Info_sec_workprogram (printed 8/7/2019)
Information Security Booklet, July 2006
FFIEC IT Examination Handbook, Page 1

INFORMATION SECURITY WORKPROGRAM

EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution's risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution's systems. The objectives and procedures are divided into Tier I and Tier II:

- Tier I assesses an institution's process for identifying and managing risks.
- Tier II provides additional verification where risk warrants it.

Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.
TIER I PROCEDURES

Objective 1: Determine the appropriate scope for the examination.

Work Paper Reference | Comment

1. Review past reports for outstanding issues or previous problems. Consider:
   - Regulatory reports of examination
   - Internal and external audit reports
   - Independent security tests
   - Regulatory, audit, and security reports from service providers

2. Review management's response to issues raised since the last examination. Consider:
   - Adequacy and timing of corrective action
   - Resolution of root causes rather than just specific issues
   - Existence of any outstanding issues
3. Interview management and review examination information to identify changes to the technology infrastructure or new products and services that might increase the institution's risk from information security issues. Consider:
   - Products or services delivered to either internal or external users
   - Network topology, including changes to configuration or components
   - Hardware and software listings
   - Loss or addition of key personnel
   - Technology service providers and software vendor listings
   - Changes to internal business processes
   - Key management changes
   - Internal reorganizations

4. Determine the existence of new threats and vulnerabilities to the institution's information security. Consider:
   - Changes in technology employed by the institution
   - Threats identified by institution staff
   - Known threats identified by information sharing and analysis organizations and other non-profit and commercial organizations
   - Vulnerabilities raised in security testing reports
QUANTITY OF RISK

Objective 2: Determine the complexity of the institution's information security environment.

1. Review the degree of reliance on service providers for information processing and technology support, including security management. Review evidence that service providers of information processing and technology participate in an appropriate industry Information Sharing and Analysis Center (ISAC).

2. Identify unique products and services and any required third-party access requirements.

3. Determine the extent of network connectivity internally and externally, and the boundaries and functions of security domains.

4. Identify the systems that have recently undergone significant change, such as new hardware, software, configurations, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the role of those processes in funds transfers.

5. Evaluate management's ability to control security risks given the frequency of changes to the computing environment.
6. Evaluate security maintenance requirements and the extent of historical security issues with installed hardware and software.

7. Identify whether external standards are used as a basis for the security program, and the extent to which management tailors the standards to the financial institution's specific circumstances.

8. Determine the size and quality of the institution's security staff. Consider:
   - Appropriate security training and certification
   - Adequacy of staffing levels and impact of any turnover
   - Extent of background investigations
   - Available time to perform security responsibilities
QUALITY OF RISK MANAGEMENT

Objective 3: Determine the adequacy of the risk assessment process.

1. Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has:
   - Identified and ranked information assets (e.g., data, systems, physical locations) according to a rigorous and consistent methodology that considers the risks to customer non-public information as well as the risks to the institution,
   - Identified all reasonably foreseeable threats to the financial institution's assets,
   - Analyzed its technical and organizational vulnerabilities, and
   - Considered the potential effect of a security breach on customers as well as the institution.

2. Determine whether the risk assessment provides adequate support for the security strategy, controls, and monitoring that the financial institution has implemented.

3. Evaluate the risk assessment process for the effectiveness of the following key practices:
   - Multidisciplinary and knowledge-based approach
   - Systematic and centrally controlled
   - Integrated process
   - Accountable activities
   - Documented
   - Knowledge enhancing
   - Regularly updated

4. Identify whether the institution effectively updates the risk assessment prior to making system changes, implementing new products or services, or confronting new external conditions that would affect the risk analysis. Identify whether, in the absence of the above factors, the risk assessment is reviewed at least once a year.
Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution.

1. Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures.
   - Authentication and Authorization
     - Acceptable-use policy that dictates the appropriate use of the institution's technology, including hardware, software, networks, and telecommunications.
     - Administration of access rights at enrollment, when duties change, and at employee separation.
     - Appropriate authentication mechanisms, including token-based systems, digital certificates, or biometric controls, and related enrollment and maintenance processes as well as database security.
   - Network Access
     - Security domains
     - Perimeter protections, including firewalls, malicious code prevention, outbound filtering, and security monitoring.
     - Appropriate application access controls
     - Remote access controls, including wireless, VPN, modems, and Internet-based
   - Host Systems
     - Secure configuration (hardening)
     - Operating system access
     - Application access and configuration
     - Malicious code prevention
     - Logging
     - Monitoring and updating
   - User Equipment
     - Secure configuration (hardening)
     - Operating system access
     - Application access and configuration
     - Malicious code prevention
     - Logging
     - Monitoring and updating
   - Physical controls over access to hardware, software, storage media, paper records, and facilities
   - Encryption controls
   - Malicious code prevention
   - Software development and acquisition, including processes that evaluate the security features and software trustworthiness of code being developed or acquired, as well as change control and configuration management.
   - Personnel security
   - Media handling procedures and restrictions, including procedures for securing, transmitting, and disposing of paper and electronic information
   - Service provider oversight
   - Business continuity
   - Insurance

2. Evaluate the policies against the following key actions:
   - Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
   - Enforcing with security tools and sanctions;
   - Delineating the areas of responsibility for users, administrators, and managers;
   - Communicating in a clear, understandable manner to all concerned;
   - Obtaining employee certification that they have read and understood the policy;
   - Providing flexibility to address changes in the environment; and
   - Conducting annually a review and approval by the board of directors.
Objective 5: Evaluate the security-related controls embedded in vendor management.

1. Evaluate the sufficiency of security-related due diligence in service provider research and selection.

2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls, and reporting.

3. Evaluate the appropriateness of nondisclosure agreements regarding the institution's systems and data.

4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service provider's security are supported by the financial institution's risk assessment.

5. Evaluate the adequacy of incident response policies and contractual notification requirements in light of the risk of the outsourced activity.
Objective 6: Determine the adequacy of security monitoring.

1. Obtain an understanding of the institution's monitoring plans and activities, including both activity monitoring and condition monitoring.

2. Identify the organizational unit and personnel responsible for performing the functions of a security response center.
3. Evaluate the adequacy of information used by the security response center. Information should include external information on threats and vulnerabilities (ISAC and other reports) and internal information related to controls and activities.

4. Obtain and evaluate the policies governing security response center functions, including monitoring, classification, escalation, and reporting.

5. Evaluate the institution's monitoring plans for appropriateness given the risks of the institution's environment.

6. Where metrics are used, evaluate the standards used for measurement, the information measures and repeatability of measured processes, and the appropriateness of the measurement scope.

7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing.

8. For independent tests, evaluate the degree of independence between the persons testing security and the persons administering security.
9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the adequacy and timing of corrective action.

10. Evaluate the institution's policies and program for responding to unauthorized access to customer information, considering guidance in Supplement A to the Section 501(b) GLBA information security guidelines.

11. If the institution experienced unauthorized access to sensitive customer information, determine that it:
   - Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;
   - Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;
   - Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and
   - Appropriately notified its primary federal regulator.
Objective 7: Evaluate the effectiveness of enterprise-wide security administration.

1. Review board and committee minutes and reports to determine the level of senior management support of and commitment to security.
2. Determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information, and systems.

3. Review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities.

4. Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others.

5. Determine whether the individual or department responsible for ensuring compliance with security policies has sufficient position and authority within the organization to implement the corrective action.

6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and revocation of user rights).

7. Evaluate the adequacy of automated tools to support secure configuration management, security monitoring, policy monitoring, enforcement, and reporting.

8. Evaluate management's ability to effectively control the pace of change to its environment, including the process used to gain assurance that changes to be made will not pose undue risk in a production environment. Consider the definition of security requirements for the changes, appropriateness of staff training, quality of testing, and post-change monitoring.

9. Evaluate coordination of incident response policies and contractual notification requirements.
CONCLUSIONS

Objective 8: Discuss corrective action and communicate findings.

1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.

2. Review your preliminary conclusions with the EIC (examiner-in-charge) regarding:
   - Violations of law, rulings, regulations,
   - Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,
   - Potential impact of your conclusions on composite or component IT ratings, and
   - Potential impact of your conclusions on the institution's risk assessment.

3. Discuss your findings with management and obtain proposed corrective action for significant deficiencies.

4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners.

5. Organize your work papers to ensure clear support for significant findings by examination objective.
TIER II OBJECTIVES AND PROCEDURES

The Tier II examination procedures for information security provide additional verification procedures to evaluate the effectiveness of, and identify potential root causes for weaknesses in, a financial institution's security program. These procedures are designed to assist in achieving examination objectives and may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. For instance, if additional verification is necessary for firewall practices, the examiner may find it necessary to select some of the procedures from the authentication, network security, host security, and physical security areas to create a customized examination procedure. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the security issues found in other workprograms.

The procedures provided below should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's information system. Thus, the controls necessary for any single institution or any given area of a given institution may differ from the specifics that can be inferred from the following procedures.

A. AUTHENTICATION AND ACCESS CONTROLS

Access Rights Administration

1. Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution.
   - Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements.
   - Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties.
   - Determine whether access rights are the minimum necessary for business purposes. If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls.
   - Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis.

2. Determine whether the user registration and enrollment process:
   - Uniquely identifies the user,
   - Verifies the need to use the system according to appropriate policy,
   - Enforces a unique user ID,
   - Assigns and records the proper security attributes (e.g., authorization),
   - Enforces the assignment or selection of an authenticator that agrees with the security policy,
   - Securely distributes any initial shared secret authenticator or token, and
   - Obtains acknowledgement from the user of acceptance of the terms of use.

3. Determine whether employees' levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities.
4. Determine that administrator or root privilege access is appropriately monitored, where appropriate. Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.

5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.
   - Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed. Include former employees and temporary access for remote access and contract workers in the review.
   - Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).
   - Determine whether access rights expire after a predetermined period of inactivity.
   - Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper. Determine whether necessary changes were made as a result of that review.
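The following is an added example (it is not part of the booklet and not an FFIEC tool) of the kind of periodic access review item 5 calls for, run over a constructed account population. It flags the four conditions the procedure names: leavers and expired contractors who still hold entitlements, accounts idle past the inactivity limit, and entitlements beyond what the role needs. The record layout, the role baseline, and the 90-day inactivity limit are assumptions chosen for illustration.

```python
"""Access-rights review for item 5 above. Added example, not from the booklet;
the record layout, ROLE_BASELINE and the 90-day limit are assumed values."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy value
AS_OF = date(2019, 8, 7)                # review date used by the sample run

# Assumed baseline: the entitlements each role needs, and nothing more
ROLE_BASELINE = {
    "teller":   {"core:read", "core:update"},
    "auditor":  {"core:read", "logs:read"},
    "sysadmin": {"core:read", "os:root", "logs:read"},
}

@dataclass
class Account:
    user: str
    status: str                     # "active", "terminated" or "contractor"
    role: str
    entitlements: set[str]
    last_login: date | None
    contract_end: date | None = None

def review_access(accounts: list[Account], as_of: date) -> list[tuple[str, str]]:
    """Return (user, finding) pairs; an account with no finding is not listed."""
    findings = []
    for a in accounts:
        # Leavers first: any remaining entitlement is a finding on its own
        if a.status == "terminated" and a.entitlements:
            findings.append((a.user, "terminated user still holds entitlements"))
            continue
        if (a.status == "contractor" and a.contract_end is not None
                and a.contract_end < as_of and a.entitlements):
            findings.append((a.user, "contract ended but access not removed"))
            continue
        # Inactivity: never logged in, or idle longer than the limit
        if a.last_login is None or as_of - a.last_login > INACTIVITY_LIMIT:
            findings.append((a.user, "inactive beyond limit; access should have expired"))
        # Least privilege: anything beyond the role baseline needs a documented reason
        excess = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if excess:
            findings.append((a.user, "entitlements beyond role baseline: " + ", ".join(sorted(excess))))
    return findings

# Constructed sample population (not real data)
SAMPLE = [
    Account("alice", "active", "teller", {"core:read", "core:update"}, date(2019, 8, 1)),
    Account("bob", "terminated", "teller", {"core:read"}, date(2019, 3, 1)),
    Account("carol", "active", "auditor", {"core:read", "logs:read", "os:root"}, date(2019, 7, 30)),
    Account("dan", "contractor", "teller", {"core:read"}, date(2019, 8, 2), contract_end=date(2019, 6, 30)),
    Account("erin", "active", "teller", {"core:read"}, date(2019, 1, 10)),
]

def sample_findings() -> list[tuple[str, str]]:
    return review_access(SAMPLE, AS_OF)

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

The review is deliberately strict about leavers: a terminated user with any entitlement is reported regardless of how recently the account was used, because the procedure asks for prompt elimination, not eventual expiry. Excess entitlements are reported even when the account is otherwise healthy, so the examiner can ask for the compensating control item 1 refers to.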
6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., Domain Name System), and other programs.

7. Compare the access control rules establishment and assignment processes to the access control policy for consistency.

8. Determine whether users are aware of the authorized uses of the system.
   - Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?
   - Is contractor usage appropriately detailed and controlled through the contract?
   - Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate?
Authentication

1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.

2. Determine whether access to system administrator level is adequately controlled and monitored.

3. Evaluate whether the authentication method selected and implemented is appropriately supported by a risk assessment.

4. Evaluate the effectiveness of password and shared-secret administration for employees and customers, considering the complexity of the processing environment and type of information accessed. Consider:
   - Confidentiality of passwords and shared secrets (whether only known to the employee/customer);
   - Maintenance of confidentiality through reset procedures;
   - The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other user's intervention);
   - Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy);
   - The strength of shared secret authentication mechanisms;
   - Restrictions on duplicate shared secrets among users (no restrictions should exist: rejecting a new password because another user already has it would disclose that user's password); and
   - The extent of authorized access (e.g., privileged access, single sign-on systems).
5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure.
   - Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls.
   - Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area.

6. Determine whether passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases. Evaluate the appropriateness of such storage and the associated protective mechanisms.
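As an added example (not code from the booklet or from any FFIEC tool) of what the "one-way hash" check in item 5 should find in an authenticator store, the block below places an unsalted single-pass hash beside a salted, iterated one and verifies a password against the latter in constant time. It also shows why the duplicate-secret point in item 4 falls out naturally: with per-user salts, two users holding the same password produce different records, so the store cannot be used to detect duplicates even if someone wanted to. The record format, iteration count, and salt length are assumptions for illustration.

```python
"""Authenticator storage: unsalted fast hash beside a salted, iterated hash.
Added example, not from the booklet; ITERATIONS, SALT_BYTES and the record
format are assumed values."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed; tune to the host's budget
SALT_BYTES = 16        # assumed

def store_weak(password: str) -> str:
    # Unsalted, single-pass hash: anyone who can read the store can attack it
    # with precomputed tables, and equal passwords yield equal records.
    return hashlib.sha256(password.encode()).hexdigest()

def store_strong(password: str) -> str:
    # Fresh random salt per record, then a deliberately slow key derivation.
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_strong(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False   # unknown or malformed record: refuse rather than guess
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def records_reveal_duplicates(records) -> bool:
    """True if two users with the same password can be spotted from the store alone."""
    return len(set(records)) < len(records)

if __name__ == "__main__":
    pw = "Summer2006!"   # constructed sample password
    weak = [store_weak(pw), store_weak(pw)]
    strong = [store_strong(pw), store_strong(pw)]
    print("weak store reveals duplicates:", records_reveal_duplicates(weak))
    print("strong store reveals duplicates:", records_reveal_duplicates(strong))
    print("verify correct/wrong:", verify_strong(pw, strong[0]), verify_strong("wrong", strong[0]))
```

When reviewing a real store, the examiner's question is the one `verify_strong` embodies: can the stored value be checked only by re-deriving it from the candidate password, or can it be read back to the clear text (reversible encryption, or no transformation at all)? Only the former satisfies the "one-way" wording of the procedure.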
7. Determine whether unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately investigated. Attacks on shared-secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords, or multiple usernames and the same password.

8. Determine whether authentication error feedback (i.e., reporting failure to successfully log in) during the authentication process provides prospective attackers clues that may allow them to hone their attack (for example, a message that distinguishes an unknown username from a wrong password). If so, obtain and evaluate a justification for such feedback.
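The two attack shapes item 7 names can be told apart from an authentication log without seeing any password, and the block below does so as an added example (not from the booklet). Many failures against one account from one source is the "same username, multiple passwords" case; a single failure against each of many accounts from one source is the "multiple usernames, same password" case, which per-account lockout never catches. The log line format, the constructed log, and both thresholds are assumptions.

```python
"""Failed-login pattern detection for the two attack shapes in item 7 above.
Added example, not from the booklet; the line format, the sample log and the
two thresholds are assumed."""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

BRUTE_FORCE_FAILS = 5      # assumed: failures on one account from one source
SPRAY_DISTINCT_USERS = 4   # assumed: distinct accounts failed from one source

def parse(lines):
    """Yield one dict per well-formed line; anything else is ignored."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def classify(events):
    """Return {src: set(labels)} for sources whose failure pattern matches an attack shape."""
    per_user = defaultdict(int)   # (src, user) -> failure count
    users = defaultdict(set)      # src -> accounts that failed at least once
    for e in events:
        if e["result"] != "FAIL":
            continue
        per_user[(e["src"], e["user"])] += 1
        users[e["src"]].add(e["user"])
    verdicts = defaultdict(set)
    # Brute force is narrow and deep: one account, many tries
    for (src, user), n in per_user.items():
        if n >= BRUTE_FORCE_FAILS:
            verdicts[src].add(f"brute-force:{user}")
    # Spraying is wide and shallow: many accounts, at most a couple of tries each
    for src, names in users.items():
        if len(names) >= SPRAY_DISTINCT_USERS and max(per_user[(src, u)] for u in names) <= 2:
            verdicts[src].add("password-spray")
    return dict(verdicts)

def detect(log_text: str) -> dict:
    return classify(parse(log_text.splitlines()))

# Constructed sample log (not captured from any system)
SAMPLE_LOG = """\
2019-08-07T09:00:01 src=203.0.113.5 user=alice result=FAIL
2019-08-07T09:00:02 src=203.0.113.5 user=alice result=FAIL
2019-08-07T09:00:03 src=203.0.113.5 user=alice result=FAIL
2019-08-07T09:00:04 src=203.0.113.5 user=alice result=FAIL
2019-08-07T09:00:05 src=203.0.113.5 user=alice result=FAIL
2019-08-07T09:01:00 src=198.51.100.9 user=alice result=FAIL
2019-08-07T09:01:01 src=198.51.100.9 user=bob result=FAIL
2019-08-07T09:01:02 src=198.51.100.9 user=carol result=FAIL
2019-08-07T09:01:03 src=198.51.100.9 user=dan result=FAIL
2019-08-07T09:02:10 src=192.0.2.7 user=bob result=FAIL
2019-08-07T09:02:25 src=192.0.2.7 user=bob result=OK
"""

if __name__ == "__main__":
    for src, labels in detect(SAMPLE_LOG).items():
        print(src, sorted(labels))
```

The third source in the sample (two failures, then success) is a typing mistake, not an attack, and is reported as neither; the thresholds are what keep the two out of each other's way, so they are the values an examiner should ask the institution to justify.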
9. Determine whether adequate controls exist to protect against replay attacks and hijacking.

10. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors.

11. Determine whether PKI-based authentication mechanisms:
   - Securely issue and update keys,
   - Securely unlock the secret key,
   - Provide for expiration of keys at an appropriate time period,
   - Ensure the certificate is valid before acceptance,
   - Update the list of revoked certificates at an appropriate frequency,
   - Employ appropriate measures to protect private and root keys, and
   - Appropriately log use of the root key.

12. Determine that biometric systems:
   - Have an adequately strong and reliable enrollment process,
   - Adequately protect against the presentation of forged credentials (e.g., address replay attacks), and
   - Are appropriately tuned for false accepts/false rejects.

13. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines.
14. Review authenticator reissuance and reset procedures. Determine whether controls adequately mitigate risks from:
   - Social engineering,
   - Errors in the identification of the user, and
   - Inability to re-issue on a large scale in the event of a mass compromise.

B. NETWORK SECURITY

1. Evaluate the adequacy and accuracy of the network architecture.
   - Obtain a schematic overview of the financial institution's network architecture.
   - Review procedures for maintaining current information, including inventory reporting of how new hardware is added and old hardware is removed.
   - Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems.

2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution's network.
   - Review network architecture policies and procedures to establish new, or change existing, network connections and equipment.
   - Identify controls used to prevent unauthorized deployment of network connections and equipment.
   - Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.

3. Evaluate controls over the management of remote equipment.

4. Determine whether effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment.

5. Determine whether external servers are appropriately isolated through placement in demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks, public servers, and internal networks.

6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations.

7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs.
8. Determine that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions.

9. Evaluate the appropriateness of technical controls mediating access between security domains. Consider:
   - Firewall topology and architecture;
   - Type(s) of firewall(s) being utilized;
   - Physical placement of firewall components;
   - Monitoring of firewall traffic;
   - Firewall updating;
   - Responsibility for monitoring and updating firewall policy;
   - Placement and monitoring of network monitoring and protection devices, including intrusion detection system (IDS) and intrusion prevention system (IPS) functionality; and
   - Contingency planning.

10. Determine whether firewall and routing controls are in place and updated as needs warrant.
   - Identify personnel responsible for defining and setting firewall rulesets and routing controls.
   - Review procedures for updating and changing rulesets and routing controls.
   - Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall's capabilities for identifying and blocking traffic are effectively utilized.
   - Confirm that network mapping through the firewall is disabled.
   - Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users.
   - Confirm that malicious code is effectively filtered.
   - Confirm that firewalls are backed up to external media, and not to servers on protected networks.
   - Determine that firewalls and routers are subject to appropriate and functioning host controls.
   - Determine that firewalls and routers are securely administered.
   - Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk.
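The "not expressly allowed is denied" check in item 10 is mechanical enough to script, and the block below does so as an added example (not from the booklet or from any firewall vendor). It reads a simplified first-match ruleset, confirms the policy ends in an explicit deny-all, flags any blanket allow, and reports rules that can never fire because an earlier rule already covers every packet they would match. Shadowed rules matter to the examiner because they show the ruleset has drifted from what its authors believe it does. The rule syntax ("action src dst port") and both sample rulesets are assumptions.

```python
"""Ruleset review for the firewall checks in item 10 above. Added example, not
from the booklet; the rule syntax and sample rulesets are assumed."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # destination port number or "any"

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
DENY_ALL = Rule("deny", "any", "any", "any")
ALLOW_ALL = Rule("allow", "any", "any", "any")

def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(action, src, dst, port))
    return rules

def _net(s: str):
    return ANY_NET if s == "any" else ipaddress.ip_network(s)

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that rule b matches, rule a matches too."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.port == "any" or a.port == b.port))

def review(rules: list) -> list:
    findings = []
    # Default-deny: nothing reaches the end of the list without being dropped
    if not rules or rules[-1] != DENY_ALL:
        findings.append("no explicit final deny-all: policy is not default-deny")
    for i, r in enumerate(rules):
        if r == ALLOW_ALL:
            findings.append(f"rule {i}: blanket allow")
        # First-match semantics: a rule fully covered by an earlier one never fires
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, r):
                findings.append(f"rule {i} shadowed by rule {j}")
                break
    return findings

# Constructed rulesets (not from any real firewall)
GOOD_RULESET = """
allow any 192.0.2.10/32 443
allow 10.0.0.0/8 any any
allow 10.1.0.0/16 192.0.2.20/32 22
deny any any any
"""
BAD_RULESET = "allow any any any\n"

def review_samples():
    return review(parse_rules(GOOD_RULESET)), review(parse_rules(BAD_RULESET))

if __name__ == "__main__":
    for name, result in zip(("good", "bad"), review_samples()):
        print(name, result or ["no findings"])
```

In the first sample the third rule is dead: the second already lets all of 10.0.0.0/8 go anywhere, so the narrower SSH rule that follows it adds nothing and, if someone later tightens the second rule, will silently start mattering. The second sample has no final deny and allows everything, which is what the procedure's wording is meant to rule out.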
11. Determine whether network-based IDSs are properly coordinated with firewalls (see Security Monitoring procedures).
12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place.

13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.

14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress.
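The ingress and egress halves of item 14 are two different questions, and the added example below (not from the booklet) states each as a rule and runs a constructed trace through them. Ingress: a packet arriving from the Internet must not claim one of the institution's own addresses, or a private or otherwise unroutable one, because nothing legitimate outside can have it. Egress: a packet leaving must carry one of the institution's own addresses, so a compromised internal host cannot be used to spoof a third party. The address plan and the trace are assumptions.

```python
"""Anti-spoofing filter check for item 14 above. Added example, not from the
booklet; INTERNAL, BOGONS and SAMPLE_TRACE are assumed values."""
import ipaddress

# Assumed institution address plan
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Sources that have no business arriving from the Internet
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def _in(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def ingress_verdict(src: str) -> str:
    """Packet from the Internet: drop if it claims an internal or bogon source."""
    return "drop" if _in(src, INTERNAL + BOGONS) else "pass"

def egress_verdict(src: str) -> str:
    """Packet to the Internet: pass only if its source is one of ours."""
    return "pass" if _in(src, INTERNAL) else "drop"

def audit(packets):
    """packets: (direction, src) pairs, direction "in" or "out". Returns the drops."""
    dropped = []
    for direction, src in packets:
        verdict = ingress_verdict(src) if direction == "in" else egress_verdict(src)
        if verdict == "drop":
            dropped.append((direction, src))
    return dropped

# Constructed trace (not captured traffic)
SAMPLE_TRACE = [
    ("in",  "203.0.113.9"),    # genuine Internet source: pass
    ("in",  "10.2.3.4"),       # claims our internal range from outside: drop
    ("in",  "192.168.1.20"),   # private source arriving from outside: drop
    ("out", "10.2.3.4"),       # our own address leaving: pass
    ("out", "198.51.100.1"),   # not ours, leaving: an inside host is spoofing: drop
]

def sample_drops():
    return audit(SAMPLE_TRACE)

if __name__ == "__main__":
    for direction, src in sample_drops():
        print(f"drop {direction} {src}")
```

The "within the network" part of the procedure is the same egress rule applied at each internal segment boundary with that segment's own prefixes in place of INTERNAL; the two functions do not change, only the list they consult.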
15. Determine whether appropri-ate controls exist over theconfidentiality and integrityof data transmitted over thenetwork (e.g. encryption, par-ity checks, message authenti-cation).
16. Determine whether appropri-ate notification is made of re-quirements for authorizeduse, through banners or other means.
-
8/7/2019 Info_sec_workprogram
28/51
Information Security Booklet July 2006
FFIEC IT Examination Handbook P ag e 28
Work PaperReference Comment
17. Determine whether remote
access devices and network access points for remoteequipment are appropriatelycontrolled. Remote access is disabled by default, and enabled on-ly by management authori-zation.
Management authorizationis required for each user who accesses sensitivecomponents or data remote-
ly. Authentication is of appro- priate strength (e.g., two-factor for sensitive compo-nents).
Modems are authorized,configured, and managed toappropriately mitigaterisks.
Appropriate logging andmonitoring takes place.
Remote access devices areappropriately secured andcontrolled by the institu-tion.
18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network.
C. HOST SECURITY
1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied.
2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable.
3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place.
4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment.
5. Determine whether remotely configurable hosts are configured for secure remote administration.
6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals.
7. Determine whether access to utilities on the host is appropriately restricted and monitored.
8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up. (Coordinate with the procedures listed in Security Monitoring.)
9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period.
10. Determine whether vulnerability testing takes place after each configuration change.
11. Determine whether appropriate notification is made of authorized use, through banners or other means.
12. Determine whether authoritative copies of host configuration and public server content are maintained off line.
13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
14. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service.
D. USER EQUIPMENT SECURITY (E.G., WORKSTATION, LAPTOP, HANDHELD)
1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment.
2. Determine whether user equipment is configured either for secure remote administration or for no remote administration.
3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place.
4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices.
5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel.
6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means.
7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms.
E. PHYSICAL SECURITY
1. Determine whether physical security for information technology assets is coordinated with other security functions.
2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal.
3. Determine whether
- Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process;
- Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and
- Authorizations can be revoked in a practical and timely manner.
4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas (halon production has been phased out under the Montreal Protocol, so newer installations generally use clean-agent alternatives), computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices.
F. PERSONNEL SECURITY
1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employee's authority over the institution's systems and information.
2. Determine whether the institution includes in its terms and conditions of employment the employee's responsibilities for information security.
3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements.
4. Determine whether the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency, and that institution employees certify periodically as to their understanding and awareness of the policy and procedures.
5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions.
6. Determine whether an appropriate disciplinary process for security violations exists and is functioning.
G. APPLICATION SECURITY
1. Determine whether software storage, including program source, object libraries, and load modules, is appropriately secured against unauthorized access.
2. Determine whether user input is validated appropriately (e.g., character set, length, format) before it is used, preferably by checking it against an allowlist of what the field may contain rather than a denylist of known-bad values.
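The following is an added example of the validation item 2 describes (written for this page, not taken from the booklet or any institution's code). Field names, patterns and length limits are assumptions chosen for illustration; the point is the order of operations: canonicalize first, then enforce length, then reject control characters, then match the whole value against an allowlist pattern.

```python
import re
import unicodedata

# Constructed field rules (assumptions for the example): an allowlisted
# pattern applied to the whole value and a maximum length in characters.
FIELD_RULES = {
    "account_no": {"pattern": r"[0-9]{8,12}", "max_len": 12},
    "surname":    {"pattern": r"[A-Za-z][A-Za-z' -]*", "max_len": 40},
    "amount":     {"pattern": r"[0-9]{1,9}(\.[0-9]{2})?", "max_len": 12},
}


class ValidationError(ValueError):
    pass


def validate_field(name, raw):
    """Return the canonical, validated value or raise ValidationError.

    Canonicalize before checking so the checks see the same characters the
    application will use; a look-alike encoding must not bypass the pattern.
    """
    rule = FIELD_RULES[name]
    if not isinstance(raw, str):
        raise ValidationError(f"{name}: not a string")
    # NFKC folds compatibility forms (full-width digits, ligatures) to their
    # plain equivalents. Whether to fold or to reject them is a policy choice;
    # folding is shown here.
    value = unicodedata.normalize("NFKC", raw)
    if len(value) > rule["max_len"]:
        raise ValidationError(f"{name}: exceeds {rule['max_len']} characters")
    # Unicode categories starting with C are control, format, private-use
    # and unassigned code points; none of them belong in these fields.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        raise ValidationError(f"{name}: control character present")
    # fullmatch anchors both ends; a bare re.match would accept trailing junk.
    if not re.fullmatch(rule["pattern"], value):
        raise ValidationError(f"{name}: does not match allowed format")
    return value


def validate_record(record):
    """Validate every expected field; reject missing or unexpected ones."""
    unknown = set(record) - set(FIELD_RULES)
    missing = set(FIELD_RULES) - set(record)
    if unknown or missing:
        raise ValidationError(f"unexpected={sorted(unknown)} missing={sorted(missing)}")
    return {k: validate_field(k, record[k]) for k in FIELD_RULES}


if __name__ == "__main__":
    print(validate_record({"account_no": "12345678", "surname": "O'Brien", "amount": "10.00"}))
    for bad in ("Smith\x00", "Smith; DROP TABLE accounts"):
        try:
            validate_field("surname", bad)
        except ValidationError as e:
            print("rejected:", e)
```

Length is checked in characters after normalization because a database or downstream parser sees the normalized form; if the storage limit is in bytes, check the encoded length as well. Rejecting unexpected fields closes the mass-assignment hole where an attacker adds a field (such as a role) that the form never presented.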
3. Determine whether appropriate message authentication takes place (i.e., the application can verify that a received message originated from the claimed sender and was not altered or replayed in transit).
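Network item 15 and application item 3 both ask for message authentication. The following is an added example (written for this page, not from the booklet) of the usual construction: an HMAC-SHA256 tag over a canonical encoding of the message together with a sequence number and timestamp, verified with a constant-time comparison and a replay check. The key, the JSON envelope layout, the 300-second skew window and the sample payment message are assumptions made for the example.

```python
import hashlib
import hmac
import json
import time


def _canonical(envelope):
    # Deterministic encoding: key order and separators fixed, so sender and
    # receiver compute the tag over identical bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def protect(key, payload, seq, now=None):
    """Wrap payload in an authenticated envelope.

    The tag covers seq, ts and body together, so altering any of them,
    including the anti-replay fields, invalidates it.
    """
    envelope = {"seq": seq,
                "ts": int(now if now is not None else time.time()),
                "body": payload}
    tag = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return {"msg": envelope, "tag": tag}


class Receiver:
    """Verifies envelopes from one sender; keeps the last accepted sequence."""

    def __init__(self, key, max_skew=300):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = 0

    def verify(self, message, now=None):
        envelope = message["msg"]
        expected = hmac.new(self.key, _canonical(envelope), hashlib.sha256).hexdigest()
        # compare_digest runs in time independent of where the strings differ;
        # a plain == would leak how many leading bytes of the tag were right.
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "bad tag: message altered or wrong key"
        now = now if now is not None else time.time()
        if abs(now - envelope["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if envelope["seq"] <= self.last_seq:
            return False, "replayed or out-of-order sequence number"
        self.last_seq = envelope["seq"]
        return True, "authentic"


if __name__ == "__main__":
    k = b"\x01" * 32            # constructed shared key
    m = protect(k, {"from": "ACC-1", "to": "ACC-2", "amount": "10.00"}, seq=1)
    rx = Receiver(k)
    print(rx.verify(m))          # (True, 'authentic')
    print(rx.verify(m))          # replay of the same message is refused
```

The tag gives integrity and origin authentication only; it does not hide the body. Where the booklet's item 15 also calls for confidentiality, encrypt the body and authenticate the ciphertext (encrypt-then-MAC), or use an AEAD mode that does both. The key in a real deployment is a per-connection secret derived by the session protocol, never a literal in the code.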
4. Determine whether access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted.
5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization.
6. Determine whether appropriate warning banners are displayed when applications are accessed.
7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.
H. SOFTWARE DEVELOPMENT AND ACQUISITION
1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor.
2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards.
3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training.
4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place.
5. Evaluate whether the software contains appropriate authentication and encryption.
6. Evaluate the adequacy of the change control process.
7. Evaluate the appropriateness of software libraries and their access controls.
8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities.
- For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
- If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.
- Whether or not source code reviews are performed, evaluate the institution's assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk.
9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management's consideration of the:
- Development process
  - Establishment of security requirements
  - Establishment of acceptance criteria
  - Use of secure coding standards
  - Compliance with security requirements
  - Background checks on employees
  - Code development and testing processes
  - Signed non-disclosure agreements
  - Restrictions on developer access to production source code
  - Physical security over developer work areas
- Source code review
  - Automated reviews
  - Manual reviews
- Vendor or developer history and reputation
  - Vulnerability history
  - Timeliness, thoroughness, and candidness of the response to security issues
  - Quality and functionality of security patches
10. Evaluate the appropriateness of management's response to assessments of software trustworthiness:
- Host and network control evaluation
- Additional host and network controls
I. BUSINESS CONTINUITY SECURITY
1. Determine whether adequate physical security and access controls exist over data backups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed.
- Review the risk assessment to identify key control points in a data set's life cycle.
- Verify controls are in place consistent with the level of risk presented.
2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems.
fice, this assignment would be a primary job responsibility.)
J. SERVICE PROVIDER OVERSIGHT SECURITY
1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements.
2. Determine whether the institution has assessed the service provider's ability to meet contractual security requirements.
3. Determine whether appropriate controls exist over the substitution of personnel on the institution's projects and services.
4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract.
5. Determine whether appropriate reporting of security incidents is required under the contract.
6. Determine whether institution oversight of third-party provider security controls is adequate.
7. Determine whether any third party provider access to the institution's system is controlled according to Authentication and Access Controls and Network Security procedures.
8. Determine whether the contract requires secure remote communications, as appropriate.
9. Determine whether the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data.
10. Determine whether the third party service provider participates in an appropriate industry ISAC.
K. ENCRYPTION
1. Review the information security risk assessment and identify those items and areas classified as requiring encryption.
2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.
- Consider if cryptographic algorithms are both publicly known and widely accepted (e.g., RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms. (SHA is a hash family and provides integrity, not confidentiality. Several choices that were current when this booklet was written no longer are: 40-bit keys are brute-forceable, NIST has deprecated Triple DES, and 64-bit-block ciphers such as Blowfish and Triple DES are exposed to birthday-bound attacks on long-lived connections; AES with 128-bit or larger keys is the present expectation for symmetric encryption.)
- Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
- Identify management's understanding of cryptography and expectations of how it will be used to protect data.
3. Determine whether cryptographic key controls are adequate.
- Identify where cryptographic keys are stored.
- Review security where keys are stored and when they are used (e.g., in a hardware module).
- Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
- Verify that two persons are required for a cryptographic key to be used, when appropriate.
- Review audit and security reports that review the adequacy of cryptographic key controls.
4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.
5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals.
6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable.
7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required.
L. DATA SECURITY
1. Obtain an understanding of the data security strategy.
- Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss).
- Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution's strategic and business objectives.
- Consider whether policies and procedures address the protections for data that is sent outside the institution.
- Identify processes to periodically review data sensitivity and update corresponding risk assessments.
2. Verify that data is protected consistent with the financial institution's risk assessment.
- Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment.
- Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.
- Review audit and security review reports that summarize if data is protected consistent with the risk assessment.
3. Determine whether individual and group access to data is based on business needs.
4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.
M. SECURITY MONITORING
1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions.
- Review the schematic of the information technology systems for common security monitoring devices.
- Review security procedures for report monitoring to identify unauthorized or unusual activities.
- Review management's self-assessment and independent testing activities and plans.
2. Determine whether users are appropriately notified regarding security monitoring.
3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations.
4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant.
- Identify personnel responsible for defining and setting firewall rulesets and routing controls.
- Review procedures for updating and changing rulesets and routing controls.
- Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit.
5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated.
6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.
7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging.
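Network item 12 (clock synchronization), monitoring item 5 (logs that can be readily correlated) and monitoring item 7 (normalization and time gaps) describe one pipeline. The following is an added example written for this page, not from the booklet: three constructed log fragments in three timestamp formats are normalized to a single UTC timeline, a known clock offset is corrected, gaps in a source's output are flagged, and events from all sources are correlated around an anchor event. Assumptions: the firewall's syslog lines carry neither year nor zone and are taken to be 2006 UTC; host srv3 is known to run 120 seconds fast; the hostnames, addresses and events are invented.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs: three sources, three timestamp conventions.
FIREWALL_LOG = """\
Jul 14 02:15:07 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 DPT=22
Jul 14 02:15:09 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 DPT=23
Jul 14 02:40:31 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=198.51.100.9 DPT=443
"""
HOST_LOG = """\
2006-07-14T02:17:15+00:00 srv3 sshd: Failed password for root from 198.51.100.7
2006-07-14T02:17:21+00:00 srv3 sshd: Accepted password for svc_backup from 198.51.100.7
"""
APP_LOG = """\
1152843430 app login user=svc_backup result=ok src=10.0.0.5
"""

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_firewall(line, year):
    # Classic syslog: no year, no zone. The year and UTC are supplied by policy.
    mon, day, hms, host, msg = SYSLOG_RE.match(line).groups()
    ts = datetime.strptime(f"{year}-{MONTHS[mon]:02d}-{int(day):02d}T{hms}",
                           "%Y-%m-%dT%H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": host, "msg": msg}


def parse_host(line):
    stamp, host, msg = line.split(" ", 2)
    ts = datetime.fromisoformat(stamp)          # carries its own UTC offset
    return {"ts": ts.astimezone(timezone.utc), "source": host, "msg": msg}


def parse_app(line):
    epoch, host, msg = line.split(" ", 2)
    return {"ts": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "source": host, "msg": msg}


def normalize(clock_offsets):
    """Merge all sources into one UTC timeline, correcting known clock skew.

    clock_offsets maps a source name to the number of seconds its clock runs
    fast; that amount is subtracted so its events line up with the reference.
    """
    events = [parse_firewall(l, 2006) for l in FIREWALL_LOG.splitlines()]
    events += [parse_host(l) for l in HOST_LOG.splitlines()]
    events += [parse_app(l) for l in APP_LOG.splitlines()]
    for e in events:
        e["ts"] -= timedelta(seconds=clock_offsets.get(e["source"], 0))
    return sorted(events, key=lambda e: e["ts"])


def find_gaps(events, source, max_gap_seconds):
    """Pairs of consecutive events from one source more than max_gap apart.

    A production check keys this on a heartbeat or MARK message, so a quiet
    source can be told apart from one whose logging has stopped.
    """
    stamps = [e["ts"] for e in events if e["source"] == source]
    return [(a, b) for a, b in zip(stamps, stamps[1:])
            if (b - a).total_seconds() > max_gap_seconds]


def correlate(events, anchor, window_seconds):
    """Every event, from any source, within +/- window of the anchor event."""
    return [e for e in events
            if abs((e["ts"] - anchor["ts"]).total_seconds()) <= window_seconds]


if __name__ == "__main__":
    timeline = normalize({"srv3": 120})
    for e in correlate(timeline, timeline[0], 60):
        print(e["ts"].isoformat(), e["source"], e["msg"])
    print("gaps on fw1:", find_gaps(timeline, "fw1", 15 * 60))
```

With the 120-second correction applied, the two failed/accepted sshd events on srv3 fall within a minute of the firewall drops from the same external address, which is the picture an analyst needs; without it the host events appear two minutes later and a 60-second correlation window misses them entirely. That is the practical consequence of the clock-synchronization check in network item 12.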
8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals.
9. Determine whether appropriate detection capabilities exist related to
- Network related anomalies, including
  - Blocked outbound traffic
  - Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies
  - Unusual or malicious packet payloads
- Host-related anomalies, including
  - System resource usage and anomalies
  - User related anomalies
  - Operating and tool configuration anomalies
  - File and data integrity problems
  - Anti-virus, anti-spyware, and other malware identification alerts
  - Unauthorized access
  - Privileged access
10. Evaluate the institution's self-assessment plan and activities, including
- Policies and procedures conformance
- Service provider oversight
- Vulnerability scanning
- Configuration verification
- Information storage
- Risk assessment and monitoring plan review
- Test reviews
11. Evaluate the use of metrics to measure
- Security policy implementation
- Security service delivery effectiveness and efficiency
- Security event impact on business processes
12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider:
- Personnel
- Scope
- Controls over data integrity, confidentiality, and availability
- Confidentiality of test plans and data
- Frequency
13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing
- Monitoring
- Classification
- Escalation
- Reporting
- Intrusion declaration
14. Determine whether an intrusion response team
- Contains appropriate membership;
- Is available at all times;
- Has appropriate training to investigate and report findings;
- Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate);
- Has appropriate authority and timely access to decision makers for actions that require higher approvals; and
- Has procedures for submitting appropriate incidents to the industry ISAC.
15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider
- Documentation of the roles, responsibilities and authority of employees and contractors, and
- Conditions for the examination and analysis of data, systems, and networks.
16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.
17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements.
18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry.
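What makes such a log "provable" rather than merely detailed is that later alteration, reordering or deletion of entries is detectable. The following is an added example written for this page, not from the booklet: an append-only action/decision log in which each entry carries a SHA-256 digest that covers its own fields and the digest of the entry before it, so the entries form a hash chain. The entry fields (who, action, evidence identifier, timestamp) and the sample entries are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


class CustodyLog:
    """Append-only action and decision log; each entry commits to its predecessor."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in a fixed encoding.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def append(self, who, action, evidence_id, ts=None):
        """Record who did what to which evidence item; returns the entry hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries) + 1,
                 "ts": ts or datetime.now(timezone.utc).isoformat(),
                 "who": who, "action": action, "evidence": evidence_id,
                 "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first_bad_seq).

        An edited entry fails its own digest; a deleted or reordered entry
        breaks the seq/prev linkage at the first entry after the change.
        """
        prev = self.GENESIS
        for expected_seq, e in enumerate(self.entries, 1):
            if (e["seq"] != expected_seq or e["prev"] != prev
                    or self._digest(e) != e["hash"]):
                return False, expected_seq
            prev = e["hash"]
        return True, None

    def head(self):
        """Latest hash: the value to record out of band (signed, printed, or
        sent to a separate system) so the whole chain cannot be rewritten."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS


if __name__ == "__main__":
    log = CustodyLog()
    log.append("analyst1", "imaged disk", "EV-001")
    log.append("analyst1", "computed sha256 of image", "EV-001")
    log.append("lead", "approved release to legal", "EV-001")
    print(log.verify(), log.head())
    log.entries[1]["who"] = "someone else"
    print(log.verify())              # (False, 2)
```

The chain proves integrity only relative to its head: whoever controls the storage could rewrite every entry and recompute every hash. Periodically committing the current head somewhere the log writer cannot alter, for example by signing it or copying it to a separately administered system, is what turns the structure into evidence.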
19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums. Checksum verification is only meaningful when the baseline checksums and the tool that computes them come from a trusted source rather than from the compromised system itself.
20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies.
21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including
- Identifying the customer information and customers affected;
- Protecting those customers through monitoring, closing, or freezing accounts;
- Notifying customers when warranted; and
- Appropriately notifying its primary federal regulator.
22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider
- Assignment of responsibility
- Prioritization of work to be performed
- Appropriate funding
- Monitoring, and
- Follow-up activities
Examiner / Date
Reviewer's Initials