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.34.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.35 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.14.1.35.1 | One hour? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
G.14.1.35.2     One day?                                                                  N/A                           N/A                                                   PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A              N/A
G.14.1.35.3     More than one day?                                                        N/A                           N/A                                                   PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A              N/A
G.14.1.36       Are initial passwords required to be changed at first logon?              H.1 Password Controls         11.3.1.f     Password use                             DS5.3    Identity management                 N/A       N/A       N/A                PO6.2, DS5.4
G.14.1.37       Can a PIN or secret question be a stand-alone method of authentication?   N/A                           11.3.1.d     Password Use                             DS5.3    Identity management                 N/A       N/A       N/A                PO6.2, DS5.4
G.14.1.38       Are all passwords encrypted in transit?                                   N/A                           11.5.1.i     Secure Log-On Procedures                 DS5.3    Identity management                 N/A       N/A       IS.2.A.5.1         DS5.4, DS5.7
G.14.1.39       Are all passwords encrypted or hashed in storage?                         N/A                           11.5.3.i     Password Management System               DS5.3    Identity management                 N/A       N/A       IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.C.3   DS5.4
G.14.1.40       Are passwords displayed when entered into a system?                       N/A                           11.5.1.g     Secure Log-On Procedures                 DS5.3    Identity management                 N/A       N/A       N/A              DS5.4, DS5.7
G.14.1.41       Is password shadowing enabled?                                            N/A                           11.5.3.i     Password Management System               DS5.3    Identity management                 N/A       N/A       N/A              DS5.4
G.14.1.42       Are all user accounts uniquely assigned to a specific individual?         N/A                           11.5.2       User Identification And Authentication   N/A                                          N/A       N/A       E-BANK.1.4.6.1 DS5.3
G.14.1.43       Invalid attempts prior to lockout:                                        N/A                           11.5.1.e     Secure Log-On Procedures                 N/A                                          N/A       N/A       E-BANK.1.4.5.3 DS5.4, DS5.7
G.14.1.43.1     Two or less?                                                              N/A                           N/A                                                   N/A                                          N/A       N/A       N/A              N/A
G.14.1.43.2     Three to five?                                                            N/A                           N/A                                                   DS5.3    Identity management                 N/A       N/A       N/A              N/A
G.14.1.43.3     Six or more?                                                              N/A                           N/A                                                   N/A                                          N/A       N/A       N/A              N/A
G.14.1.44       Failed login attempt count resets to zero at a minimum of:                N/A                           11.5.1.e.2   Secure Log-On Procedures                 N/A                                          N/A       N/A       N/A              DS5.4, DS5.7
G.14.1.44.1     One hour or less?                                                         N/A                           N/A                                                   N/A                                          N/A       N/A       N/A              N/A
G.14.1.44.2     Never, i.e., administrator intervention required?                         N/A                           N/A                                                   PO4.11   Segregation of duties               N/A       N/A       N/A              N/A
G.15            Are Windows systems used for storing or processing Target Data?           N/A                           N/A                                                   DS5.5    Security testing, surveillance and monitoring        N/A       N/A       N/A              N/A
G.15.1          Are Windows hardening standards documented?                               I.3 Secure System Hardening Standards   10.6.1.e     Network Controls                         PO4.8    Responsibility for risk, security and compliance     N/A       N/A       IS.1.4.1.3.1, IS.2.C.1, OPS.1.5.1.5, E-BANK.1.4.2.5   PO4.1, DS5.9, DS5.11
G.15.1.1        Are Windows servers monitored for continued compliance to security requirements?   N/A                  15.2.2       Technical Compliance Checking            AI4.4    Knowledge transfer to operations and support staff   N/A       N/A       IS.2.C.4         DS5.5, DS5.7, ME2.5
G.15.1.1.1      Is non-compliance reported and resolved?                                  N/A                           15.2.1       Compliance With Security Policies And Standards   PO4.8    Responsibility for risk, security and compliance   N/A       N/A       N/A              PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.15.1.2        Is access to system documentation restricted?                             N/A                           10.7.4       Security of system documentation         AI3.3    Infrastructure maintenance          N/A       N/A       N/A              AI4.4, DS5.7, DS9.2, DS9.3, DS13.1
G.15.1.3        Are Windows servers reviewed to ensure compliance with server build standards?   N/A                     15.2.1       Compliance With Security Policies And Standards   N/A                                          N/A       N/A       N/A              PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.15.1.4        Are systems updated with the latest patches?                              I.4 System Patching           12.6.1.d     Control Of Technical Vulnerabilities     N/A                                          N/A       N/A       IS.2.C.3         AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2
G.15.1.5        Are file and directory permissions strictly applied to groups?            N/A                           10.8.5.c     Business Information Systems             PO2.1    Enterprise information architecture model   N/A       N/A       N/A              DS11.6
G.15.1.6        Are file partitions other than NTFS used on Windows systems?              N/A                           N/A                                                   DS5.3    Identity management                 N/A       N/A       N/A                N/A





G.15.1.7        Are user rights set to only allow access to those with a need to know?    N/A                           11.1.1.c     Access Control Policy             DS5.4   User account management           N/A       N/A       N/A              PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.15.1.8        Are guest accounts disabled?                                              N/A                           11.2.3.h     User Password Management          DS5.4   User account management           N/A       N/A       N/A              DS5.3
G.15.1.9        Are account options set to minimize unauthorized use, change of account content or status?   N/A        11.2.2.b     Privilege Management              N/A                                       N/A       N/A       N/A              DS5.4
G.15.1.10       Are device options set to minimize unauthorized access or use?            N/A                           11.2.2.b     Privilege Management              DS5.4   User account management           N/A       N/A       N/A              DS5.4
G.15.1.11       Are domain options set to use encryption, signing, and machine password change management?   N/A        N/A                                            N/A                                       N/A       N/A       N/A              N/A
G.15.1.12       Are interactive logon options configured to minimize unauthorized access or use?   N/A                  11.2.2.d     Privilege Management              N/A                                       N/A       N/A       N/A              DS5.4
G.15.1.13       Are Microsoft network client and server options set to use encryption and digital signing?   N/A        N/A                                            AI6.3   Emergency changes                 N/A       N/A       N/A              N/A
G.15.1.14       Is the system configured to restrict anonymous connections (e.g., RestrictAnonymous registry setting)?   N/A   N/A                                     AI6.3   Emergency changes                 N/A       N/A       N/A              N/A
G.15.1.15       Is the server shutdown right only available to system administrators?               N/A                                     11.5.4       Use Of System Utilities           AI6.3   Emergency changes                 N/A       N/A       N/A                AI6.3, DS5.7
G.15.1.16       Is the recovery console write only available to system administrators?              N/A                                     11.5.4       Use Of System Utilities           N/A                                       N/A       N/A       N/A                AI6.3, DS5.7
G.15.1.17       Are all unused services turned off?                                       N/A                           11.5.4.h     Use Of System Utilities           DS5.5   Security testing, surveillance and monitoring   N/A       N/A       IS.2.C.2         AI6.3, DS5.7
G.15.1.18       Are Windows servers required to join the corporate domain or Active Directory?   N/A                    N/A                                            DS5.5   Security testing, surveillance and monitoring   N/A       N/A       N/A              N/A
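The account-policy questions G.14.1.33 to G.14.1.44, the minimum-length bands of G.15.1.26, and the Windows hardening items G.15.1.8, G.15.1.11, G.15.1.13 and G.15.1.14 can all be answered from one artifact: the template that `secedit /export /cfg <file>` writes. The Python below is an added example and is not part of the SIG or the Shared Assessments Program. The template it parses is constructed, and the registry values it inspects beyond RestrictAnonymous (RestrictAnonymousSAM, the LanManServer and LanmanWorkstation RequireSecuritySignature values, and the Netlogon RequireSignOrSeal and DisablePasswordChange values) are my choice of evidence for those questions, not mappings taken from this document.

```python
"""Added example (not from the SIG or the Shared Assessments Program): map a
`secedit /export /cfg` template onto the SIG answer bands used above.
SAMPLE_INF is constructed and deliberately shows a weak configuration."""
import re

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
EnableGuestAccount = 1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymousSAM=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\RequireSecuritySignature=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireSignOrSeal=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange=4,0
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
SVC = "MACHINE\\System\\CurrentControlSet\\Services\\"


def parse_secedit(text):
    """INF sections -> {section: {key: value}}. A real export is UTF-16LE:
    read it with open(path, encoding="utf-16") before passing the text here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def reg_dword(sections, path):
    """[Registry Values] lines are 'path=type,data'; type 4 is REG_DWORD.
    Returns None when the template does not manage the value at all."""
    values = {k.lower(): v for k, v in sections.get("Registry Values", {}).items()}
    entry = values.get(path.lower())
    if entry is None:
        return None
    reg_type, _, data = entry.partition(",")
    return int(data) if reg_type == "4" else data


def band(value, bands):
    """bands: (inclusive upper bound, label) pairs; a bound of None is open-ended."""
    for bound, label in bands:
        if bound is None or value <= bound:
            return label


def classify(sections):
    sa = {k: int(v) for k, v in sections["System Access"].items()
          if re.fullmatch(r"-?\d+", v)}
    max_age = sa["MaximumPasswordAge"]     # -1 in the export means never expires
    if max_age <= 0:
        max_age = 10 ** 6                  # score "never" as the weakest band
    min_age = sa["MinimumPasswordAge"]     # whole days; 0 = may change immediately
    lockout = sa["LockoutBadCount"]        # 0 = lockout disabled
    result = {
        "G.14.1.33": band(max_age, [(30, "G.14.1.33.1"), (60, "G.14.1.33.2"),
                                    (90, "G.14.1.33.3"), (None, "G.14.1.33.4")]),
        "G.14.1.34": band(sa["PasswordHistorySize"],
                          [(5, "G.14.1.34.1"), (11, "G.14.1.34.2"), (None, "G.14.1.34.3")]),
        # Windows counts minimum age in days, so the one-hour band cannot occur
        "G.14.1.35": ("immediate: below G.14.1.35.1" if min_age == 0 else
                      "G.14.1.35.2" if min_age == 1 else "G.14.1.35.3"),
        "G.14.1.43": ("no lockout" if lockout == 0 else
                      band(lockout, [(2, "G.14.1.43.1"), (5, "G.14.1.43.2"), (None, "G.14.1.43.3")])),
        "G.15.1.26": band(sa["MinimumPasswordLength"],
                          [(5, "G.15.1.26.1"), (6, "G.15.1.26.2"), (7, "G.15.1.26.3"),
                           (None, "8 or more")]),
        "G.15.1.8": sa.get("EnableGuestAccount", 1) == 0,
        "G.15.1.11": reg_dword(sections, SVC + "Netlogon\\Parameters\\RequireSignOrSeal") == 1
                     and reg_dword(sections, SVC + "Netlogon\\Parameters\\DisablePasswordChange") == 0,
        "G.15.1.13": reg_dword(sections, SVC + "LanManServer\\Parameters\\RequireSecuritySignature") == 1
                     and reg_dword(sections, SVC + "LanmanWorkstation\\Parameters\\RequireSecuritySignature") == 1,
        "G.15.1.14": (reg_dword(sections, LSA + "RestrictAnonymous") or 0) >= 1
                     and reg_dword(sections, LSA + "RestrictAnonymousSAM") == 1,
    }
    if lockout:
        # ResetLockoutCount (minutes) is only exported while lockout is enabled
        window = sa["ResetLockoutCount"]
        result["G.14.1.44"] = "G.14.1.44.1" if window <= 60 else "over one hour"
        # a non-positive LockoutDuration keeps the account locked until an
        # administrator unlocks it, which is the G.14.1.44.2 condition
        result["G.14.1.44.2"] = sa["LockoutDuration"] <= 0
    return result


if __name__ == "__main__":
    for question, answer in sorted(classify(parse_secedit(SAMPLE_INF)).items()):
        print(f"{question:<12} {answer}")
```

Run `secedit /export /cfg C:\temp\policy.inf` as an administrator, read the file with `encoding="utf-16"`, and pass the text to `classify(parse_secedit(...))`; `net accounts` is a quick cross-check for the account-policy values. Two mismatches between Windows and the SIG bands matter when answering: the minimum password age is counted in whole days, so G.14.1.35.1 (one hour) can never be selected, and a MinimumPasswordAge of 0 lets a user cycle through the whole history in one sitting, which is weaker than any band on the page.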
G.15.1.19       Is there a process to regularly review logs using a specific methodology to uncover potential incidents?   N/A     10.10.2      Monitoring System Use             AI2.3   Application control and auditability   N/A       N/A       IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5   DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.15.1.19.1     If so, is this process documented and maintained?                         N/A                           10.10.2      Monitoring System Use             AI2.3   Application control and auditability   N/A       N/A       N/A              DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.15.1.20       Do operating system logs contain the following:                           G.7 Administrative Activity Logging, G.8 Log-on Activity Logging   10.10.1     Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       IS.2.A.7, IS.2.C.9, IS.2.M.9.2   AI2.3, DS5.7
G.15.1.20.1     Successful logins?                                                        N/A                           10.10.1.d    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.2     Failed login attempts?                                                    N/A                           10.10.1.d    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       AUDIT.2.D.1.18   AI2.3, DS5.7
G.15.1.20.3     System configuration changes?                                             N/A                           10.10.1.f    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.4     Administrative activity?                                                  N/A                           10.10.1.g    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.5     Disabling of audit logs?                                                  N/A                           10.10.1.l    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.6     Deletion of audit logs?                                                   N/A                           10.10.1.l    Audit Logging                     DS5.5   Security testing, surveillance and monitoring   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.7     Changes to security settings?                                             N/A                           10.10.1.f    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.8     Changes to access privileges?                                             N/A                           10.10.4.c    Administrator And Operator Logs   AI2.3   Application control and auditability   N/A       N/A       N/A              DS5.5, DS5.7, ME2.2, ME2.5
G.15.1.20.9     User administration activity?                                             N/A                           10.10.1.g    Audit Logging                     AI2.3   Application control and auditability   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.10    File permission changes?                                                  N/A                           10.10.1.i    Audit Logging                     DS5.5   Security testing, surveillance and monitoring   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.20.11    Windows / Active Directory policy changes?                                N/A                           10.10.1.f    Audit Logging                     N/A                                    N/A       N/A       N/A              AI2.3, DS5.7
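For the log-content items G.15.1.20.1 to G.15.1.20.11, the evidence on a Windows host is the audit policy, which `auditpol /get /category:* /r` prints as CSV. The Python below is an added example, not part of the SIG or the Shared Assessments Program: it reads that CSV (the sample is constructed, with the subcategory GUID column left blank) and reports which items the current policy cannot produce events for. The subcategory and Security event ID choices are mine; the page itself maps these questions only to ISO, COBIT and FFIEC references.

```python
"""Added example (not from the SIG or the Shared Assessments Program): check
which G.15.1.20.x log-content items a Windows audit policy can evidence,
from the CSV printed by `auditpol /get /category:* /r`. SAMPLE_CSV is
constructed; its Subcategory GUID column is left empty."""
import csv
import io

SAMPLE_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,,Success and Failure,
SRV01,System,Audit Policy Change,,Success,
SRV01,System,Authentication Policy Change,,No Auditing,
SRV01,System,Authorization Policy Change,,No Auditing,
SRV01,System,User Account Management,,Success,
SRV01,System,Security Group Management,,Success and Failure,
SRV01,System,File System,,No Auditing,
SRV01,System,Directory Service Changes,,No Auditing,
"""

# SIG item -> (auditpol subcategory, outcome that must be audited,
#              Security event IDs an assessor can sample as evidence).
# The subcategory and event ID choices are the example author's, not the SIG's.
REQUIREMENTS = {
    "G.15.1.20.1": ("Logon", "Success", (4624,)),
    "G.15.1.20.2": ("Logon", "Failure", (4625,)),
    # "Administrative activity" is broad; group membership changes are one
    # concrete slice of it, so this check is partial.
    "G.15.1.20.4": ("Security Group Management", "Success", (4728, 4732)),
    "G.15.1.20.5": ("Audit Policy Change", "Success", (4719,)),
    "G.15.1.20.7": ("Authentication Policy Change", "Success", (4713, 4716)),
    "G.15.1.20.8": ("Authorization Policy Change", "Success", (4704, 4705)),
    "G.15.1.20.9": ("User Account Management", "Success", (4720, 4722, 4725, 4726)),
    # 4670 is only written for objects that carry a SACL, so an enabled
    # subcategory is necessary but not sufficient for G.15.1.20.10.
    "G.15.1.20.10": ("File System", "Success", (4670,)),
    # Only meaningful on domain controllers.
    "G.15.1.20.11": ("Directory Service Changes", "Success", (5136, 5137)),
}
# Clearing the Security log writes event 1102 regardless of audit policy;
# whether that record survives depends on off-host log storage (G.15.1.24).
ALWAYS_LOGGED = {"G.15.1.20.6": (1102,)}
# G.15.1.20.3 (system configuration changes) spans several subcategories and
# object SACLs and is not scored here.


def parse_auditpol(text):
    """CSV from auditpol /r -> {subcategory: inclusion setting}."""
    rows = csv.DictReader(io.StringIO(text.lstrip()))   # tolerate a leading blank line
    return {r["Subcategory"].strip(): r["Inclusion Setting"].strip() for r in rows}


def audited(setting, outcome):
    """setting is 'Success and Failure', 'Success', 'Failure' or 'No Auditing'."""
    return outcome in setting.split(" and ")


def audit_gaps(policy):
    """Return {sig_item: explanation} for items the policy cannot evidence."""
    gaps = {}
    for item, (subcat, outcome, events) in REQUIREMENTS.items():
        setting = policy.get(subcat, "No Auditing")   # absent subcategory = not audited
        if not audited(setting, outcome):
            gaps[item] = (f"{subcat} is '{setting}'; {outcome} auditing is needed "
                          f"to produce events {events}")
    return gaps


if __name__ == "__main__":
    for item, why in sorted(audit_gaps(parse_auditpol(SAMPLE_CSV)).items()):
        print(item, why)
```

Run `auditpol /get /category:* /r > audit.csv` from an elevated prompt and pass the file contents to `audit_gaps(parse_auditpol(...))`; an empty result means the policy can produce the events, not that the events exist, so sample the Security log for the listed IDs as the second half of the evidence.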
G.15.1.21       Operating system logs are retained for a minimum of:                      G.9 Log Retention             10.10.3      Protection Of Log Information     N/A                                    N/A       N/A       IS.2.C.9, OPS.2.12.B   DS5.5, DS5.7
G.15.1.21.1     One day or less?                                                                    N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.21.2     Between one day and one week?                                                       N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.21.3     Between one week and one month?                                                     N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.21.4     Between one month and six months?                                                   N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.21.5     Between six months and one year?                                          N/A                           N/A                                            AI2.3   Application control and auditability   N/A       N/A       N/A              N/A
G.15.1.21.6     Greater than one year?                                                              N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.22       In the event of an operating system audit log failure, does the system:             N/A                                     10.10.5      Fault Logging                     N/A                                       N/A       N/A       N/A                AI2.3, DS5.7
G.15.1.22.1     Generate an alert?                                                        N/A                           N/A                                            AI2.3   Application control and auditability   N/A       N/A       N/A              N/A
G.15.1.22.2     Suspend processing?                                                       N/A                           N/A                                            DS5.5   Security testing, surveillance and monitoring   N/A       N/A       N/A              N/A
G.15.1.23       Do audit logs trace an event to a specific individual and/or user ID?     N/A                           10.10.1.a    Audit Logging                     DS5.5   Security testing, surveillance and monitoring   N/A       N/A       N/A              AI2.3, DS5.7
G.15.1.24       Are audit logs stored on alternate systems?                                         N/A                                     10.10.3      Protection Of Log Information     N/A                                       N/A       N/A       N/A                DS5.5, DS5.7
G.15.1.25       Are audit logs protected against modification, deletion, and/or inappropriate access?   N/A             10.10.3      Protection Of Log Information     N/A                                    N/A       N/A       IS.2.M.6         DS5.5, DS5.7
G.15.1.25.1     If so, are the following controls in place:                                         N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.25.1.1   Access control lists?                                                               N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.25.1.2   Alternate storage location?                                                         N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.25.1.3   Limited administrative access?                                                      N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.25.1.4   Real-time replication?                                                              N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.15.1.25.1.5   Hashing?                                                                  N/A                           N/A                                            PO6.2   Enterprise IT risk and internal control framework   N/A       N/A       N/A              N/A
G.15.1.25.1.6   Encryption?                                                                         N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
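The controls listed under G.15.1.25.1 are complementary rather than interchangeable. The following added example (written for this page; it is not Shared Assessments material and not code from any of the mapped standards) shows what the hashing control buys and where it stops: a keyed hash chain over constructed log lines detects in-place modification, deletion and reordering of records, but a chain by itself cannot tell that its tail has been cut off, which is what the alternate-storage and real-time-replication items cover. LOG_KEY, the sample lines and every function name are this example's own assumptions.

```python
"""Tamper-evident audit log for the controls under G.15.1.25: each record
carries an HMAC over the previous record's tag, its sequence number and its
own text, so modifying, deleting or reordering any record invalidates every
tag after it.  Added example, not part of the SIG mapping; the log lines are
constructed and LOG_KEY is a placeholder.
"""
import hashlib
import hmac
from typing import List, Tuple

# Placeholder key.  In a real deployment the key is held by the log collector
# (the "alternate system" of G.15.1.24), never by the host writing the log, so
# an attacker with root on the host cannot recompute the chain after editing it.
LOG_KEY = b"placeholder-key-held-by-the-log-collector"
GENESIS = "0" * 64   # tag assumed for the (empty) record before the first one

Record = Tuple[int, str, str]   # (sequence number, log line, hex tag)


def _tag(prev_tag: str, seq: int, line: str, key: bytes) -> str:
    msg = f"{prev_tag}\n{seq}\n{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain: List[Record], line: str, key: bytes = LOG_KEY) -> None:
    """Append one line, linking it to the tag of the last record."""
    seq = len(chain)
    prev_tag = chain[-1][2] if chain else GENESIS
    chain.append((seq, line, _tag(prev_tag, seq, line, key)))


def verify(chain: List[Record], key: bytes = LOG_KEY) -> Tuple[bool, int]:
    """(True, length) if the chain is intact, else (False, index of first bad record)."""
    prev_tag = GENESIS
    for i, (seq, line, tag) in enumerate(chain):
        if seq != i:   # a deleted or reordered record shows up as a gap
            return False, i
        if not hmac.compare_digest(_tag(prev_tag, seq, line, key), tag):
            return False, i
        prev_tag = tag
    return True, len(chain)


# Constructed sample lines in a syslog-like style; not from any real system.
SAMPLE_LINES = [
    "2008-11-03T09:12:01Z sshd: Accepted password for alice from 10.0.0.5",
    "2008-11-03T09:12:44Z sudo: alice : COMMAND=/usr/bin/vi /etc/sudoers",
    "2008-11-03T09:13:02Z sshd: Failed password for root from 10.0.0.9",
    "2008-11-03T09:13:05Z auditd: audit rules cleared by uid=0",
]


def build_sample_chain() -> List[Record]:
    chain: List[Record] = []
    for line in SAMPLE_LINES:
        append(chain, line)
    return chain


def demo_modification() -> Tuple[bool, int]:
    """Rewrite record 1 in place (hiding the sudoers edit) but keep its old tag."""
    chain = build_sample_chain()
    seq, _, tag = chain[1]
    chain[1] = (seq, "2008-11-03T09:12:44Z sudo: alice : COMMAND=/bin/ls", tag)
    return verify(chain)


def demo_deletion() -> Tuple[bool, int]:
    """Remove record 1 entirely; the sequence gap is caught at position 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify(chain)


def demo_truncation() -> Tuple[bool, int]:
    """Drop only the last record: what remains is a valid, shorter chain.  A hash
    chain alone cannot prove its tail is missing, which is why the questionnaire
    also asks about alternate storage and real-time replication (G.15.1.25.1.2,
    G.15.1.25.1.4): the collector must hold the last tag it received."""
    chain = build_sample_chain()
    del chain[-1]
    return verify(chain)
```

The keyed (HMAC) form matters: an unkeyed hash chain only protects against an attacker who cannot rewrite the whole chain, and an attacker with write access to the log file usually can. With the key kept off the logging host, the host can only append.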
G.15.1.26 | Is the minimum password length: | H.1 Password Controls | 11.3.1.d Password Use | N/A | N/A | N/A | N/A | PO6.2, DS5.4
G.15.1.26.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.26.2 | Six characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.26.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.26.4 | Eight characters? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A
G.15.1.26.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.27 | Password composition requires: | H.1 Password Controls | 11.3.1.d Password Use | N/A | N/A | N/A | IS.2.A.4.4 | PO6.2, DS5.4
G.15.1.27.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.27.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.27.3 | Number? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A
G.15.1.27.4 | Special character? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.28 | Is the minimum password expiration: | N/A | 11.3.1.c Password Use | N/A | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.C.3 | PO6.2, DS5.4
G.15.1.28.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.28.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.28.3 | 61 to 90 days? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A
G.15.1.28.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.29 | Password history contains: | N/A | 11.5.3.f Password Management System | N/A | N/A | N/A | N/A | DS5.4
G.15.1.29.1 | Five or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.29.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.29.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.30 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.30.1 | One hour? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.30.2 | One day? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A
G.15.1.30.3 | More than one day? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A
G.15.1.31 | Are initial passwords required to be changed at first logon? | H.1 Password Controls | 11.3.1.f Password Use | DS5.3 Identity management | N/A | N/A | N/A | PO6.2, DS5.4
G.15.1.32 | Can a PIN or secret question be a stand-alone method of authentication? | N/A | 11.3.1.d Password Use | DS5.3 Identity management | N/A | N/A | N/A | PO6.2, DS5.4
G.15.1.33 | Are all passwords encrypted in transit? | N/A | 11.5.1.i Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | IS.2.A.5.1 | DS5.4, DS5.7
G.15.1.34 | Are all passwords encrypted or hashed in storage? | N/A | 11.5.3.i Password Management System | N/A | N/A | N/A | IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.C.3 | DS5.4
G.15.1.35 | Are passwords displayed when entered into a system? | N/A | 11.5.1.g Secure Log-On Procedures | N/A | N/A | N/A | RPS.2.C.3 | DS5.4, DS5.7
G.15.1.36 | Are LanMan (LM) hashes disabled? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A
G.15.1.37 | Are systems set to prevent the transmission and reception of LM authentication? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A
G.15.1.38 | Are all user accounts uniquely assigned to a specific individual? | N/A | 11.5.2 User Identification And Authentication | N/A | N/A | N/A | E-BANK.1.4.6.1 | DS5.3
G.15.1.39 | Invalid attempts prior to lockout: | N/A | 11.5.1.e Secure Log-On Procedures | N/A | N/A | N/A | E-BANK.1.4.5.3 | DS5.4, DS5.7
G.15.1.39.1 | Two or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.39.2 | Three to five? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A
G.15.1.39.3 | Six or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.40 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 Secure Log-On Procedures | N/A | N/A | N/A | N/A | DS5.4, DS5.7
G.15.1.40.1 | One hour or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.15.1.40.2 | Never, i.e., administrator intervention required? | N/A | N/A | PO4.11 Segregation of duties | N/A | N/A | N/A | N/A
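Questions G.15.1.29, G.15.1.30, G.15.1.34, G.15.1.39 and G.15.1.40 describe one mechanism seen from five angles. The following added example (written for this page; it is not Shared Assessments material and not an implementation from any mapped standard) puts them together so the interactions are visible: hashed storage forces the history check to re-derive the candidate under each old salt, and the failure counter only locks the account if the failures fall inside the reset window. The thresholds are assumptions chosen to match one answer band of each question, and every name in the block is this example's own.

```python
"""Password-handling controls from G.15.1.29 through G.15.1.40 in one place:
salted, iterated hashing in storage (G.15.1.34), a history that blocks reuse
(G.15.1.29), a minimum age between changes (G.15.1.30), lockout after a fixed
number of failures (G.15.1.39) and a failure counter that expires (G.15.1.40).
Added example, not part of the SIG mapping; the thresholds are assumptions
picked to match one answer band of each question.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_LENGTH = 8                   # G.15.1.26.4
HISTORY_DEPTH = 12               # G.15.1.29.3: current password plus 11 predecessors
MIN_AGE_SECONDS = 24 * 3600      # G.15.1.30.2: at most one change per day
LOCKOUT_THRESHOLD = 5            # G.15.1.39.2
RESET_WINDOW_SECONDS = 3600      # G.15.1.40.1
PBKDF2_ROUNDS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the stored value is this digest plus the salt, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_ok(password: str) -> bool:
    """G.15.1.26/27: length plus upper, lower, digit and special character."""
    return (len(password) >= MIN_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    changed_at: float = 0.0
    failures: int = 0
    first_failure_at: float = 0.0
    locked: bool = False


def set_password(acct: Account, new_password: str, now: float) -> str:
    """Return 'ok' or the reason the change was refused."""
    if not complexity_ok(new_password):
        return "complexity"
    if acct.history and now - acct.changed_at < MIN_AGE_SECONDS:
        return "too-soon"
    # Each history entry has its own salt, so reuse is detected by re-deriving the
    # candidate under every old salt; stored digests cannot be compared directly.
    for salt, digest in acct.history:
        if hmac.compare_digest(derive(new_password, salt), digest):
            return "reused"
    salt = secrets.token_bytes(16)
    acct.history.append((salt, derive(new_password, salt)))
    acct.history = acct.history[-HISTORY_DEPTH:]
    acct.changed_at = now
    return "ok"


def login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'bad-password' or 'locked'."""
    if acct.locked:
        return "locked"
    if acct.failures and now - acct.first_failure_at > RESET_WINDOW_SECONDS:
        acct.failures = 0              # G.15.1.40.1: stale failures no longer count
    salt, digest = acct.history[-1]
    if hmac.compare_digest(derive(password, salt), digest):
        acct.failures = 0
        return "ok"
    if acct.failures == 0:
        acct.first_failure_at = now
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked = True             # cleared only by an administrator (G.15.1.40.2)
        return "locked"
    return "bad-password"


def demo() -> dict:
    """Drive the controls through a constructed timeline; returns each outcome."""
    a, t0, out = Account(), 1_225_700_000.0, {}   # t0 is an arbitrary epoch time
    out["weak"] = set_password(a, "password", t0)                      # complexity
    out["initial"] = set_password(a, "Correct-Horse-9", t0)            # ok
    out["too_soon"] = set_password(a, "Another-Pass-1", t0 + 60)       # too-soon
    out["reuse"] = set_password(a, "Correct-Horse-9", t0 + 2 * 86400)  # reused
    out["rotate"] = set_password(a, "Another-Pass-1", t0 + 2 * 86400)  # ok
    day3 = t0 + 3 * 86400
    for i in range(LOCKOUT_THRESHOLD - 1):                             # four failures ...
        out["fourth_failure"] = login(a, "wrong", day3 + i)            # bad-password
    out["after_window"] = login(a, "wrong", day3 + 2 * RESET_WINDOW_SECONDS)  # counter reset: bad-password, not locked
    day4 = t0 + 4 * 86400
    for i in range(LOCKOUT_THRESHOLD):                                 # five inside one window ...
        out["fifth_failure"] = login(a, "wrong", day4 + i)             # locked
    out["right_password_locked"] = login(a, "Another-Pass-1", day4 + 10)  # locked
    return out
```

The reset window is the part that is easy to get wrong in practice: counting failures without expiring them (G.15.1.40.2) makes lockout a denial-of-service tool for anyone who knows a username, while expiring them too quickly lets a guesser stay just under the threshold indefinitely.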
G.16 | Is a mainframe used for storing or processing Target Data? | N/A | N/A | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | N/A | N/A
G.16.1 | Are Mainframe security controls documented? | N/A | 10.6.1.e Network Controls | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11
G.16.1.1 | Are reviews performed to validate compliance with documented standards? | N/A | 15.2.1 Compliance With Security Policies And Standards | AI4.4 Knowledge transfer to operations and support staff | N/A | N/A | N/A | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.16.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 Compliance With Security Policies And Standards | N/A | N/A | N/A | N/A | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.16.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 Security of system documentation | N/A | N/A | N/A | N/A | AI4.4, DS5.7, DS9.2, DS9.3, DS13.1
G.16.1.3 | Does the ESM database environment and contents possess: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.16.1.3.1 | Data integrity? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.16.1.3.2 | Configuration integrity? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.16.1.3.3 | Assured availability? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.16.1.4 | Are installation-written exit routines used for the ESM? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.16.1.5 | Have installation-written exit routines been verified not to duplicate ESM security functions? | N/A | N/A | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | N/A
G.16.1.6 | Does ESM control the ability to run a started task to the environment? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
G.16.1.7 | Does ESM protect the authorized program facility? | N/A | 11.1.1.c Access Control Policy | PO4.11 Segregation of duties | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.16.1.8 | Is the job entry subsystem protected? | N/A | 10.8.5.g Business Information Systems | PO2.3 Data classification scheme | N/A | N/A | N/A | DS11.6
G.16.1.9 | Are SNA and TCP/IP mainframe networks protected? | N/A | 10.6.1 Network Controls | N/A | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11
G.16.1.10 | Is the transfer of Target Data encrypted? | N/A | 10.8.1.g Information Exchange Policies And Procedures | N/A | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1
G.16.1.11 | Does network monitoring software use a security interface? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A
G.16.1.12 | Are transactions, commands, databases, and resources protected? | N/A | 10.8.5.g Business Information Systems | DS5.3 Identity management | N/A | N/A | N/A | DS11.6
G.16.1.13 | Is authentication required for access to any transaction or database system? | N/A | 11.6.1 Information Access Restriction | N/A | N/A | N/A | N/A | DS5.4
G.16.1.14 | Is there connection security for databases and transaction systems? | N/A | 11.6.1 Information Access Restriction | N/A | N/A | N/A | N/A | DS5.4
G.16.1.15 | Does monitoring software for transaction and database systems use a security interface? | N/A | N/A | AI6.3 Emergency changes | N/A | N/A | N/A | N/A
G.16.1.16 | Are resource access, transmission links, and security interfaces active for data transport systems? | N/A | N/A | AI6.3 Emergency changes | N/A | N/A | N/A | N/A
G.16.1.17 | Are job scheduling systems secured to control the submission of production jobs? | N/A | 11.5.4 Use Of System Utilities | AI6.3 Emergency changes | N/A | N/A | N/A | AI6.3, DS5.7
G.16.1.18 | Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems? | N/A | 11.5.4 Use Of System Utilities | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | OPS.2.12.C | AI6.3, DS5.7
G.16.1.19 | Is the use of data transfer products secured? | N/A | 11.5.4 Use Of System Utilities | DS5.3 Identity management | N/A | N/A | N/A | AI6.3, DS5.7
G.16.1.20 | Are the controls the same for archive and production data? | N/A | 10.7.3 Information Handling Procedures | N/A | N/A | N/A | N/A | PO6.2, DS11.6
G.16.1.21 | Are security interfaces for systems monitoring software always active? | N/A | 11.6.1.d Information Access Restriction | PO4.11 Segregation of duties | N/A | N/A | N/A | DS5.4
G.16.1.22 | Are UNIX systems services secured on the mainframe? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A
G.16.1.23 | Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements? | N/A | 10.6.1.e Network Controls | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11
G.16.1.24 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 Monitoring System Use | AI2.3 Application control and auditability | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5 | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.16.1.24.1 | If so, is this process documented and maintained? | N/A | 10.10.2 Monitoring System Use | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.16.1.25 | Do operating system logs contain the following: | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | 10.10.1 Audit Logging | AI2.3 Application control and auditability | N/A | N/A | IS.2.A.7, IS.2.C.9, IS.2.M.9.2 | AI2.3, DS5.7
G.16.1.25.1 | Successful logins? | N/A | 10.10.1.d Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.2 | Failed login attempts? | N/A | 10.10.1.d Audit Logging | AI2.3 Application control and auditability | N/A | N/A | AUDIT.2.D.1.18 | AI2.3, DS5.7
G.16.1.25.3 | System configuration changes? | N/A | 10.10.1.f Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.4 | Administrative activity? | N/A | 10.10.1.g Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.5 | Disabling of audit logs? | N/A | 10.10.1.l Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.6 | Deletion of audit logs? | N/A | 10.10.1.l Audit Logging | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.7 | Changes to security settings? | N/A | 10.10.1.f Audit Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.8 | Changes to access privileges? | N/A | 10.10.4.c Administrator And Operator Logs | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.5, DS5.7, ME2.2, ME2.5
G.16.1.25.9 | User administration activity? | N/A | 10.10.1.g Audit Logging | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | AI2.3, DS5.7
G.16.1.25.10 | File permission changes? | N/A | 10.10.1.i Audit Logging | N/A | N/A | N/A | N/A | AI2.3, DS5.7
                                                                                                                                                                                                                                                           IS.2.C.9
G.16.1.26       Operating system logs are retained for a minimum of:                               G.9 Log Retention                       10.10.3      Protection Of Log Information       N/A                                        N/A       N/A       OPS.2.12.B         DS5.5, DS5.7
G.16.1.26.1     One day or less?                                                                   N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.26.2     Between one day and one week?                                                      N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.26.3     Between one week and one month?                                                    N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.26.4     Between one month and six months?                                                  N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
                                                                                                                                                                                                     Application control and
G.16.1.26.5     Between six months and one year?                                                   N/A                                     N/A                                              AI2.3    auditability                      N/A       N/A       N/A                N/A
G.16.1.26.6     Greater than one year?                                                             N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.27       In the event of an operating system audit log failure, does the system:            N/A                                     10.10.5      Fault Logging                       N/A                                        N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                     Application control and
G.16.1.27.1     Generate an alert?                                                                 N/A                                     N/A                                              AI2.3    auditability                      N/A       N/A       N/A                N/A
                                                                                                                                                                                                     Security testing, surveillance
G.16.1.27.2     Suspend processing?                                                                N/A                                     N/A                                              DS5.5    and monitoring                    N/A       N/A       N/A                N/A
                                                                                                                                                                                                     Security testing, surveillance
G.16.1.28       Do audit logs trace an event to a specific individual and/or user ID?              N/A                                     10.10.1.a    Audit Logging                       DS5.5    and monitoring                    N/A       N/A       N/A                AI2.3, DS5.7
G.16.1.29       Are audit logs stored on alternate systems?                                        N/A                                     10.10.3      Protection Of Log Information       N/A                                        N/A       N/A       N/A                DS5.5, DS5.7
                Are audit logs protected against modification, deletion, and/or inappropriate
G.16.1.30       access?                                                                            N/A                                     10.10.3      Protection Of Log Information       N/A                                        N/A       N/A       IS.2.M.6           DS5.5, DS5.7
G.16.1.30.1     If so, are the following controls in place:                                        N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.30.1.1   Access control lists?                                                              N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.30.1.2   Alternate storage location?                                                        N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.30.1.3   Limited administrative access?                                                     N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.30.1.4   Real-time replication?                                                             N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
                                                                                                                                                                                                     Enterprise IT risk and internal
G.16.1.30.1.5   Hashing?                                                                           N/A                                     N/A                                              PO6.2    control framework                 N/A       N/A       N/A                N/A
G.16.1.30.1.6   Encryption?                                                                        N/A                                     N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.16.1.31       Is the minimum password length:                                                    H.1 Password Controls                   11.3.1.d     Password Use                        N/A                                        N/A       N/A       N/A                PO6.2, DS5.4



| G.16.1.31.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.31.2 | Six characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.31.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.31.4 | Eight characters? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.16.1.31.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.32 | Password composition requires: | H.1 Password Controls | 11.3.1.d Password Use | N/A | N/A | N/A | IS.2.A.4.4 | PO6.2, DS5.4 |
| G.16.1.32.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.32.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.32.3 | Number? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.16.1.32.4 | Special character? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.33 | Is the minimum password expiration: | N/A | 11.3.1.c Password Use | N/A | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.C.3 | PO6.2, DS5.4 |
| G.16.1.33.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.33.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.33.3 | 61 to 90 days? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A |
| G.16.1.33.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.34 | Password history contains: | N/A | 11.5.3.f Password Management System | N/A | N/A | N/A | N/A | DS5.4 |
| G.16.1.34.1 | Five or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.34.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.34.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.35 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.35.1 | One hour? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.35.2 | One day? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.16.1.35.3 | More than one day? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.16.1.36 | Are initial passwords required to be changed at first logon? | H.1 Password Controls | 11.3.1.f Password Use | DS5.3 Identity management | N/A | N/A | N/A | PO6.2, DS5.4 |
| G.16.1.37 | Can a PIN or secret question be a stand-alone method of authentication? | N/A | 11.3.1.d Password Use | DS5.3 Identity management | N/A | N/A | N/A | PO6.2, DS5.4 |
| G.16.1.38 | Are all passwords encrypted in transit? | N/A | 11.5.1.i Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | IS.2.A.5.1 | DS5.4, DS5.7 |
| G.16.1.39 | Are all passwords encrypted or hashed in storage? | N/A | 11.5.3.i Password Management System | DS5.3 Identity management | N/A | N/A | IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.C.3 | DS5.4 |
| G.16.1.40 | Are passwords displayed when entered into a system? | N/A | 11.5.1.g Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | RPS.2.C.3 | DS5.4, DS5.7 |
| G.16.1.41 | Are all user accounts uniquely assigned to a specific individual? | N/A | 11.5.2 User Identification And Authentication | N/A | N/A | N/A | E-BANK.1.4.6.1 | DS5.3 |
| G.16.1.42 | Invalid attempts prior to lockout: | N/A | 11.5.1.e Secure Log-On Procedures | N/A | N/A | N/A | E-BANK.1.4.5.3 | DS5.4, DS5.7 |
| G.16.1.42.1 | Two or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.42.2 | Three to five? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A |
| G.16.1.42.3 | Six or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.43 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 Secure Log-On Procedures | N/A | N/A | N/A | N/A | DS5.4, DS5.7 |
| G.16.1.43.1 | One hour or less? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.16.1.43.2 | Never, i.e., administrator intervention required? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.16.1.43.3 | Are users required to log off mainframe computers when the session is finished? | N/A | 11.3.2.b Unattended User Equipment | PO4.11 Segregation of duties | N/A | N/A | N/A | PO6.2, DS5.7 |
| G.17 | Is an AS400 used for storing or processing Target Data? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A |
| G.17.1 | Are AS400 security controls documented? | N/A | 10.6.1.e Network Controls | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11 |
| G.17.1.1 | Are AS400 systems periodically monitored to ensure continued compliance with the documented standards? | N/A | 15.2.2 Technical Compliance Checking | AI4.4 Knowledge transfer to operations and support staff | N/A | N/A | IS.2.C.4 | DS5.5, DS5.7, ME2.5 |
| G.17.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 Compliance With Security Policies And Standards | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 |
| G.17.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 Security Of System Documentation | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 |
| G.17.1.3 | Are group profile assignments based on constituent role? | N/A | 11.1.1.f Access Control Policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| G.17.1.4 | Do group profile assignments undergo an approval process? | N/A | 11.1.1.i Access Control Policy | DS5.4 User account management | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| G.17.1.5 | Are user profiles created with the principle of least privilege? | N/A | 11.1.1.b Access Control Policy | DS5.4 User account management | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| G.17.1.6 | Do users have *SAVSYS authority to do saves and restores? | N/A | 11.2.1.c User Registration | DS5.4 User account management | N/A | N/A | N/A | DS5.4 |
| G.17.1.7 | Is authority to start and stop TCP/IP and its servers restricted to administrative-level users? | N/A | 11.2.2.b Privilege Management | N/A | N/A | N/A | N/A | DS5.4 |
| G.17.1.8 | Is authority to run AS/400 configuration commands restricted to administrative-level users? | N/A | 11.2.2.b Privilege Management | DS5.4 User account management | N/A | N/A | N/A | DS5.4 |
| G.17.1.9 | Is the QSYS library the first library in the library list? | N/A | N/A | DS5.4 User account management | N/A | N/A | N/A | N/A |
| G.17.1.10 | Are users restricted from signing on the system from more than one workstation? | N/A | 11.2.1.a User Registration | DS5.4 User account management | N/A | N/A | N/A | DS5.4 |
| G.17.1.11 | Is public authority set to *EXCLUDE for sensitive commands? | N/A | 11.2.2.b Privilege Management | DS5.4 User account management | N/A | N/A | N/A | DS5.4 |
| G.17.1.12 | Is access to library list commands on production AS400 systems restricted to appropriate users? | N/A | 11.2.2.a Privilege Management | N/A | N/A | N/A | N/A | DS5.4 |
| G.17.1.13 | Has *PUBLIC authority to the QPWFSERVER authorization list been revoked? | N/A | 11.2.2.b Privilege Management | N/A | N/A | N/A | N/A | DS5.4 |
| G.17.1.14 | Are security exit programs installed and functioning for server functions that provide an exit? | N/A | N/A | DS5.4 User account management | N/A | N/A | N/A | N/A |
| G.17.1.15 | Are library-level and object-level protections on system libraries (Q-Libraries) shipped from the vendor implemented to the vendor's specifications? | N/A | N/A | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | N/A |
| G.17.1.16 | Is each library list constructed for a community of users? | N/A | 11.2.2.b Privilege Management | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | DS5.4 |
| G.17.1.17 | Are job descriptions used to provide application-specific library lists to an application's user community? | N/A | 11.1.1.f Access Control Policy | N/A | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| G.17.1.18 | Are objects configured to allow users access without requiring AS400 Special Authorities? | N/A | 11.1.1.a Access Control Policy | N/A | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| G.17.1.19 | Has the security audit journal (QAUDJRN) been created? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A |
| G.17.1.20 | Is the size of the journal receivers defined for QAUDJRN? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A |
| G.17.1.21 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 Monitoring System Use | AI2.3 Application control and auditability | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5 | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7 |
| G.17.1.21.1 | If so, is this process documented and maintained? | N/A | 10.10.2 Monitoring System Use | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7 |

                                                                                                   G.7 Administrative Activity Logging, G.8                                                       Application control and                               IS.2.A.7 IS.2.C.9
G.17.1.22       Do operating system logs contain the following:                                    Log-on Activity Logging                  10.10.1     Audit Logging                     AI2.3   auditability                      N/A       N/A       IS.2.M.9.2        AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.22.1     Successful logins?                                                                 N/A                                     10.10.1.d    Audit Logging                     AI2.3   auditability                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.22.2     Failed login attempts?                                                             N/A                                     10.10.1.d    Audit Logging                     AI2.3   auditability                      N/A       N/A       AUDIT.2.D.1.18 AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.22.3     System configuration changes?                                                      N/A                                     10.10.1.f    Audit Logging                     AI2.3   auditability                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.22.4     Administrative activity?                                                           N/A                                     10.10.1.g    Audit Logging                     AI2.3   auditability                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.22.5     Disabling of audit logs?                                                           N/A                                     10.10.1.l    Audit Logging                     AI2.3   auditability                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Security testing, surveillance
G.17.1.22.6     Deletion of audit logs?                                                            N/A                                     10.10.1.l    Audit Logging                     DS5.5   and monitoring                    N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.22.7     Changes to security settings?                                                      N/A                                     10.10.1.f    Audit Logging                     AI2.3   auditability                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Application control and                                                  DS5.5, DS5.7, ME2.2,
G.17.1.22.8     Changes to access privileges?                                                      N/A                                     10.10.4.c    Administrator And Operator Logs   AI2.3   auditability                      N/A       N/A       N/A                ME2.5
                                                                                                                                                                                                  Security testing, surveillance
G.17.1.22.9     User administration activity?                                                      N/A                                     10.10.1.g    Audit Logging                     DS5.5   and monitoring                    N/A       N/A       N/A                AI2.3, DS5.7
G.17.1.22.10    File permission changes?                                                           N/A                                     10.10.1.i    Audit Logging                     N/A                                       N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                                                                        IS.2.C.9
G.17.1.23       Operating system logs are retained for a minimum of:                               G.9 Log Retention                       10.10.3      Protection Of Log Information     N/A                                       N/A       N/A       OPS.2.12.B         DS5.5, DS5.7
G.17.1.23.1     One day or less?                                                                   N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.23.2     Between one day and one week?                                                      N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.23.3     Between one week and one month?                                                    N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.23.4     Between one month and six months?                                                  N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
                                                                                                                                                                                                  Application control and
G.17.1.23.5     Between six months and one year?                                                   N/A                                     N/A                                            AI2.3   auditability                      N/A       N/A       N/A                N/A
G.17.1.23.6     Greater than one year?                                                             N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.24       In the event of an operating system audit log failure, does the system:            N/A                                     10.10.5      Fault Logging                     N/A                                       N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                  Application control and
G.17.1.24.1     Generate an alert?                                                                 N/A                                     N/A                                            AI2.3   auditability                      N/A       N/A       N/A                N/A
                                                                                                                                                                                                  Security testing, surveillance
G.17.1.24.2     Suspend processing?                                                                N/A                                     N/A                                            DS5.5   and monitoring                    N/A       N/A       N/A                N/A
                                                                                                                                                                                                  Security testing, surveillance
G.17.1.25       Do audit logs trace an event to a specific individual and/or user ID?              N/A                                     10.10.1.a    Audit Logging                     DS5.5   and monitoring                    N/A       N/A       N/A                AI2.3, DS5.7
G.17.1.26       Are audit logs stored on alternate systems?                                        N/A                                     10.10.3      Protection Of Log Information     N/A                                       N/A       N/A       N/A                DS5.5, DS5.7
                Are audit logs protected against modification, deletion, and/or inappropriate
G.17.1.27       access?                                                                            N/A                                     10.10.3      Protection Of Log Information     N/A                                       N/A       N/A       IS.2.M.6           DS5.5, DS5.7
G.17.1.27.1     If so, are the following controls in place:                                        N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.27.1.1   Access control lists?                                                              N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.27.1.2   Alternate storage location?                                                        N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.27.1.3   Limited administrative access?                                                     N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.27.1.4   Real-time replication?                                                             N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
                                                                                                                                                                                                  Enterprise IT risk and internal
G.17.1.27.1.5   Hashing?                                                                           N/A                                     N/A                                            PO6.2   control framework                 N/A       N/A       N/A                N/A
G.17.1.27.1.6   Encryption?                                                                        N/A                                     N/A                                            N/A                                       N/A       N/A       N/A                N/A
G.17.1.28       Is the minimum password length:                                                    H.1 Password Controls                   11.3.1.d     Password Use                      N/A                                       N/A       N/A       N/A                PO6.2, DS5.4



| SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
|---|---|---|---|---|---|---|---|---|
| G.17.1.28.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.28.2 | Six characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.28.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.28.4 | Eight characters? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.17.1.28.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.29 | Password composition requires: | H.1 Password Controls | 11.3.1.d Password Use | N/A | N/A | N/A | IS.2.A.4.4 | PO6.2, DS5.4 |
| G.17.1.29.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.29.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.29.3 | Number? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.17.1.29.4 | Special character? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.30 | Is the minimum password expiration: | N/A | 11.3.1.c Password Use | N/A | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.C.3 | PO6.2, DS5.4 |
| G.17.1.30.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.30.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.30.3 | 61 to 90 days? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A |
| G.17.1.30.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.31 | Password history contains: | N/A | 11.5.3.f Password Management System | N/A | N/A | N/A | N/A | DS5.4 |
| G.17.1.31.1 | Five or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.31.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.31.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.32 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.32.1 | One hour? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.32.2 | One day? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.17.1.32.3 | More than one day? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.17.1.33 | Are initial passwords required to be changed at first logon? | H.1 Password Controls | 11.3.1.f Password Use | DS5.3 Identity management | N/A | N/A | N/A | PO6.2, DS5.4 |
| G.17.1.34 | Can a PIN or secret question be a stand-alone method of authentication? | N/A | 11.3.1.d Password Use | DS5.3 Identity management | N/A | N/A | N/A | PO6.2, DS5.4 |
| G.17.1.35 | Are all passwords encrypted in transit? | N/A | 11.5.1.i Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | IS.2.A.5.1 | DS5.4, DS5.7 |
| G.17.1.36 | Are all passwords encrypted or hashed in storage? | N/A | 11.5.3.i Password Management System | DS5.3 Identity management | N/A | N/A | IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.C.3 | DS5.4 |
| G.17.1.37 | Are passwords displayed when entered into a system? | N/A | 11.5.1.g Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | RPS.2.C.3 | DS5.4, DS5.7 |
| G.17.1.38 | Are all user accounts uniquely assigned to a specific individual? | N/A | 11.5.2 User Identification And Authentication | N/A | N/A | N/A | E-BANK.1.4.6.1 | DS5.3 |
| G.17.1.39 | Invalid attempts prior to lockout: | N/A | 11.5.1.e Secure Log-On Procedures | N/A | N/A | N/A | E-BANK.1.4.5.3 | DS5.4, DS5.7 |
| G.17.1.39.1 | Two or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.39.2 | Three to five? | N/A | N/A | DS5.3 Identity management | N/A | N/A | N/A | N/A |
| G.17.1.39.3 | Six or more? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.40 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 Secure Log-On Procedures | N/A | N/A | N/A | N/A | DS5.4, DS5.7 |
| G.17.1.40.1 | One hour or less? | N/A | N/A | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | N/A |
| G.17.1.40.2 | Never, i.e., administrator intervention required? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| G.17.1.41 | Are users required to log off when the session is finished? | N/A | 11.3.2.b Unattended User Equipment | PO4.11 Segregation of duties | N/A | N/A | N/A | PO6.2, DS5.7 |
| G.18 | Is an Open VMS (VAX or Alpha) system used for storing or processing Target Data? | N/A | N/A | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | N/A |
| G.18.1 | Are Open VMS security controls documented? | N/A | 10.6.1.e Network Controls | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | N/A | PO4.1, DS5.9, DS5.11 |
| G.18.1.1 | Are VMS systems periodically monitored for continued compliance with documented standards? | N/A | 15.2.2 Technical Compliance Checking | AI4.4 Knowledge transfer to operations and support staff | N/A | N/A | IS.2.C.4 | DS5.5, DS5.7, ME2.5 |
| G.18.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 Compliance With Security Policies And Standards | N/A | N/A | N/A | N/A | PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 |
| G.18.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 Security of system documentation | PO2.3 Data classification scheme | N/A | N/A | N/A | AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 |
| G.18.1.3 | Do system files and directories prevent the presence of unsecured user mail files? | N/A | N/A | DS5.4 User account management | N/A | N/A | N/A | N/A |
| G.18.1.4 | Are UIC protections in place on VMS systems? | N/A | 7.2.1 Classification Guidelines | N/A | N/A | N/A | N/A | PO2, AI2, DS9 |
| G.18.1.5 | Are WORLD WRITE permissions ever allowed? | N/A | 11.2.2.b Privilege Management | DS5.4 User account management | N/A | N/A | N/A | DS5.4 |
| G.18.1.6 | Is auto logon permitted? | N/A | 10.8.5.g Business Information Systems | N/A | N/A | N/A | N/A | DS11.6 |
| G.18.1.7 | Are duplicate User IDs present? | N/A | 11.2.1.i User Registration | DS5.4 User account management | N/A | N/A | N/A | DS5.4 |
| G.18.1.8 | Is there a policy to require users to activate accounts within seven days? | N/A | N/A | DS5.4 User account management | N/A | N/A | N/A | N/A |
| G.18.1.9 | Is administrative privilege restricted to those constituents responsible for VMS administration? | N/A | 11.2.2.b Privilege Management | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | DS5.4 |
| G.18.1.10 | Are wildcard characters allowed in the node or user name components of a proxy specification? | N/A | 11.2.1.a User Registration | AI2.3 Application control and auditability | N/A | N/A | N/A | DS5.4 |
| G.18.1.11 | Are access attempts to objects that have alarm ACEs monitored and alarmed? | N/A | 10.10.2.c Monitoring System Use | DS5.5 Security testing, surveillance and monitoring | N/A | N/A | N/A | DS5.5, ME1.2, ME2.2, ME2.5, ME4.7 |
                                                                                                                                                                                           Security testing, surveillance
G.18.1.12        Is the SET AUDIT command enabled?                                                  N/A                     10.10.1      Audit Logging                            DS5.5    and monitoring                      N/A       N/A       N/A                AI2.3, DS5.7




The Shared Assessments Program                                                                                                    Page 46 of 191                                                                                                              SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                     AUP 5.0 Relevance                                    ISO 27002:2005 Relevance                  COBIT 4.0 Relevance              PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance

                                                                                                                                                                                                    Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.13       Are changes to the system authorization files audited?                               N/A                                     10.10.2.e    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                Are unauthorized attempts (detached, dial-up, local, network, and remote)                                                                                                           Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.14       alarmed and audited?                                                                 N/A                                     10.10.2.a    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                                                                                                                                                                                                    Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.15       Are the following Object Access Events alarmed and audited:                          N/A                                     10.10.2      Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                                                                                                                                                                                                    Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.15.1     File access through privileges BYPASS, SYSPRV?                                       N/A                                     10.10.2.b    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                                                                                                                                                                                                    Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.15.2     File access failures?                                                                N/A                                     10.10.2.c    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                Is the use of the INSTALL utility to make changes to installed images audited and                                                                                                   Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.16       alarmed?                                                                          N/A                                        10.10.2.b    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                Are login failures (batch, detached, dialup, local, network, remote, and                                                                                                            Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.17       subprocess) alarmed and audited?                                                     N/A                                     10.10.2.c    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                                                                                                                                                                                                    Security testing, surveillance                                          DS 5.5, ME1.2, ME2.2,
G.18.1.18       Are changes to the operating system parameters alarmed and audited?                  N/A                                     10.10.2.e    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A                ME2.5, ME4.7

                Are accounting events (e.g., batch, detached, interactive, login failure, message,                                                                                                  Security testing, surveillance                                        DS 5.5, ME1.2, ME2.2,
G.18.1.19       network, print, process, and subprocess) audited?                                    N/A                                     10.10.2.a    Monitoring System Use             DS5.5   and monitoring                   N/A       N/A       N/A              ME2.5, ME4.7
                                                                                                                                                                                                                                                         IS.1.4.1.3.5
                                                                                                                                                                                                                                                         OPS.2.12.B
                Is there a process to regularly review logs using a specific methodology to                                                                                                         Application control and                              AUDIT.2.D.1.7 E- DS 5.5, ME1.2, ME2.2,
G.18.1.20       uncover potential incidents?                                                         N/A                                     10.10.2      Monitoring System Use             AI2.3   auditability                     N/A       N/A       BANK.1.4.3.5     ME2.5, ME4.7

                                                                                                                                                                                                    Application control and                                                 DS 5.5, ME1.2, ME2.2,
G.18.1.20.1     If so, is this process documented and maintained?                                    N/A                                     10.10.2      Monitoring System Use             AI2.3   auditability                     N/A       N/A       N/A                ME2.5, ME4.7

                                                                                                     G.7 Administrative Activity Logging, G.8                                                       Application control and                              IS.2.A.7 IS.2.C.9
G.18.1.21       Do operating system logs contain the following:                                      Log-on Activity Logging                  10.10.1     Audit Logging                     AI2.3   auditability                     N/A       N/A       IS.2.M.9.2        AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.21.1     Successful logins?                                                                   N/A                                     10.10.1.d    Audit Logging                     AI2.3   auditability                     N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.21.2     Failed login attempts?                                                               N/A                                     10.10.1.d    Audit Logging                     AI2.3   auditability                     N/A       N/A       AUDIT.2.D.1.18 AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.21.3     System configuration changes?                                                        N/A                                     10.10.1.f    Audit Logging                     AI2.3   auditability                     N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.21.4     Administrative activity?                                                             N/A                                     10.10.1.g    Audit Logging                     AI2.3   auditability                     N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.21.5     Disabling of audit logs?                                                             N/A                                     10.10.1.l    Audit Logging                     AI2.3   auditability                     N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Security testing, surveillance
G.18.1.21.6     Deletion of audit logs?                                                              N/A                                     10.10.1.l    Audit Logging                     DS5.5   and monitoring                   N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.21.7     Changes to security settings?                                                        N/A                                     10.10.1.f    Audit Logging                     AI2.3   auditability                     N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Application control and                                                 DS5.5, DS5.7, ME2.2,
G.18.1.21.8     Changes to access privileges?                                                        N/A                                     10.10.4.c    Administrator And Operator Logs   AI2.3   auditability                     N/A       N/A       N/A                ME2.5
                                                                                                                                                                                                    Security testing, surveillance
G.18.1.21.9     User administration activity?                                                        N/A                                     10.10.1.g    Audit Logging                     DS5.5   and monitoring                   N/A       N/A       N/A                AI2.3, DS5.7
G.18.1.21.10    File permission changes?                                                             N/A                                     10.10.1.i    Audit Logging                     N/A                                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                                                                         IS.2.C.9
G.18.1.22       Operating system logs are retained for a minimum of:                                 G.9 Log Retention                       10.10.3      Protection Of Log Information     N/A                                      N/A       N/A       OPS.2.12.B         DS5.5, DS5.7
G.18.1.22.1     One day or less?                                                                     N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.22.2     Between one day and one week?                                                        N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.22.3     Between one week and one month?                                                      N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.22.4     Between one month and six months?                                                    N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
                                                                                                                                                                                                    Application control and
G.18.1.22.5     Between six months and one year?                                                     N/A                                     N/A                                            AI2.3   auditability                     N/A       N/A       N/A                N/A
G.18.1.22.6     Greater than one year?                                                               N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.23       In the event of an operating system audit log failure, does the system:              N/A                                     10.10.5      Fault Logging                     N/A                                      N/A       N/A       N/A                AI2.3, DS5.7
                                                                                                                                                                                                    Application control and
G.18.1.23.1     Generate an alert?                                                                   N/A                                     N/A                                            AI2.3   auditability                     N/A       N/A       N/A                N/A
                                                                                                                                                                                                    Security testing, surveillance
G.18.1.23.2     Suspend processing?                                                                  N/A                                     N/A                                            DS5.5   and monitoring                   N/A       N/A       N/A                N/A
                                                                                                                                                                                                    Security testing, surveillance
G.18.1.24       Do audit logs trace an event to a specific individual and/or user ID?                N/A                                     10.10.1.a    Audit Logging                     DS5.5   and monitoring                   N/A       N/A       N/A                AI2.3, DS5.7
G.18.1.25       Are audit logs stored on alternate systems?                                          N/A                                     10.10.3      Protection Of Log Information     N/A                                      N/A       N/A       N/A                DS5.5, DS5.7
                Are audit logs protected against modification, deletion, and/or inappropriate
G.18.1.26       access?                                                                              N/A                                     10.10.3      Protection Of Log Information     N/A                                      N/A       N/A       IS.2.M.6           DS5.5, DS5.7
G.18.1.26.1     If so, are the following controls in place:                                          N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.26.1.1   Access control lists?                                                                N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.26.1.2   Alternate storage location?                                                          N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.26.1.3   Limited administrative access?                                                       N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A
G.18.1.26.1.4   Real-time replication?                                                               N/A                                     N/A                                            N/A                                      N/A       N/A       N/A                N/A



The Shared Assessments Program                                                                                                                     Page 47 of 191                                                                                                   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                 AUP 5.0 Relevance                               ISO 27002:2005 Relevance                        COBIT 4.0 Relevance               PCI 1.1   PCI 1.2   FFIEC           COBIT 4.1 Relevance
                                                                                                                                                                                                 Security testing, surveillance
G.18.1.26.1.5   Hashing?                                                                         N/A                                N/A                                                 DS5.5    and monitoring                    N/A       N/A       N/A             N/A
                                                                                                                                                                                                 Security testing, surveillance
G.18.1.26.1.6   Encryption?                                                                      N/A                                N/A                                                 DS5.5    and monitoring                    N/A       N/A       N/A             N/A

                                                                                                                                                                                                 Security testing, surveillance                                        DS 5.5, ME1.2, ME2.2,
G.18.1.27       Are the following security auditing components enabled:                          N/A                                10.10.2      Monitoring System Use                  DS5.5    and monitoring                    N/A       N/A       N/A             ME2.5, ME4.7

                                                                                                                                                                                                 Security testing, surveillance                                        DS 5.5, ME1.2, ME2.2,
G.18.1.27.1     Operator Communication Manager (OPCOM) process?                                  N/A                                10.10.2.b    Monitoring System Use                  DS5.5    and monitoring                    N/A       N/A       N/A             ME2.5, ME4.7

                                                                                                                                                                                                 Enterprise IT risk and internal                                       DS 5.5, ME1.2, ME2.2,
G.18.1.27.2     Audit Server (AUDIT_SERVER) process?                                             N/A                                10.10.2.e    Monitoring System Use                  PO6.2    control framework                 N/A       N/A       N/A             ME2.5, ME4.7

                Does open VMS perform auditing and logging to support incident and access                                                                                                                                                                              DS 5.5, ME1.2, ME2.2,
G.18.1.28       research?                                                                        N/A                                10.10.2.a    Monitoring System Use                  N/A                                        N/A       N/A       N/A             ME2.5, ME4.7
G.18.1.29       Is the minimum password length:                                                  H.1 Password Controls              11.3.1.d     Password Use                           N/A                                        N/A       N/A       N/A             PO6.2, DS5.4
G.18.1.29.1     Five characters or less?                                                         N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
G.18.1.29.2     Six characters?                                                                  N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
G.18.1.29.3     Seven characters?                                                                N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
                                                                                                                                                                                                 Enterprise IT risk and internal
G.18.1.29.4     Eight characters?                                                                N/A                                N/A                                                 PO6.2    control framework                 N/A       N/A       N/A             N/A
G.18.1.29.5     Nine characters or more?                                                         N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
G.18.1.30       Password composition requires:                                                   H.1 Password Controls              11.3.1.d     Password Use                           N/A                                        N/A       N/A       IS.2.A.4.4      PO6.2, DS5.4
G.18.1.30.1     Uppercase letter?                                                                N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
G.18.1.30.2     Lowercase letter?                                                                N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
                                                                                                                                                                                                 Enterprise IT risk and internal
G.18.1.30.3     Number?                                                                          N/A                                N/A                                                 PO6.2    control framework                 N/A       N/A       N/A              N/A
G.18.1.30.4     Special character?                                                               N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
                                                                                                                                                                                                                                                       IS.2.A.4.3
                                                                                                                                                                                                                                                       AUDIT.2.D.1.5 E-
                                                                                                                                                                                                                                                       BANK.1.4.5.4
G.18.1.31       Is the minimum password expiration:                                              N/A                                11.3.1.c     Password Use                           N/A                                        N/A       N/A       RPS.2.C.3        PO6.2, DS5.4
G.18.1.31.1     30 days or less?                                                                 N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.31.2     31 to 60 days?                                                                   N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.31.3     61 to 90 days?                                                                   N/A                                N/A                                                 DS5.3    Identity management               N/A       N/A       N/A              N/A
G.18.1.31.4     Greater than 91 days?                                                            N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.32       Password history contains:                                                       N/A                                11.5.3.f     Password Management System             N/A                                        N/A       N/A       N/A              DS5.4
G.18.1.32.1     Five or less?                                                                    N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.32.2     Six to 11?                                                                       N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.32.3     12 or more?                                                                      N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.33       Password can be changed at a minimum of:                                         N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.33.1     One hour?                                                                        N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.33.2     One day?                                                                         N/A                                N/A                                                 PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A             N/A
G.18.1.33.3     More than one day?                                                               N/A                                N/A                                                 PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A             N/A
G.18.1.34       Are initial passwords required to be changed at first logon?                     H.1 Password Controls              11.3.1.f     Password use                           DS5.3    Identity management               N/A       N/A       N/A             PO6.2, DS5.4
G.18.1.35       Can a PIN or secret question be a stand-alone method of authentication?          N/A                                11.3.1.d     Password Use                           DS5.3    Identity management               N/A       N/A       N/A             PO6.2, DS5.4
G.18.1.36       Are all passwords encrypted in transit?                                          N/A                                11.5.1.i     Secure Log-On Procedures               DS5.3    Identity management               N/A       N/A       IS.2.A.5.1      DS5.4, DS5.7
G.18.1.37       Are all passwords encrypted or hashed in storage?                                N/A                                11.5.3.i     Password Management System             DS5.3    Identity management               N/A       N/A       IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.C.3        DS5.4
G.18.1.38       Are passwords displayed when entered into a system?                              N/A                                11.5.1.g     Secure Log-On Procedures               DS5.3    Identity management               N/A       N/A       RPS.2.C.3        DS5.4, DS5.7
G.18.1.39       Are all user accounts uniquely assigned to a specific individual?                N/A                                11.5.2       User Identification And Authentication   N/A                                        N/A       N/A       IS.1.4.1.2.2, E-BANK.1.4.6.1     DS5.3
G.18.1.40       Invalid attempts prior to lockout:                                               N/A                                11.5.1.e   Secure Log-On Procedures                 N/A                                        N/A       N/A       E-BANK.1.4.5.3 DS5.4, DS5.7
G.18.1.40.1     Two or less?                                                                     N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.40.2     Three to five?                                                                   N/A                                N/A                                                 DS5.3    Identity management               N/A       N/A       N/A              N/A
G.18.1.40.3     Six or more?                                                                     N/A                                N/A                                                 N/A                                        N/A       N/A       N/A              N/A
G.18.1.41       Failed login attempt count resets to zero at a minimum of:                       N/A                                11.5.1.e.2 Secure Log-On Procedures                 N/A                                        N/A       N/A       N/A              DS5.4, DS5.7
G.18.1.41.1     One hour or less?                                                                N/A                                N/A                                                 PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A             N/A
G.18.1.41.2     Never, i.e., administrator intervention required?                                N/A                                N/A                                                 N/A                                        N/A       N/A       N/A             N/A
G.18.1.42       Are users required to log off when the session is finished?                      N/A                                11.3.2.b     Unattended User Equipment              DS5.11   Exchange of sensitive data        N/A       N/A       N/A             PO6.2, DS5.7
G.19            Are Web services provided?                                                       N/A                                N/A                                                 DS5.11   Exchange of sensitive data        N/A       N/A       N/A             N/A

G.19.1          Are electronic commerce web sites or applications used to process Target Data?   N/A                                10.9.1       Electronic Commerce                    DS5.11   Exchange of sensitive data        N/A       N/A       N/A             AC4, AC6, DS5.11
G.19.1.1        Are cryptographic controls used for the electronic commerce application (e.g., SSL)?   G.11 Website – Client Encryption   10.9.1       Electronic Commerce                    AC9      Data processing integrity         N/A       N/A       N/A             AC4, AC6, DS5.11
G.19.1.2        Are all parties required to authenticate to the application?                     N/A                                10.9.1.a     Electronic Commerce                    N/A                                        N/A       N/A       N/A             AC4, AC6, DS5.11
G.19.1.3        Are any transaction details stored in the DMZ?                                   N/A                                10.9.2.e     On-Line Transactions                   PO2.3    Data classification scheme        N/A       N/A       N/A             AC3, AC4, AC5, AC6
G.19.2          Is Windows IIS used for these Web services?                                      N/A                                N/A                                                 DS5.4    User account management           N/A       N/A       N/A             N/A
G.19.2.1        Is anonymous access to FTP disabled?                                             N/A                                10.8.2       Exchange Agreements                    PO2.3    Data classification scheme        N/A       N/A       N/A             PO2.3, PO3.4, AI5.2, DS2.3
G.19.2.2        Is membership in the IIS Administrators group restricted to those with web administration roles and responsibilities?   N/A                                11.2.2.b     Privilege Management                   N/A                                        N/A       N/A       N/A             DS5.4
G.19.2.3       Does each website have its own dedicated virtual directory structure?             N/A                 10.8.1     Information Exchange Policies And Procedures   AI6.3    Emergency changes                 N/A       N/A       N/A                PO2.3, PO6.2, DS11.1
G.19.2.4       Are IIS security options restricted to authorized users?                          N/A                 10.8.5.g   Business Information Systems          N/A                                        N/A       N/A       N/A                DS11.6
G.19.2.5       Are all unused services turned off on IIS servers?                                N/A                 11.5.4.h   Use Of System Utilities               AI2.3    Application control and auditability   N/A       N/A       N/A                AI6.3, DS5.7
G.19.2.6       Do IIS services run on standard ports?                                            N/A                 N/A                                              AI6.3    Emergency changes                 N/A       N/A       N/A                N/A
G.19.2.7       Is IIS configured to perform logging to support incident investigation?           N/A                 10.10.1    Audit Logging                         DS5.4    User account management           N/A       N/A       N/A                AI2.3, DS5.7
G.19.2.8       Are all sample applications and scripts removed?                                  N/A                 11.5.4.h   Use Of System Utilities               N/A                                        N/A       N/A       N/A                AI6.3, DS5.7
G.19.2.9       Is least privilege used when setting IIS content permissions?                     N/A                 11.2.1.c   User Registration                     N/A                                        N/A       N/A       N/A                DS5.4
G.19.2.10      Is the IIS content folder on the same drive as the operating system?              N/A                 N/A                                              AI2.3    Application control and auditability   N/A       N/A       N/A                N/A
G.19.3         Is Apache used for these Web services?                                            N/A                 N/A                                              PO2.3    Data classification scheme        N/A       N/A       N/A                N/A
G.19.3.1       Is Apache configured to perform logging to support incident investigation?        N/A                 10.10.1    Audit Logging                         DS5.4    User account management           N/A       N/A       N/A                AI2.3, DS5.7
G.19.3.2       Is anonymous access to FTP disabled?                                              N/A                 10.8.2     Exchange Agreements                   N/A                                        N/A       N/A       N/A                PO2.3, PO3.4, AI5.2, DS2.3
G.19.3.3       Is membership in the Apache group restricted to those with web administration roles and responsibilities?   N/A                 11.2.2.b   Privilege Management                  N/A                                        N/A       N/A       N/A                DS5.4
G.19.3.4       Does each website have its own dedicated virtual directory structure?             N/A                 N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.19.3.5       Are Apache configuration options restricted to authorized users?                  N/A                 10.8.5.g   Business Information Systems          AI6.3    Emergency changes                 N/A       N/A       N/A                DS11.6
G.19.3.6       Do Apache services run on standard ports?                                         N/A                 N/A                                              DS5.4    User account management           N/A       N/A       N/A                N/A
G.19.3.7       Are all sample applications and scripts removed?                                  N/A                 11.5.4.h   Use Of System Utilities               N/A                                        N/A       N/A       N/A                AI6.3, DS5.7
G.19.3.8       Is least privilege used when setting Apache permissions?                          N/A                 11.2.1.c   User Registration                     PO2.1    Enterprise information architecture model   N/A       N/A       N/A                DS5.4
G.20           Are desktop computers used?                                                       N/A                 N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.20.1         Is there a segregation of duties for granting access to and accessing Target Data?   N/A                 11.1.1.h   Access Control Policy                 PO4.11   Segregation of duties             N/A       N/A       IS.1.6.8, IS.2.A.1.2, IS.2.B.6, D&A.1.3.1.3, MGMT.1.2.1.4, OPS.1.5.3.3, OPS.2.12.H.3, FEDLINE.1.5.2.1, RPS.1.3.1.3   PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.20.2         Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection?   N/A                 10.7.1.b   Management of removable media         PO4.11   Segregation of duties             N/A       N/A       IS.1.4.1.10, OPS.1.5.2.4   PO2.3, DS11.2, DS11.3, DS11.4
G.20.3         Is the user of a system also responsible for reviewing its security audit logs?   N/A                 10.1.3     Segregation Of Duties                 PO4.11   Segregation of duties             N/A       N/A       IS.2.M.8           PO4.11, DS5.4
G.20.4         Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs?   N/A                 10.1.3     Segregation Of Duties                 PO4.11   Segregation of duties             N/A       N/A       IS.1.6.8           PO4.11, DS5.4
G.20.5         Is there a segregation of duties for approving access requests and implementing the request?   N/A                 10.1.3     Segregation Of Duties                 DS5.10   Network security                  N/A       N/A       IS.1.6.8, D&A.1.3.1.3   PO4.11, DS5.4
G.20.6         Are constituents required to use an approved standard operating environment?      N/A                 10.6.1.e   Network Controls                      PO4.14   Contracted staff policies and procedures   N/A       N/A       IS.2.D.1           PO4.1, DS5.9, DS5.11
G.20.7         Are internal users required to pass through a content filtering proxy prior to accessing the Internet?   N/A                 11.4.7     Network Routing Control               PO4.14   Contracted staff policies and procedures   N/A       N/A       N/A                DS5.9, DS5.11
G.20.8         Do applications that are not in the standard operating environment require an approval from security prior to implementation?   N/A                 15.1.5     Prevention Of Misuse Of Information Processing Facilities   N/A                                        N/A       N/A       N/A                PO4.14, PO6.2, DS9.2, DS9.3
G.20.9         Do freeware or shareware applications require approval from security prior to installation?   N/A                 15.1.5     Prevention Of Misuse Of Information Processing Facilities   DS5.3    Identity management               N/A       N/A       N/A                PO4.14, PO6.2, DS9.2, DS9.3
G.20.10        Is Target Data ever stored on non-company managed PC(s)?                          N/A                 N/A                                              N/A                                        N/A       N/A       N/A                N/A
G.20.11        Can a non-company managed PC connect directly into the company network?           N/A                 11.4.1     Policy On Use Of Network Services     DS5.9    Malicious software prevention, detection and correction   N/A       N/A       N/A                DS5.9, DS5.11
G.20.12        Is the installation of software on company-owned workstations restricted to administrators?   N/A                 10.8.5.g   Business Information Systems          PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A                DS11.6
G.20.13        Are users permitted to execute mobile code?                                       N/A                 10.4.2     Controls Against Mobile Code          PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       IS.2.B.10.6        DS5.9
G.20.14        Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data?   N/A                 11.7.1     Mobile Computing And Communications   PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A                PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.1      Are laptops required to be attended at all times when in public places?           N/A                 11.7.1     Mobile Computing And Communications   N/A                                        N/A       N/A       N/A                PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.2      Are laptops required to be secured at all times?                                  N/A                 11.7.1     Mobile Computing And Communications   PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A                PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.3      Is the installation of software on company-owned mobile computing devices restricted to administrators?   N/A                 10.8.5.g   Business Information Systems          PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A                DS11.6
G.20.14.4      Is Target Data (except for email) ever stored on remote mobile devices (e.g., Blackberry or Palm Pilot)?   N/A                 11.7.1     Mobile Computing And Communications   PO6.2    Enterprise IT risk and internal control framework   N/A       N/A       N/A                PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.5      Are these devices subject to the same requirements as workstations when applicable?   N/A                 11.7.1     Mobile Computing And Communications   N/A                                        N/A       N/A       N/A                PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.6      Is encryption used to secure mobile computing devices?                            N/A                 11.7.1     Mobile Computing And Communications   N/A                                        N/A       N/A       N/A                N/A

               H. Access Control
H.1            Are electronic systems used to store, process and/or transport Target Data?         N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.1.1          Is there an access control policy?                                                  B.1 Information Security Policy Content   11.1.1       Access Control Policy                  PO2.1   Enterprise information architecture model   5.1         5.1       IS.1.4.1.1, IS.2.A.1, IS.2.G.4, OPS.1.5.1.2, E-BANK.1.4.2.9   PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
H.1.1.1        Has it been approved by management?                                                 N/A                                    5.1.1        Information Security Policy Document   PO6.1   IT policy and control environment   N/A         N/A       N/A               PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
H.1.1.2        Has the policy been published?                                                      N/A                                    5.1.1        Information Security Policy Document   PO6.1   IT policy and control environment   N/A         N/A       N/A               PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
H.1.1.3        Has it been communicated to appropriate constituents?                               N/A                                    5.1.1        Information Security Policy Document   PO6.1   IT policy and control environment   N/A         N/A       N/A               PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

H.1.1.4        Is there an owner to maintain and review the policy?                                N/A                                    5.1.2        Review Of The Information Security Policy   PO3.1   Technological direction planning   N/A         N/A       N/A               PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
                                                                                                                                                                                                                                                      IS.1.4.1.3.2
                                                                                                                                                                                                                                                      IS.1.4.1.3.3
                                                                                                                                                                                                                                                      IS.2.A.1.1
               Do policies require access controls be in place on applications, operating                                                                                                             Enterprise information                          IS.2.A.2.2        PO2.2, PO2.3, PO6.2,
H.1.2          systems, databases, and network devices to ensure users have least privilege?       N/A                                    11.1.1.c     Access Control Policy                  PO2.1   architecture model              7.1         7.1 IS.2.B.8          DS5.2, DS5.3, DS5.4
                                                                                                                                                                                                                                                      IS.2.A.2.1
                                                                                                                                                                                                                                                      IS.2.A.2.3
H.2            Are unique user IDs used for access?                                                N/A                                    11.2.1.a     User Registration                      DS5.4   User account management   N/A         N/A       IS.2.A.4.7&" "&   DS5.4
               Can a userID contain data (such as SSN) that could reveal private information of                                                                                                                                                       E-
H.2.1          the user?                                                                           N/A                                    N/A                                                 N/A                                     8.1 N/A         BANK.1.4.5.13     N/A
               Can a userID contain data that could reveal the access level assigned to the user
H.2.2          (e.g., Admin)?                                                                      N/A                                    N/A                                                 N/A                                     8.2 N/A         N/A               N/A
H.2.3          Are inactive userID(s) deleted or disabled after:                                   H.4 Inactive Accounts                  N/A                                                 N/A                               N/A       #N/A        IS.2.A.5.1        N/A
H.2.3.1        Every three months or less?                                                         N/A                                    N/A                                                 N/A                               N/A       N/A         N/A               N/A
H.2.3.2        Three months to four months?                                                        N/A                                    N/A                                                 N/A                               N/A       N/A         N/A               N/A
H.2.3.3        Greater than four months?                                                           N/A                                    N/A                                                 N/A                               N/A       N/A         N/A               N/A
H.2.3.4        Never?                                                                              N/A                                    N/A                                                 N/A                               N/A       N/A         N/A               N/A
H.2.4          Can a user share a userID?                                                          N/A                                    11.2.1.a     User Registration                      DS5.4   User account management   8.5.8     8.5.8       N/A               DS5.4
                                                                                                                                                                                                                                                      IS.2.C.6
               Is there a process to grant and approve access to systems holding, processing,                                                                                                                                                         AUDIT.2.D.1.13
H.2.5          or transporting Target Data?                                                        N/A                                    11.2.1       User Registration                      DS5.4   User account management   8.5.16     8.5.16     AUDIT.2.D.1.15    DS5.4
H.2.5.1        Do access request approvals include:                                                H.3 Logical Access Authorization       N/A                                                 N/A                                      7.1        7.1 IS.2.A.2.4        N/A

                                                                                                                                                                                                      Enterprise information                                            PO2.2, PO2.3, PO6.2,
H.2.5.1.1      Formal request?                                                                     N/A                                    11.1.1.i     Access Control Policy                  PO2.1   architecture model        N/A         N/A       N/A               DS5.2, DS5.3, DS5.4

                                                                                                                                                                                                      Enterprise information                                            PO2.2, PO2.3, PO6.2,
H.2.5.1.2      Management approval?                                                                N/A                                    11.1.1.i     Access Control Policy                  PO2.1   architecture model        N/A         N/A       IS.2.A.2.5        DS5.2, DS5.3, DS5.4

                                                                                                                                                                                                      Enterprise information                                            PO2.2, PO2.3, PO6.2,
H.2.5.1.3      Implementation by administrator?                                                    N/A                                    11.1.1.D     Access Control Policy                  PO2.1   architecture model        N/A         N/A       N/A               DS5.2, DS5.3, DS5.4
H.2.5.1.4      Data owner approval?                                                                N/A                                    11.2.1.b     User Registration                      DS5.4   User account management   N/A         N/A       N/A               DS5.4
H.2.6          Are approved requests for granting access logged or archived?                       N/A                                    11.2.1.g     User Registration                      DS5.4   User account management   N/A         N/A       N/A               DS5.4
H.2.6.1        If so, does it include:                                                             N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.1.1      Requestor's name?                                                                   N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.1.2      Date and time requested?                                                            N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.1.3      Documented request?                                                                 N/A                                    11.2.1.g     User Registration                      DS5.4   User account management   N/A         N/A       N/A               DS5.4
H.2.6.1.4      Approver's name?                                                                    N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.1.5      Date and time approved?                                                             N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.1.6      Evidence of approval?                                                               N/A                                    11.2.1.b     User Registration                      DS5.4   User account management   N/A         N/A       N/A               DS5.4
H.2.6.1.7      Administrator's name?                                                               N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.1.8      Date and time implemented?                                                          N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2        Approvals are retained for a minimum of:                                            N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2.1      One month or less?                                                                  N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2.2      Between one month and six months?                                                   N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2.3      Between six months and one year?                                                    N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2.4      Between one year and three years?                                                   N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2.5      Greater than three years?                                                           N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.6.2.6      Other (Please explain in the "Additional Information" column)?                      N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.7          System access is limited by:                                                        N/A                                    11.2.1.c     User Registration                      DS5.4   User account management         7.1         7.1 N/A               DS5.4
H.2.7.1        Time of day?                                                                        N/A                                    11.5.6       Limitation Of Connection Time          DS5.3   Identity management       N/A         N/A       WPS.2.9.4.2       DS5.7
H.2.7.2        User account lifetime?                                                              N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.7.3        Privilege lifetime?                                                                 N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.7.4        Physical location?                                                                  N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.7.5        Physical device?                                                                    N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.7.6        Network subnet?                                                                     N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A
H.2.7.7        IP address?                                                                         N/A                                    N/A                                                 N/A                               N/A         N/A       N/A               N/A




SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance
H.2.8 | Is there a process to review that access is only granted to those with a business need to know? | N/A | 11.2.4 Review Of User Access Rights | DS5.4 User account management | 8.5.1 | 8.5.1 | IS.2.A.3, IS.2.A.5.4, IS.2.A.3, RPS.2.C.2.2 | DS5.4
H.2.8.1 | User access rights are reviewed: | N/A | 11.2.4.a Review Of User Access Rights | DS5.4 User account management | N/A | N/A | IS.2.A.5 | DS5.4
H.2.8.1.1 | Weekly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.1.2 | Monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.1.3 | Quarterly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.1.4 | Annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.1.5 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.1.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.2 | Are access rights reviewed when a constituent changes roles? | N/A | 11.2.4.b Review Of User Access Rights | DS5.4 User account management | N/A | N/A | IS.2.A.5.2 | DS5.4
H.2.8.3 | Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained? | N/A | 11.2.4.d Review Of User Access Rights | DS5.4 User account management | N/A | N/A | IS.2.A.1.3 | DS5.4
H.2.8.3.1 | Are privileged user access rights reviewed: | N/A | 11.2.4.c Review Of User Access Rights | DS5.4 User account management | N/A | N/A | IS.2.A.4 | DS5.4
H.2.8.3.1.1 | Weekly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.2 | Monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.3 | Quarterly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.4 | Annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.5 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.4 | Are changes to privileged user access rights logged? | N/A | 11.2.4.e Review Of User Access Rights | DS5.4 User account management | N/A | N/A | IS.2.A.2 | DS5.4
H.2.8.5 | Are logon banners presented at: | L.1 Presence of Log-on Banners | 11.5.1.b Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | IS.2.A.8, IS.2.B.16, IS.2.C.11, IS.2.G.6 | DS5.4, DS5.7
H.2.8.5.1 | Workstations? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.5.2 | Production systems? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.5.3 | Internet-facing applications? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.5.4 | Internet-facing servers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.5.5 | Internal applications? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.8.5.6 | Remote access? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.9 | Upon logon failure, does the error message describe the cause of the failure (e.g., Invalid password, invalid user ID, etc.)? | N/A | 11.5.1.c Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | IS.2.A.8 | DS5.4, DS5.7
H.2.10 | Upon successful logon, does a message indicate the last time of successful logon? | N/A | 11.5.1.g Secure Log-On Procedures | DS5.3 Identity management | N/A | N/A | N/A | DS5.4, DS5.7
H.2.11 | Is multi-factor authentication deployed for "high-risk" environments? | N/A | 11.5.2 User Identification And Authentication | DS5.3 Identity management | N/A | N/A | IS.2.A.4.5, E-BANK.1.4.4.1 | DS5.3
H.2.12 | Do all users have a unique userID when accessing applications? | N/A | 11.5.2 User Identification And Authentication | DS5.3 Identity management | 8.1, 8.2 | 8.1, 8.2 | E-BANK.1.4.6.1 | DS5.3
H.2.13 | Is the use of system utilities restricted to authorized users only? | N/A | 11.5.4 Use Of System Utilities | AI6.3 Emergency changes | N/A | N/A | IS.2.A.1.4, IS.2.C.7 | AI6.3, DS5.7
H.2.14 | Screen locks on an inactive workstation occur at: | H.5 Controls for Unattended Systems | 11.5.5 Session Time-Out | DS5.3 Identity management | 8.5.15 | 8.5.15 | IS.2.D.6 | DS5.7
H.2.14.1 | 15 minutes or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.14.2 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.14.3 | 31 to 60 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.14.4 | 61+ minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.15 | Session timeout for inactivity occurs at: | H.5 Controls for Unattended Systems | 11.5.5 Session Time-Out | DS5.3 Identity management | N/A | N/A | IS.2.D.6, WPS.2.9.4.1, RPS.2.C.3 | DS5.7
H.2.15.1 | Five minutes or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.15.2 | Six to 15 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.15.3 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.15.4 | 30 minutes, or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.16 | Is application development performed? | N/A | 11.6 Application and information access control | N/A | N/A | N/A | N/A | DS5.7
H.2.16.1 | Are developers permitted access to production environments, including read access? | N/A | 12.4.3.c Access Control To Program Source Code | AI2.4 Application security and availability | N/A | N/A | N/A | AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
H.2.16.2 | Is there a process for emergency access to production systems? | N/A | 11.2.2.c Privilege Management | DS5.4 User account management | N/A | N/A | N/A | DS5.4
H.2.16.3 | Is access to systems and applications based on defined roles and responsibilities or job functions? | N/A | 11.1.1 Access Control Policy | PO2.1 Enterprise information architecture model | 7.1 | 7.1 | IS.2.L.3, E-BANK.1.5.1 | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
H.2.16.4 | Are the following roles defined: | N/A | N/A | N/A | N/A | N/A | D&A.1.3.1.1 | N/A
H.2.16.4.1 | Developer? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.16.4.2 | Production Support? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.16.4.3 | Administrative Users? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.16.5 | Are job role profiles established? | N/A | N/A | N/A | 7.1 | 7.1 | D&A.1.3.1.2, RPS.2.C.2.3 | N/A
H.2.16.6 | Is there a process when an individual requires access outside an established role? | N/A | 11.2.2.b Privilege Management | DS5.4 User account management | N/A | N/A | N/A | DS5.4
H.2.16.7 | Is there a process to revise and update constituent access during internal moves? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
H.2.17 | Are user accounts not assigned to a designated person (i.e., system, vendor, or service accounts) disallowed for normal operations and monitored for usage? | N/A | N/A | N/A | N/A | N/A | WPS.2.9.2.5 | N/A
H.3 | Are passwords required to access systems holding, processing, or transporting Target Data? | N/A | 11.2.3 User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3
               Is there password policy for systems holding, processing, or transporting Target
H.3.1          Data?                                                                               N/A                                   11.2.3       User Password Management                 DS5.3   Identity management        N/A            N/A         IS.2.A.14          DS5.3




The Shared Assessments Program                                                                                                                 Page 51 of 191                                                                                                           SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                                  AUP 5.0 Relevance                  ISO 27002:2005 Relevance                         COBIT 4.0 Relevance               PCI 1.1         PCI 1.2       FFIEC              COBIT 4.1 Relevance
| H.3.1.1 | Has it been approved by management? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| H.3.1.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| H.3.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| H.3.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 Review Of The Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| H.3.2 | Are strong passwords required on systems holding, processing, or transporting Target Data? | N/A | 11.5.2 User Identification And Authentication | DS5.3 Identity management | 8.5.10, 8.5.11 | 8.5.10, 8.5.11 | IS.2.A.4.4, RPS.1.2.2.2, RPS.2.C.2.4 | DS5.3 |
| H.3.3 | Are password files and application system data stored in different file systems? | N/A | 11.5.3.h Password Management System | DS5.3 Identity management | 8.4 | 8.4 | IS.2.A.6 | DS5.4 |
| H.3.4 | Are initial passwords communicated to users by: | N/A | N/A | N/A | 8.5.7 | N/A | IS.2.A.2.6, E-BANK.1.4.5.7 | N/A |
| H.3.4.1 | Email? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.2 | Telephone call? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.3 | Instant Messaging? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.4 | User selected? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.5 | Cell phone text message? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.6 | Paper document? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.7 | Verbal? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.8 | Encrypted communication? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.4.9 | Other (Please explain in the "Additional Information" column)? | N/A | 11.2.3.d User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.5 | Are new constituents issued random initial passwords? | N/A | 11.2.3.b User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.6 | Are users forced to change the password upon first logon? | H.1 Password Controls | 11.2.3.b User Password Management | DS5.3 Identity management | 8.5.3 | 8.5.3 | N/A | DS5.3 |
| H.3.7 | Are temporary passwords unique to an individual? | N/A | 11.2.3.e User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.8 | Do temporary passwords expire after: | N/A | N/A | N/A | N/A | N/A | IS.2.A.5.1 | N/A |
| H.3.8.1 | 10 days or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.3.8.2 | 10 days to 30 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.3.8.3 | Greater than 30 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.3.8.4 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.3.9 | How is a user's identity verified prior to resetting a password: | N/A | N/A | N/A | 8.5.2 | 8.5.2 | IS.2.A.4.2 | N/A |
| H.3.9.1 | Email return? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.9.2 | Voice recognition? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.9.3 | Secret questions? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.9.4 | Administrator call return? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.9.5 | Identified physical presence? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.9.6 | Management approval? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.9.7 | Other (Please explain in the "Additional Information" column)? | N/A | 11.2.3.c User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.10 | Is there a policy to prohibit users from sharing passwords? | N/A | 11.2.3.a User Password Management | DS5.3 Identity management | 8.5.8 | 8.5.8 | IS.2.A.4.1 | DS5.3 |
| H.3.11 | Are users prohibited from keeping paper records of passwords? | N/A | 11.2.3.g User Password Management | DS5.3 Identity management | N/A | N/A | N/A | DS5.3 |
| H.3.12 | Are vendor default passwords removed, disabled or changed prior to placing the device or system into production? | N/A | 11.2.3.h User Password Management | DS5.3 Identity management | 7.2 | 7.2 | IS.2.A.1 | DS5.3 |
| H.3.13 | Is password reset authority restricted to authorized persons and/or an automated password reset tool? | N/A | 11.2.3.c User Password Management | N/A | N/A | N/A | RPS.2.B.7 | DS5.3 |
| H.3.14 | Are users required to: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.3.14.1 | Keep passwords confidential? | N/A | 11.3.1.a Password Use | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.4 |
| H.3.14.2 | Not keep a record of passwords (paper, software file or handheld device)? | N/A | 11.3.1.b Password Use | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.4 |
| H.3.14.3 | Change passwords when there is an indication of possible system or password compromise? | N/A | 11.3.1.c Password Use | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.4 |
| H.3.14.4 | Change passwords at regular intervals? | N/A | 11.3.1.e Password Use | PO6.2 Enterprise IT risk and internal control framework | 8.5.9 | 8.5.9 | IS.2.A.4.3, E-BANK.1.4.5.5, RPS.2.C.3 | PO6.2, DS5.4 |
| H.3.14.5 | Change temporary passwords at first logon? | H.1 Password Controls | 11.3.1.f Password Use | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | E-BANK.1.4.5.9 | PO6.2, DS5.4 |
| H.3.14.6 | Not include passwords in automated logon processes (e.g., stored in a macro or function key)? | N/A | 11.3.1.g Password Use | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.4 |
| H.3.14.7 | Terminate or secure active sessions when finished? | N/A | 11.3.2.a Unattended User Equipment | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |
| H.3.14.8 | Log off terminals, PCs or servers when the session is finished? | N/A | 11.3.2.b Unattended User Equipment | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |
| H.3.14.9 | Lock (using key lock or equivalent control) when systems are unattended? | N/A | 11.3.2.c Unattended User Equipment | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |
| H.4 | Is remote access permitted into the environment? | N/A | 11.7 Mobile Computing And Teleworking | N/A | N/A | N/A | N/A | AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 |
| H.4.1 | Is there a remote access policy? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | 8.3 | 8.3 | BCP.1.4.3.7, IS.2.B.3 | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.1.1 | Has it been approved by management? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| H.4.1.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| H.4.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| H.4.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 Review Of The Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| H.4.2 | Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.4.3 | What type of hardware can users use for remote access into the network: | N/A | N/A | N/A | 8.3 | 8.3 | N/A | N/A |
| H.4.3.1 | Laptop? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.3.2 | Desktop? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.3.3 | PDA? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.3.4 | Blackberry? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.4 | Is there a process to ensure that connecting systems have the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.4.4.1 | Current patch levels? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.4.2 | Anti-virus software? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.4.3 | Current virus signature files? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.4.4 | Personal firewall? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.4.4.5 | Supported operating system? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.4.4.6 | Anti-spyware software? | N/A | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.4.7 | Supported software? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.4.4.8 | Supported hardware? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| H.4.4.9 | Encrypted communications? | N/A | 12.3.1.c Policy on the use of cryptographic controls | N/A | N/A | N/A | IS.2.B.15 | PO6, AI2, DS5 |
| H.4.5 | Is multi-factor authentication required for remote access? | H.8 Two-Factor Authentication for Remote Access | 11.7.1 Mobile Computing And Communications | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | IS.2.A.13, IS.2.B.17.3 | PO6.2, DS5.2, DS5.3, DS5.7 |
| H.4.6 | Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
                                                                                                                                                                                                                                                                       PO3.4, PO6.2, DS5.2,
H.5            Is there a teleworking policy?                                                  N/A                                 11.7.2       Teleworking                            PO3.4   Technology standards              N/A         N/A       N/A             DS5.3, DS5.7
                                                                                                                                                                                                                                                                       PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                               IT policy and control                                                   PO6.5, DS5.2, DS5.3,
H.5.1          Has it been approved by management?                                             N/A                                 5.1.1        Information Security Policy Document   PO6.1   environment                       N/A         N/A       N/A             ME2.1
                                                                                                                                                                                                                                                                       PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                               IT policy and control                                                   PO6.5, DS5.2, DS5.3,
H.5.1.1        Has the policy been published?                                                  N/A                                 5.1.1        Information Security Policy Document   PO6.1   environment                       N/A         N/A       N/A             ME2.1
                                                                                                                                                                                                                                                                       PO6.1, PO6.2, PO6.3,
                                                                                                                                                                                               IT policy and control                                                   PO6.5, DS5.2, DS5.3,
H.5.1.2        Has it been communicated to appropriate constituents?                           N/A                                 5.1.1        Information Security Policy Document   PO6.1   environment                       N/A         N/A       N/A             ME2.1

                                                                                                                                                                                                                                                                       PO3.1, PO5.3, PO5.4,
                                                                                                                                                                                                                                                                       PO6.3, PO9.4, DS5.2,
                                                                                                                                                Review Of The Information Security             Technological direction                                                 DS5.3, ME2.2, ME2.5,
H.5.1.3        Is there an owner to maintain and review the policy?                            N/A                                 5.1.2        Policy                                 PO3.1   planning                          N/A         N/A       N/A             ME2.7, ME4.7
H.5.2          Does the policy address the following:                                          N/A                                 N/A                                                 N/A                                       N/A         N/A       N/A             N/A
                                                                                                                                                                                                                                                                       PO3.4, PO6.2, DS5.2,
H.5.2.1        Equipment security?                                                             N/A                                 11.7.2       Teleworking                            PO3.4   Technology standards              N/A         N/A       N/A             DS5.3, DS5.7
                                                                                                                                                                                                                                                                       PO3.4, PO6.2, DS5.2,
H.5.2.2        Protection of data?                                                             N/A                                 11.7.2       Teleworking                            PO3.4   Technology standards              N/A         N/A       N/A             DS5.3, DS5.7
                                                                                                                                                                                                                                                                       PO3.4, PO6.2, DS5.2,
H.5.3          Is the teleworking policy consistent with the organization's security policy?   N/A                                 11.7.2       Teleworking                            PO3.4   Technology standards              N/A         N/A       N/A             DS5.3, DS5.7




SIG Question # | SIG Question Text | AUP 5.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance
 | I. Information Systems Acquisition Development & Maintenance | | | | | | | 
I.1 | Are business information systems used for processing, storing or transmitting Target Data? | N/A | 12.1.1 Security Requirements Analysis And Specification | AI1.2 Risk analysis report | N/A | N/A | N/A | AI1.2, AI2.4, AI3.2
I.1.1 | Are security requirements documented? | N/A | 12.1.1 Security Requirements Analysis And Specification | AI1.2 Risk analysis report | 12.1 | 12.1 | N/A | AI1.2, AI2.4, AI3.2
I.1.2 | Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process? | N/A | 12.1.1 Security Requirements Analysis And Specification | AI1.2 Risk analysis report | N/A | N/A | N/A | AI1.2, AI2.4, AI3.2
I.2 | Is application development performed? | N/A | 12.5 Security In Development And Support Processes | N/A | N/A | N/A | N/A | AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.1 | Are applications independently evaluated or certified by the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.1.1 | Third-party testing lab? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.1.2 | BITS Certification? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.1.3 | Internal audit? | N/A | N/A | N/A | N/A | N/A | RPS.2.C.2.9 | N/A
I.2.1.4 | Information security? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.1.5 | CMM? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.1.6 | ISO? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.1.7 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.2 | Does the application development process explicitly guard against the following: | N/A | N/A | N/A | N/A | N/A | IS.2.A.9, D&A.1.5.1.9 | N/A
I.2.2.1 | Unvalidated input? | N/A | 12.2.1.a Input Data Validation | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.2.2 | Broken access control? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.2.3 | Broken authentication? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.2.4 | Replay attacks? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.2.5 | Cross site scripting? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.2.6 | Buffer overflow? | N/A | 12.2.2.d Control Of Internal Processing | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.2.7 | Injection flaws (e.g., SQL injection)? | N/A | 12.2.2.a Control Of Internal Processing | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.2.8 | Improper error handling? | N/A | 12.2.2.c Control Of Internal Processing | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.2.9 | Data under-run / overrun? | N/A | 12.2.1 Input Data Validation | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.2.10 | Insecure storage? | N/A | 10.7.3 Information Handling Procedures | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS11.6
I.2.2.11 | Application denial of service? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.2.12 | Insecure configuration management? | N/A | N/A | N/A | N/A | N/A | IS.2.M.10.4 | N/A
I.2.2.13 | Improper application session termination? | N/A | 12.2.2.g Control Of Internal Processing | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.3 | Is an application's authenticated state maintained for every data transaction for the duration of that session? | N/A | 11.5.6 Limitation Of Connection Time | DS5.3 Identity management | N/A | N/A | IS.2.G.5 | DS5.7
I.2.4 | Does the application provide a means for re-authenticating a user? | N/A | 11.5.6 Limitation Of Connection Time | DS5.3 Identity management | N/A | N/A | N/A | DS5.7
I.2.5 | Do web-facing systems that perform authentication also require session validation for subsequent requests? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.6 | Are authorization checks present for all tiers or points in a multi-tiered application architecture? | N/A | 10.9.2.b On-Line Transactions | N/A | N/A | N/A | N/A | AC3, AC4, AC5, AC6
I.2.7 | Does application error-handling address the following: | N/A | 12.2.2 Control Of Internal Processing | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3
I.2.7.1 | Incomplete transactions? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.2 | Hung transactions? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.3 | Failed operating system calls? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.4 | Failed application calls? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.5 | Failed library calls? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.6 | PIN or password? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.7 | Transaction ID? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.8 | Subject ID? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.9 | Application ID? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.7.10 | Transaction specific elements (e.g., to / from account numbers for funds transfer)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.8 | In the event of an application audit log failure does the application: | N/A | 10.10.5 Fault Logging | AI2.3 Application control and auditability | N/A | N/A | N/A | AI2.3, DS5.7
I.2.8.1 | Generate an alert? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.8.2 | Halt processing? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.9 | Is there a Software Development Life Cycle (SDLC) process? | N/A | 12.5 Security In Development And Support Processes | N/A | N/A | N/A | IS.1.4.1.8, MGMT.1.6.1.3 | AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.9.1 | Is it documented? | N/A | 12.5 Security In Development And Support Processes | N/A | N/A | N/A | D&A.1.5.1.1 | AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.9.2 | Does the development lifecycle process include: | N/A | 12.5.1 Change Control Procedures | AI2.6 Major upgrades to existing systems | N/A | N/A | IS.2.H.2, IS.2.H.8, IS.2.H.9.1, D&A.1.5.1.4 | AI2.6, AI6.2, AI6.3, AI7.2
I.2.9.2.1 | Initiation? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.9.2.2 | Planning? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.9.2.3 | Design? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.9.2.4 | Development? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.9.2.5 | Testing? | N/A | N/A | N/A | N/A | N/A | D&A.1.9.1.6, D&A.1.13.1.1 | N/A
I.2.9.2.6 | Implementation? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
I.2.9.2.7 | Evaluation? | N/A | N/A | N/A | N/A | N/A | N/A | N/A



SIG Question # SIG Question Text                                                                 AUP 5.0 Relevance                                  ISO 27002:2005 Relevance                     COBIT 4.0 Relevance               PCI 1.1   PCI 1.2   FFIEC              COBIT 4.1 Relevance
I.2.9.2.8      Maintenance?                                                                      N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.9      Disposal?                                                                         N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
                                                                                                 I.2 Secure Systems Development Life                                                                                                                   D&A.1.9.1.7.1
I.2.9.2.10     Peer code review?                                                                 Cycle (SDLC) code reviews             N/A                                               N/A                                       N/A       N/A       IS.2.H.9.2         N/A
                                                                                                 I.2 Secure Systems Development Life
I.2.9.2.11     Information security code review?                                                 Cycle (SDLC) code reviews             N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.12     System testing?                                                                   N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.13     Integration (end-to-end) testing?                                                 N/A                                   N/A                                               N/A                                       N/A       N/A       D&A.1.9.1.7.3      N/A
I.2.9.2.14     Regression testing?                                                               N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.15     Load testing?                                                                     N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.16     Installation testing?                                                             N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.17     Migration testing?                                                                N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.18     Vulnerability testing?                                                            N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.9.2.19     Acceptance testing?                                                               N/A                                   N/A                                               N/A                                       N/A       N/A       D&A.1.9.1.7.2      N/A
I.2.9.2.20     Other (Please explain in the "Additional Information" column)?                    N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.10         Are there different source code repositories for production and non-production?   N/A                                   12.4.3.a     Access Control To Program Source Code   AI2.4   Application security and availability   N/A       N/A       N/A                AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.11         Do support personnel have access to program source libraries?                     N/A                                   12.4.3.c     Access Control To Program Source Code   AI2.4   Application security and availability   N/A       N/A       IS.2.G.1           AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.12         Is all access to program source libraries logged?                                 N/A                                   12.4.3.f     Access Control To Program Source Code   AI2.4   Application security and availability   N/A       N/A       IS.2.H.7           AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.13         Are change control procedures required for all changes to the production environment?   N/A   12.4.3.g     Access Control To Program Source Code   AI2.4   Application security and availability   N/A       N/A       IS.1.7.8, D&A.1.5.1.10, D&A.1.6.1.12   AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.14         Is the sensitivity of an application explicitly identified and documented?        N/A                                   11.6.2.a     Sensitive System Isolation   AI1.2   Risk analysis report   N/A       N/A       N/A                AI1.2, AI2.4, DS5.7, DS5.10, DS5.11
I.2.15         Is there a process to ensure that application code is digitally signed for the following:   N/A   12.3.1.B     Policy On The Use Of Cryptographic Controls   PO6.2   Enterprise IT risk and internal control framework   N/A       N/A       N/A                PO6, AI2, DS5
I.2.15.1       Internally developed applications?                                                N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.15.2       Applications developed for external / client use?                                 N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.15.3       Internal applications developed by a third party?                                 N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.15.4       External / client applications developed by a third party?                        N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.16         Do applications log the following:                                                N/A                                   10.10.1      Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       IS.2.G.7, IS.2.L.4   AI2.3, DS5.7
I.2.16.1       Access?                                                                           N/A                                   10.10.1.e    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.2       Originator user ID?                                                               N/A                                   10.10.1.a    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.3       Event / transaction time?                                                         N/A                                   10.10.1.b    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.4       Event / transaction status?                                                       N/A                                   10.10.1.b    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.5       Authentication?                                                                   N/A                                   10.10.1.b    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.6       Event / transaction type?                                                         N/A                                   10.10.1.b    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.7       Target Data access?                                                               N/A                                   10.10.1.e    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.8       Target Data transformations?                                                      N/A                                   10.10.1.e    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.16.9       Target Data delivery?                                                             N/A                                   10.10.1.e    Audit Logging                        AI2.3   Application control and auditability   N/A       N/A       N/A                AI2.3, DS5.7
I.2.17         Are application sessions set to time out:                                         N/A                                   11.5.5       Session Time-Out                     DS5.3   Identity management               N/A       N/A       N/A                DS5.7
I.2.17.1       15 minutes?                                                                       N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.17.2       16 to 30 minutes?                                                                 N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.17.3       31 to 60 minutes?                                                                 N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.17.4       61+ minutes?                                                                      N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.17.5       Never?                                                                            N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.18         Is application development performed by:                                          N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.18.1       Internal developers onshore?                                                      N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.18.2       Internal developers offshore?                                                     N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.18.3       Third party / outsourced developers onshore?                                      N/A                                   12.5.5       Outsourced Software Development      PO8.3   Development and acquisition standards   N/A       N/A       N/A                PO8.3, AI2.7, AI5.2, DS2.4, PO8
I.2.18.4       Third party / outsourced developers offshore?                                     N/A                                   12.5.5       Outsourced Software Development      PO8.3   Development and acquisition standards   N/A       N/A       N/A                PO8.3, AI2.7, AI5.2, DS2.4, PO8
I.2.19         Is there access control to protect the following:                                 N/A                                   12.4.3       Access Control To Program Source Code   AI2.4   Application security and availability   N/A       N/A       N/A                AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.19.1       Source code?                                                                      N/A                                   12.4.3       Access Control To Program Source Code   AI2.4   Application security and availability   N/A       N/A       N/A                AI2.4, AI7.4, AI7.6, DS11.3, DS11.6
I.2.19.2       Binaries?                                                                         N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.19.3       Databases?                                                                        N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.19.4       Test data?                                                                        N/A                                   12.4.2.a     Protection Of System Test Data       AI3.3   Infrastructure maintenance        N/A       N/A       N/A                AI3.3, DS2.4, DS9.1, DS9.2, DS11.6
I.2.20         Are the following components for version management segregated:                   N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.20.1       Code?                                                                             N/A                                   12.4.1.b     Control Of Operational Software      DS5.7   Protection of security technology   N/A       N/A       N/A                DS5.7, DS9.1
I.2.20.2       Data?                                                                             N/A                                   N/A                                               N/A                                       N/A       N/A       N/A                N/A
I.2.20.3       Environment (e.g., production, test, QA, etc.)?                                   N/A                                   12.4.1       Control Of Operational Software      DS5.7   Protection of security technology   N/A       N/A       D&A.1.9.1.6.5      DS5.7, DS9.1
I.2.21         Do changes to applications or application code go through the following:        N/A                                   12.5.1       Change Control Procedures           AI2.6     Major upgrades to existing systems   N/A       N/A       N/A              AI2.6, AI6.2, AI6.3, AI7.2
I.2.21.1       Formal documented risk assessment process?                                      N/A                                   12.5.1.c     Change Control Procedures           AI2.6     Major upgrades to existing systems   N/A       N/A       N/A              AI2.6, AI6.2, AI6.3, AI7.2
I.2.21.2       Information security review?                                                    N/A                                   N/A                                              N/A                                    N/A       N/A       N/A              N/A
I.2.21.3       Information security approval?                                                  N/A                                   N/A                                              N/A                                    N/A       N/A       N/A              N/A
I.2.21.4       Application testing?                                                            N/A                                   12.5.1       Change Control Procedures           AI2.6     Major upgrades to existing systems   N/A       N/A       N/A              AI2.6, AI6.2, AI6.3, AI7.2
                                                                                                                                                                                                                                                                  AI3.3, DS2.4, DS9.1,
I.2.22         Is Target Data ever used in the test, development, or QA environments?          N/A                                   12.4.2