info_sec_workprogram

Post on 09-Apr-2018

8/7/2019 Info_sec_workprogram 1/51

Information Security Booklet July 2006

FFIEC IT Examination Handbook Page 1

INFORMATION SECURITY WORKPROGRAM

EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution's risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution's systems. The objectives and procedures are divided into Tier I and Tier II:

• Tier I assesses an institution's process for identifying and managing risks.
• Tier II provides additional verification where risk warrants it.

Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.

TIER I PROCEDURES

Objective 1: Determine the appropriate scope for the examination.

Work Paper Reference    Comment

1. Review past reports for outstanding issues or previous problems. Consider
   • Regulatory reports of examination
   • Internal and external audit reports
   • Independent security tests
   • Regulatory, audit, and security reports from service providers

2. Review management's response to issues raised since the last examination. Consider
   • Adequacy and timing of corrective action
   • Resolution of root causes rather than just specific issues
   • Existence of any outstanding issues

3. Interview management and review examination information to identify changes to the technology infrastructure or new products and services that might increase the institution's risk from information security issues. Consider
   • Products or services delivered to either internal or external users
   • Network topology including changes to configuration or components
   • Hardware and software listings
   • Loss or addition of key personnel
   • Technology service providers and software vendor listings
   • Changes to internal business processes
   • Key management changes
   • Internal reorganizations

4. Determine the existence of new threats and vulnerabilities to the institution's information security. Consider
   • Changes in technology employed by the institution
   • Threats identified by institution staff
   • Known threats identified by information sharing and analysis organizations and other non-profit and commercial organizations
   • Vulnerabilities raised in security testing reports

QUANTITY OF RISK

Objective 2: Determine the complexity of the institution's information security environment.

1. Review the degree of reliance on service providers for information processing and technology support, including security management. Review evidence that service providers of information processing and technology participate in an appropriate industry Information Sharing and Analysis Center (ISAC).

2. Identify unique products and services and any required third-party access requirements.

3. Determine the extent of network connectivity internally and externally, and the boundaries and functions of security domains.

4. Identify the systems that have recently undergone significant change, such as new hardware, software, configurations, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the role of those processes in funds transfers.

5. Evaluate management's ability to control security risks given the frequency of changes to the computing environment.

6. Evaluate security maintenance requirements and the extent of historical security issues with installed hardware/software.

7. Identify whether external standards are used as a basis for the security program, and the extent to which management tailors the standards to the financial institution's specific circumstances.

8. Determine the size and quality of the institution's security staff. Consider
   • Appropriate security training and certification
   • Adequacy of staffing levels and impact of any turnover
   • Extent of background investigations
   • Available time to perform security responsibilities

QUALITY OF RISK MANAGEMENT

Objective 3: Determine the adequacy of the risk assessment process.

1. Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has:
   • Identified and ranked information assets (e.g., data, systems, physical locations) according to a rigorous and consistent methodology that considers the risks to customer non-public information as well as the risks to the institution,
   • Identified all reasonably foreseeable threats to the financial institution's assets,
   • Analyzed its technical and organizational vulnerabilities, and
   • Considered the potential effect of a security breach on customers as well as the institution.

2. Determine whether the risk assessment provides adequate support for the security strategy, controls, and monitoring that the financial institution has implemented.

3. Evaluate the risk assessment process for the effectiveness of the following key practices:
   • Multidisciplinary and knowledge-based approach
   • Systematic and centrally controlled
   • Integrated process
   • Accountable activities
   • Documented
   • Knowledge enhancing
   • Regularly updated

4. Identify whether the institution effectively updates the risk assessment prior to making system changes, implementing new products or services, or confronting new external conditions that would affect the risk analysis. Identify whether, in the absence of the above factors, the risk assessment is reviewed at least once a year.

Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution.

1. Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures.
   • Authentication and Authorization
     - Acceptable-use policy that dictates the appropriate use of the institution's technology including hardware, software, networks, and telecommunications.
     - Administration of access rights at enrollment, when duties change, and at employee separation.
     - Appropriate authentication mechanisms including token-based systems, digital certificates, or biometric controls and related enrollment and maintenance processes as well as database security.
   • Network Access
     - Security domains
     - Perimeter protections including firewalls, malicious code prevention, outbound filtering, and security monitoring.
     - Appropriate application access controls
     - Remote access controls including wireless, VPN, modems, and Internet-based
   • Host Systems
     - Secure configuration (hardening)
     - Operating system access
     - Application access and configuration
     - Malicious code prevention
     - Logging
     - Monitoring and updating
   • User Equipment
     - Secure configuration (hardening)
     - Operating system access
     - Application access and configuration
     - Malicious code prevention
     - Logging
     - Monitoring and updating
   • Physical controls over access to hardware, software, storage media, paper records, and facilities
   • Encryption controls
   • Malicious code prevention
   • Software development and acquisition, including processes that evaluate the security features and software trustworthiness of code being developed or acquired, as well as change control and configuration management.
   • Personnel security
   • Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information
   • Service provider oversight
   • Business continuity
   • Insurance

2. Evaluate the policies against the following key actions:
   • Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
   • Enforcing with security tools and sanctions;
   • Delineating the areas of responsibility for users, administrators, and managers;
   • Communicating in a clear, understandable manner to all concerned;
   • Obtaining employee certification that they have read and understood the policy;
   • Providing flexibility to address changes in the environment; and
   • Conducting annually a review and approval by the board of directors.

Objective 5: Evaluate the security-related controls embedded in vendor management.

1. Evaluate the sufficiency of security-related due diligence in service provider research and selection.

2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls, and reporting.

3. Evaluate the appropriateness of nondisclosure agreements regarding the institution's systems and data.

4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service provider's security are supported by the financial institution's risk assessment.

5. Evaluate the adequacy of incident response policies and contractual notification requirements in light of the risk of the outsourced activity.

Objective 6: Determine the adequacy of security monitoring.

1. Obtain an understanding of the institution's monitoring plans and activities, including both activity monitoring and condition monitoring.

2. Identify the organizational unit and personnel responsible for performing the functions of a security response center.

3. Evaluate the adequacy of information used by the security response center. Information should include external information on threats and vulnerabilities (ISAC and other reports) and internal information related to controls and activities.

4. Obtain and evaluate the policies governing security response center functions, including monitoring, classification, escalation, and reporting.

5. Evaluate the institution's monitoring plans for appropriateness given the risks of the institution's environment.

6. Where metrics are used, evaluate the standards used for measurement, the information measures and repeatability of measured processes, and the appropriateness of the measurement scope.

7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing.

8. For independent tests, evaluate the degree of independence between the persons testing security and the persons administering security.

9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the adequacy and timing of corrective action.

10. Evaluate the institution's policies and program for responding to unauthorized access to customer information, considering guidance in Supplement A to the Section 501(b) GLBA information security guidelines.

11. If the institution experienced unauthorized access to sensitive customer information, determine that it:
   • Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;
   • Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;
   • Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and
   • Appropriately notified its primary federal regulator.

Objective 7: Evaluate the effectiveness of enterprise-wide security administration.

1. Review board and committee minutes and reports to determine the level of senior management support of and commitment to security.

2. Determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information, and systems.

3. Review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities.

4. Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others.

5. Determine whether the individual or department responsible for ensuring compliance with security policies has sufficient position and authority within the organization to implement the corrective action.

6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and revocation of user rights).

7. Evaluate the adequacy of automated tools to support secure configuration management, security monitoring, policy monitoring, enforcement, and reporting.

8. Evaluate management's ability to effectively control the pace of change to its environment, including the process used to gain assurance that changes to be made will not pose undue risk in a production environment. Consider the definition of security requirements for the changes, appropriateness of staff training, quality of testing, and post-change monitoring.

9. Evaluate coordination of incident response policies and contractual notification requirements.

CONCLUSIONS

Objective 8: Discuss corrective action and communicate findings.

1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.

2. Review your preliminary conclusions with the EIC regarding
   • Violations of law, rulings, regulations,
   • Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,
   • Potential impact of your conclusions on composite or component IT ratings, and
   • Potential impact of your conclusions on the institution's risk assessment.

3. Discuss your findings with management and obtain proposed corrective action for significant deficiencies.

4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners.

5. Organize your work papers to ensure clear support for significant findings by examination objective.

TIER II OBJECTIVES AND PROCEDURES

The Tier II examination procedures for information security provide additional verification procedures to evaluate the effectiveness of, and identify potential root causes for weaknesses in, a financial institution's security program. These procedures are designed to assist in achieving examination objectives and may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. For instance, if additional verification is necessary for firewall practices, the examiner may find it necessary to select some of the procedures from the authentication, network security, host security, and physical security areas to create a customized examination procedure. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the security issues found in other workprograms.

The procedures provided below should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's information system. Thus, the controls necessary for any single institution or any given area of a given institution may differ from the specifics that can be inferred from the following procedures.

A. AUTHENTICATION AND ACCESS CONTROLS

Access Rights Administration

1. Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution.
   • Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements.
   • Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties.
   • Determine whether access rights are the minimum necessary for business purposes. If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls.
   • Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis.

2. Determine whether the user registration and enrollment process
   • Uniquely identifies the user,
   • Verifies the need to use the system according to appropriate policy,
   • Enforces a unique user ID,
   • Assigns and records the proper security attributes (e.g., authorization),
   • Enforces the assignment or selection of an authenticator that agrees with the security policy,
   • Securely distributes any initial shared secret authenticator or token, and
   • Obtains acknowledgement from the user of acceptance of the terms of use.

3. Determine whether employees' levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities.

4. Determine that administrator or root privilege access is appropriately monitored, where appropriate.
   • Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.

5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.
   • Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed. Include former employees and temporary access for remote access and contract workers in the review.
   • Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).
   • Determine whether access rights expire after a predetermined period of inactivity.
   • Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper. Determine whether necessary changes were made as a result of that review.
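The review in item 5 can be partly mechanized. The script below is an added example, not part of the FFIEC workprogram: given a list of accounts and the HR roster of current staff, it flags the three conditions the bullets ask about (rights still held by former employees, temporary or contract access past its end date, and rights that should have expired for inactivity) and lists privileged accounts first. The record fields, the 90-day inactivity default and the sample data are assumptions.

```python
"""Added example (not part of the FFIEC workprogram): an access-rights review
of the kind item 5 describes. Field names, the 90-day inactivity period and
all sample records are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    owner_id: str                      # HR identifier of the account's owner
    kind: str                          # "employee", "contractor" or "service"
    last_login: Optional[date]         # None means the account never logged in
    access_end: Optional[date] = None  # agreed end of temporary/contract access
    privileged: bool = False           # administrator/root style rights


def review_access(accounts: List[Account], hr_roster: Set[str], today: date,
                  inactivity_days: int = 90) -> List[Tuple[str, str, bool]]:
    """Return (username, issue, privileged) for every account that fails a check.

    The checks mirror the bullets of item 5: rights of former employees still
    active, temporary access past its end date, and rights that should have
    expired after the policy's inactivity period.
    """
    findings = []
    cutoff = today - timedelta(days=inactivity_days)
    for acct in accounts:
        if acct.kind == "employee" and acct.owner_id not in hr_roster:
            findings.append((acct.username, "owner-not-on-roster", acct.privileged))
        if acct.access_end is not None and acct.access_end < today:
            findings.append((acct.username, "temporary-access-expired", acct.privileged))
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.username, "inactive-beyond-policy", acct.privileged))
    # Privileged accounts first: those are the items a reviewer should act on today.
    findings.sort(key=lambda finding: not finding[2])
    return findings


# Constructed sample data; the review date is chosen to fall in the booklet's year.
TODAY = date(2006, 7, 31)
HR_ROSTER = {"E100", "E101", "E103"}          # people currently employed
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", "employee", date(2006, 7, 28)),
    Account("bob", "E102", "employee", date(2006, 7, 30), privileged=True),   # E102 has left
    Account("carol", "C200", "contractor", date(2006, 7, 29), access_end=date(2006, 6, 30)),
    Account("dave", "E103", "employee", date(2006, 3, 1)),                    # no login for months
    Account("svc_backup", "E101", "service", None, privileged=True),          # never used
]

if __name__ == "__main__":
    for username, issue, privileged in review_access(SAMPLE_ACCOUNTS, HR_ROSTER, TODAY):
        print(f"{'PRIV ' if privileged else '     '}{username:<12} {issue}")
```

The roster comparison is what catches the former-employee case that a pure inactivity rule misses: bob logged in yesterday, so no inactivity threshold would flag him, yet HR no longer lists his identifier.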

6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., Domain Name System), and other programs.

7. Compare the access control rules establishment and assignment processes to the access control policy for consistency.

8. Determine whether users are aware of the authorized uses of the system.
   • Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?
   • Is contractor usage appropriately detailed and controlled through the contract?
   • Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate?

Authentication

1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.

2. Determine whether access to system administrator level is adequately controlled and monitored.

3. Evaluate whether the authentication method selected and implemented is appropriately supported by a risk assessment.

4. Evaluate the effectiveness of password and shared-secret administration for employees and customers considering the complexity of the processing environment and type of information accessed. Consider
   • Confidentiality of passwords and shared secrets (whether only known to the employee/customer);
   • Maintenance of confidentiality through reset procedures;
   • The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other user's intervention);
   • Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy);
   • The strength of shared secret authentication mechanisms;
   • Restrictions on duplicate shared secrets among users (no restrictions should exist); and
   • The extent of authorized access (e.g., privileged access, single sign-on systems).

5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure.
   • Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls.
   • Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area.
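Item 5 asks whether one-way hashes protect stored authenticators. The following added example (not part of the FFIEC workprogram) stores a secret as a salted PBKDF2-SHA256 record, verifies it with a constant-time comparison, and scans a constructed credential store for entries that are clear text, in an unknown format, or hashed with too few iterations, which is the check the first bullet calls for. The record format, both iteration counts and the sample entries are assumptions.

```python
"""Added example (not part of the FFIEC workprogram): salted one-way hashing of
stored authenticators, plus a scan of a credential store for unprotected
entries. The record format, iteration counts and sample store are assumptions."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 200_000          # assumed policy value; raise as hardware allows
MIN_ITERATIONS = 100_000      # stored records below this are reported as too weak
ALGORITHM = "pbkdf2_sha256"


def hash_authenticator(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def _parse_record(stored: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a stored record; None if it is not in the expected hashed format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_authenticator(secret: str, stored: str) -> bool:
    """Recompute the hash and compare in constant time; the caller learns only pass/fail."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    computed = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(computed, digest)


def scan_credential_store(store: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag store entries that are clear text, in an unknown format, or under-iterated."""
    findings = []
    for username, stored in store:
        parsed = _parse_record(stored)
        if parsed is None:
            findings.append((username, "cleartext-or-unknown-format"))
        elif parsed[0] < MIN_ITERATIONS:
            findings.append((username, "iterations-below-minimum"))
    return findings


# Constructed sample store: one proper record, one clear-text value, one weak record.
SAMPLE_STORE = [
    ("alice", hash_authenticator("correct horse battery staple")),
    ("legacy_app", "Summer2006!"),
    ("old_user", f"{ALGORITHM}$1000${'00' * 16}${'11' * 32}"),
]

if __name__ == "__main__":
    print(verify_authenticator("correct horse battery staple", SAMPLE_STORE[0][1]))
    print(scan_credential_store(SAMPLE_STORE))
```

Because the salt is random per record, two users with the same secret get different stored values, so reading the store reveals neither the secrets nor which users share one; that is the property the second bullet is after.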

6. Determine whether passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases. Evaluate the appropriateness of such storage and the associated protective mechanisms.

7. Determine whether unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately investigated. Attacks on shared-secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password.

8. Determine whether authentication error feedback (i.e., reporting failure to successfully log in) during the authentication process provides prospective attackers clues that may allow them to hone their attack. If so, obtain and evaluate a justification for such feedback.
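Item 7 names two patterns worth investigating: many passwords tried against one username, and one password tried against many usernames. The added example below (not part of the FFIEC workprogram) parses constructed authentication log lines and raises an alert for each pattern using a sliding time window. The log format, thresholds, window and sample lines are assumptions. Passwords never reach a log, so the second pattern can only be recognised by its shape: one source producing a single failure against many different accounts.

```python
"""Added example, not part of the FFIEC workprogram: detecting the two
shared-secret attack patterns named in item 7 from authentication logs.
The log line format, thresholds, window and sample lines are constructed."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Constructed format: "<ISO timestamp> auth=<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth=(OK|FAIL) user=(\S+) src=(\S+)$")


@dataclass
class Attempt:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Optional[Attempt]:
    """Turn one log line into an Attempt; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, status, user, src = m.groups()
    return Attempt(datetime.fromisoformat(ts), status == "OK", user, src)


def _peak_in_window(events: List[Attempt], window: timedelta,
                    key: Callable[[Attempt], str], distinct: bool) -> int:
    """Largest number of events (or of distinct keys) inside any sliding window."""
    events = sorted(events, key=lambda e: e.ts)
    counts: Counter = Counter()
    peak = lo = 0
    for ev in events:
        counts[key(ev)] += 1
        while ev.ts - events[lo].ts > window:      # slide the window start forward
            k = key(events[lo])
            counts[k] -= 1
            if counts[k] == 0:
                del counts[k]
            lo += 1
        peak = max(peak, len(counts) if distinct else sum(counts.values()))
    return peak


def detect_auth_attacks(lines: List[str], window_minutes: int = 10,
                        guess_threshold: int = 5, spray_threshold: int = 5) -> List[Tuple[str, str]]:
    """Return (pattern, subject) alerts, sorted for stable reporting.

    password-guessing: many failures for one username (same user, many passwords)
    password-spraying: one source failing against many distinct usernames
                       (many users, the same password)
    """
    window = timedelta(minutes=window_minutes)
    failures = [a for a in map(parse_line, lines) if a is not None and not a.ok]
    by_user, by_src = defaultdict(list), defaultdict(list)
    for f in failures:
        by_user[f.user].append(f)
        by_src[f.src].append(f)
    alerts = []
    for user, evs in sorted(by_user.items()):
        if _peak_in_window(evs, window, lambda e: e.user, distinct=False) >= guess_threshold:
            alerts.append(("password-guessing", user))
    for src, evs in sorted(by_src.items()):
        if _peak_in_window(evs, window, lambda e: e.user, distinct=True) >= spray_threshold:
            alerts.append(("password-spraying", src))
    return alerts


# Constructed sample: one benign typo, six guesses at jsmith a minute apart, and
# one source trying six different usernames within a few seconds.
SAMPLE_LOG = [
    "2006-07-31T09:00:01 auth=FAIL user=alice src=10.1.4.20",
    "2006-07-31T09:00:09 auth=OK user=alice src=10.1.4.20",
    *[f"2006-07-31T09:{2 + i:02d}:10 auth=FAIL user=jsmith src=203.0.113.5" for i in range(6)],
    *[f"2006-07-31T09:15:{i:02d} auth=FAIL user=user{i} src=198.51.100.7" for i in range(6)],
    "2006-07-31T09:30:00 auth=OK user=bob src=10.1.4.21",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for pattern, subject in detect_auth_attacks(SAMPLE_LOG):
        print(f"{pattern}: {subject}")
```

Per-user counting alone would never see the spraying case (each account fails once), and per-source counting alone would merge it with an ordinary user who mistypes a password several times; keying one check on the user and the other on distinct users per source keeps the two apart.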

9. Determine whether adequate controls exist to protect against replay attacks and hijacking.

10. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors.

11. Determine whether PKI-based authentication mechanisms
   • Securely issue and update keys,
   • Securely unlock the secret key,
   • Provide for expiration of keys at an appropriate time period,
   • Ensure the certificate is valid before acceptance,
   • Update the list of revoked certificates at an appropriate frequency,
   • Employ appropriate measures to protect private and root keys, and
   • Appropriately log use of the root key.

12. Determine that biometric systems
   • Have an adequately strong and reliable enrollment process,
   • Adequately protect against the presentation of forged credentials (e.g., address replay attacks), and
   • Are appropriately tuned for false accepts/false rejects.

13. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines.

14. Review authenticator reissuance and reset procedures. Determine whether controls adequately mitigate risks from
   • Social engineering,
   • Errors in the identification of the user, and
   • Inability to re-issue on a large scale in the event of a mass compromise.

B. NETWORK SECURITY

1. Evaluate the adequacy and accuracy of the network architecture.
   • Obtain a schematic overview of the financial institution's network architecture.
   • Review procedures for maintaining current information, including inventory reporting of how new hardware is added and old hardware is removed.
   • Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems.

2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution's network.
   • Review network architecture policies and procedures to establish new, or change existing, network connections and equipment.
   • Identify controls used to prevent unauthorized deployment of network connections and equipment.
   • Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.

3. Evaluate controls over the management of remote equipment.

4. Determine whether effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment.

5. Determine whether external servers are appropriately isolated through placement in demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks, public servers, and internal networks.

6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations.

7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs.

8. Determine that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions.

9. Evaluate the appropriateness of technical controls mediating access between security domains. Consider
   • Firewall topology and architecture;
   • Type(s) of firewall(s) being utilized;
   • Physical placement of firewall components;
   • Monitoring of firewall traffic;
   • Firewall updating;
   • Responsibility for monitoring and updating firewall policy;
   • Placement and monitoring of network monitoring and protection devices, including intrusion detection system (IDS) and intrusion prevention system (IPS) functionality; and
   • Contingency planning

10. Determine whether firewall and routing controls are in place and updated as needs warrant.
   • Identify personnel responsible for defining and setting firewall rulesets and routing controls.
   • Review procedures for updating and changing rulesets and routing controls.
   • Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall's capabilities for identifying and blocking traffic are effectively utilized.
   • Confirm that network mapping through the firewall is disabled.
   • Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users.
   • Confirm that malicious code is effectively filtered.
   • Confirm that firewalls are backed up to external media, and not to servers on protected networks.
   • Determine that firewalls and routers are subject to appropriate and functioning host controls.
   • Determine that firewalls and routers are securely administered.
   • Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk.

11. Determine whether network-based IDSs are properly coordinated with firewalls (see Security Monitoring procedures).

12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place.

13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.

14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress.
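The two ruleset conditions above, the default-deny premise of item 10 and the ingress/egress anti-spoofing of item 14, can be checked mechanically once a ruleset is in a normalised form. The following is an added example, not part of the FFIEC work program: the rule format, interface names and internal address ranges are constructed for it, and a vendor ruleset would first have to be translated into this shape.

```python
"""Audit a firewall ruleset for default deny (item 10) and anti-spoofing on
ingress and egress at the external connection (item 14).

Constructed, simplified rule format, one rule per line, first match wins,
evaluated before NAT:  action direction interface source dest proto port
"in" = packet arriving on the interface, "out" = leaving through it,
interface "any" matches every interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY = ip_network("0.0.0.0/0")
# Constructed internal address space; these sources belong only on internal interfaces.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str       # "permit" or "deny"
    direction: str    # "in" or "out"
    interface: str    # "eth0" (external), "eth1" (internal), "any"
    src: IPv4Network
    dst: IPv4Network
    proto: str
    port: str


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            act, direc, iface, src, dst, proto, port = line.split()
            rules.append(Rule(act, direc, iface, ip_network(src), ip_network(dst), proto, port))
    return rules


def check_default_deny(rules):
    """Item 10: the last rule in each direction must deny all traffic."""
    findings = []
    for direction in ("in", "out"):
        last = [r for r in rules if r.direction == direction][-1:]
        if not last or (last[0].action, last[0].src, last[0].dst) != ("deny", ANY, ANY):
            findings.append(f"no default-deny rule for direction '{direction}'")
    return findings


def check_ingress_antispoof(rules, ext, internal):
    """Item 14, ingress: a packet arriving on the external interface with an
    internal source is spoofed; the first external-ingress rule able to match
    it must be a deny that covers the whole internal range."""
    findings = []
    for net in internal:
        for r in rules:
            if r.direction != "in" or r.interface not in (ext, "any") or not r.src.overlaps(net):
                continue
            if r.action == "permit":
                findings.append(f"permit on {ext} ingress can match spoofed source {net}")
            elif not net.subnet_of(r.src):
                findings.append(f"ingress deny on {ext} covers only part of {net}")
            break
        else:  # no rule matched at all
            findings.append(f"no rule on {ext} ingress matches spoofed source {net}")
    return findings


def check_egress_antispoof(rules, ext, internal):
    """Item 14, egress: permits leaving the external interface must be limited
    to internal source addresses so forged sources cannot exit."""
    return [f"egress permit from {r.src} on {ext} is not limited to internal sources"
            for r in rules
            if r.action == "permit" and r.direction == "out" and r.interface in (ext, "any")
            and not any(r.src.subnet_of(net) for net in internal)]


def audit(ruleset_text, ext="eth0", internal=INTERNAL_NETS):
    rules = parse_rules(ruleset_text)
    return (check_default_deny(rules) + check_ingress_antispoof(rules, ext, internal)
            + check_egress_antispoof(rules, ext, internal))


# Constructed rulesets: "allow the DMZ service, let everything out" versus the same with item 10/14 controls.
WEAK_RULESET = """
permit in  eth0 0.0.0.0/0 192.168.1.10/32 tcp 443   # DMZ web server
permit out eth0 0.0.0.0/0 0.0.0.0/0       any any   # any source may leave
deny   in  eth0 0.0.0.0/0 0.0.0.0/0       any any
"""

HARDENED_RULESET = """
deny   in  eth0 10.0.0.0/8     0.0.0.0/0       any any   # anti-spoof ingress
deny   in  eth0 192.168.0.0/16 0.0.0.0/0       any any
permit in  eth0 0.0.0.0/0      192.168.1.10/32 tcp 443   # DMZ web server
permit out eth0 10.0.0.0/8     0.0.0.0/0       any any   # egress from internal only
permit out eth0 192.168.0.0/16 0.0.0.0/0       any any
deny   in  any  0.0.0.0/0      0.0.0.0/0       any any   # default deny, both ways
deny   out any  0.0.0.0/0      0.0.0.0/0       any any
"""
```

Running `audit(WEAK_RULESET)` reports four findings (no egress default deny, the web-server permit matching spoofed internal sources for both ranges, and an unrestricted egress permit); the hardened ruleset reports none.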

15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g. encryption, parity checks, message authentication).

16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means.

17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled.
- Remote access is disabled by default, and enabled only by management authorization.
- Management authorization is required for each user who accesses sensitive components or data remotely.
- Authentication is of appropriate strength (e.g., two-factor for sensitive components).
- Modems are authorized, configured, and managed to appropriately mitigate risks.
- Appropriate logging and monitoring takes place.
- Remote access devices are appropriately secured and controlled by the institution.

18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.

19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network.

C. HOST SECURITY

1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied.

2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable.

3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place.

4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment.

5. Determine whether remotely configurable hosts are configured for secure remote administration.

6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals.

7. Determine whether access to utilities on the host is appropriately restricted and monitored.

8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up. (Coordinate with the procedures listed in Security Monitoring.)

9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period.

10. Determine whether vulnerability testing takes place after each configuration change.

11. Determine whether appropriate notification is made of authorized use, through banners or other means.

12. Determine whether authoritative copies of host configuration and public server content are maintained off line.

13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.

14. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service.

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment.

2. Determine whether user equipment is configured either for secure remote administration or for no remote administration.

3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place.

4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices.

5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel.

6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means.

7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms.

E. PHYSICAL SECURITY

1. Determine whether physical security for information technology assets is coordinated with other security functions.

2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal.

3. Determine whether
- Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process;
- Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and
- Authorizations can be revoked in a practical and timely manner.

4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices.

F. PERSONNEL SECURITY

1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employee's authority over the institution's systems and information.

2. Determine whether the institution includes in its terms and conditions of employment the employee's responsibilities for information security.

3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements.

4. Determine whether the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency and that institution employees certify periodically as to their understanding and awareness of the policy and procedures.

5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions.

6. Determine whether an appropriate disciplinary process for security violations exists and is functioning.

G. APPLICATION SECURITY

1. Determine whether software storage, including program source, object libraries, and load modules, is appropriately secured against unauthorized access.

2. Determine whether user input is validated appropriately (e.g. character set, length, etc).

3. Determine whether appropriate message authentication takes place.

4. Determine whether access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted.

5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization.

6. Determine whether appropriate warning banners are displayed when applications are accessed.

7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.

H. SOFTWARE DEVELOPMENT AND ACQUISITION

1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor.

2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards.

3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training.

4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place.

5. Evaluate whether the software contains appropriate authentication and encryption.

6. Evaluate the adequacy of the change control process.

7. Evaluate the appropriateness of software libraries and their access controls.

8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities.
- For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
- If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.
- Whether or not source code reviews are performed, evaluate the institution's assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk.

9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management's consideration of the:
- Development process
  - Establishment of security requirements
  - Establishment of acceptance criterion
  - Use of secure coding standards
  - Compliance with security requirements
  - Background checks on employees
  - Code development and testing processes
  - Signed non-disclosure agreements
  - Restrictions on developer access to production source code
  - Physical security over developer work areas
- Source code review
  - Automated reviews
  - Manual reviews
- Vendor or developer history and reputation
  - Vulnerability history
  - Timeliness, thoroughness, and candidness of the response to security issues
  - Quality and functionality of security patches

10. Evaluate the appropriateness of management's response to assessments of software trustworthiness:
- Host and network control evaluation
- Additional host and network controls

I. BUSINESS CONTINUITY SECURITY

1. Determine whether adequate physical security and access controls exist over data backups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed.
- Review the risk assessment to identify key control points in a data set's life cycle.
- Verify controls are in place consistent with the level of risk presented.

2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems.

fice, this assignment would be a primary job responsibility.)

J. SERVICE PROVIDER OVERSIGHT SECURITY

1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements.

2. Determine whether the institution has assessed the service provider's ability to meet contractual security requirements.

3. Determine whether appropriate controls exist over the substitution of personnel on the institution's projects and services.

4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract.

5. Determine whether appropriate reporting of security incidents is required under the contract.

6. Determine whether institution oversight of third-party provider security controls is adequate.

7. Determine whether any third party provider access to the institution's system is controlled according to Authentication and Access Controls and Network Security procedures.

8. Determine whether the contract requires secure remote communications, as appropriate.

9. Determine whether the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data.

10. Determine whether the third party service provider participates in an appropriate industry ISAC.

K. ENCRYPTION

1. Review the information security risk assessment and identify those items and areas classified as requiring encryption.

2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.
- Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms.
- Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
- Identify management's understanding of cryptography and expectations of how it will be used to protect data.

3. Determine whether cryptographic key controls are adequate.
- Identify where cryptographic keys are stored.
- Review security where keys are stored and when they are used (e.g., in a hardware module).
- Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
- Verify that two persons are required for a cryptographic key to be used, when appropriate.
- Review audit and security reports that review the adequacy of cryptographic key controls.

4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.

5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals.

6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable.

7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required.

L. DATA SECURITY

1. Obtain an understanding of the data security strategy.
- Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss).
- Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution's strategic and business objectives.
- Consider whether policies and procedures address the protections for data that is sent outside the institution.
- Identify processes to periodically review data sensitivity and update corresponding risk assessments.

2. Verify that data is protected consistent with the financial institution's risk assessment.
- Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment.
- Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.
- Review audit and security review reports that summarize if data is protected consistent with the risk assessment.

3. Determine whether individual and group access to data is based on business needs.

4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.

M. SECURITY MONITORING

1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions.
- Review the schematic of the information technology systems for common security monitoring devices.
- Review security procedures for report monitoring to identify unauthorized or unusual activities.
- Review management's self-assessment and independent testing activities and plans.

2. Determine whether users are appropriately notified regarding security monitoring.

3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations.

4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant.
- Identify personnel responsible for defining and setting firewall rulesets and routing controls.
- Review procedures for updating and changing rulesets and routing controls.
- Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit.

5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated.

6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.

7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging.
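Whether logs can be correlated (item 5), whether time gaps exist (item 7), and whether source clocks are synchronized (Network Security item 12) can be tested directly against the centrally collected log store. The following is an added example, not part of the work program: the log lines are constructed for it, and the thresholds (a 10-minute gap, 60 seconds of clock skew) are assumptions to be set from the institution's own logging policy.

```python
"""Check centrally collected logs for time gaps (Security Monitoring item 7)
and for source clocks that are out of synchronisation (Network Security
item 12), the two faults that stop host, network and application logs
from being correlated (item 5).

Each line below is constructed for this example and has the shape a central
collector retains: receipt time at the collector, source name, the event
time the source itself stamped, then the message.
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

SAMPLE_LOG = """\
2006-07-10T08:00:00Z fw1  2006-07-10T08:00:00Z deny tcp 203.0.113.5 -> 192.168.1.10:23
2006-07-10T08:00:30Z web1 2006-07-10T08:00:29Z GET /login 200
2006-07-10T08:01:00Z fw1  2006-07-10T08:01:00Z permit tcp 198.51.100.7 -> 192.168.1.10:443
2006-07-10T08:01:30Z web1 2006-07-10T08:01:29Z POST /login 401
2006-07-10T08:02:00Z app1 2006-07-10T07:47:01Z user=jdoe action=transfer status=ok
2006-07-10T08:02:30Z web1 2006-07-10T08:02:29Z POST /login 401
2006-07-10T08:20:00Z fw1  2006-07-10T08:20:00Z permit tcp 198.51.100.7 -> 192.168.1.10:443
2006-07-10T08:20:30Z web1 2006-07-10T08:20:29Z GET /login 200
2006-07-10T08:20:31Z web1 2006-07-10T08:20:25Z POST /login 401
"""


def parse_line(line):
    received, source, event, message = line.split(None, 3)
    return {"received": datetime.strptime(received, TS_FORMAT), "source": source,
            "event": datetime.strptime(event, TS_FORMAT), "message": message}


def audit_log(text, max_gap=timedelta(minutes=10), max_skew=timedelta(seconds=60)):
    """Return (kind, source, detail) findings.

    gap        : no events from a source for longer than max_gap, judged by
                 collector receipt time so a wrong source clock cannot hide it
    clock-skew : source event time differs from receipt time by more than
                 max_skew, so its events sort wrongly against other sources
    clock-step : a source's event time went backwards, i.e. its clock was reset
    """
    findings = []
    last_seen = {}
    for rec in map(parse_line, text.strip().splitlines()):
        src = rec["source"]
        skew = rec["event"] - rec["received"]
        if abs(skew) > max_skew:
            findings.append(("clock-skew", src, f"source clock off by {skew.total_seconds():+.0f}s"))
        prev = last_seen.get(src)
        if prev is not None:
            gap = rec["received"] - prev["received"]
            if gap > max_gap:
                findings.append(("gap", src, f"no events received for {gap}"))
            if rec["event"] < prev["event"]:
                findings.append(("clock-step", src, "event time earlier than the previous event"))
        last_seen[src] = rec
    return findings


def clock_offsets(text):
    """Per-source offset (event time minus receipt time) of the latest event:
    the correction needed to line that source up with the collector's clock
    before its events are correlated with other sources."""
    offsets = {}
    for rec in map(parse_line, text.strip().splitlines()):
        offsets[rec["source"]] = rec["event"] - rec["received"]
    return offsets
```

On the constructed lines this reports app1 running about fifteen minutes slow, a 19-minute silence from fw1, an 18-minute silence from web1, and web1's clock stepping backwards.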

8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals.

9. Determine whether appropriate detection capabilities exist related to
- Network related anomalies, including
  - Blocked outbound traffic
  - Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies
  - Unusual or malicious packet payloads
- Host-related anomalies, including
  - System resource usage and anomalies
  - User related anomalies
  - Operating and tool configuration anomalies
  - File and data integrity problems
  - Anti-virus, anti-spyware, and other malware identification alerts
  - Unauthorized access
  - Privileged access

10. Evaluate the institution's self-assessment plan and activities, including
- Policies and procedures conformance
- Service provider oversight
- Vulnerability scanning
- Configuration verification
- Information storage
- Risk assessment and monitoring plan review
- Test reviews

11. Evaluate the use of metrics to measure
- Security policy implementation
- Security service delivery effectiveness and efficiency
- Security event impact on business processes

12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider:
- Personnel
- Scope
- Controls over data integrity, confidentiality, and availability
- Confidentiality of test plans and data
- Frequency

13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing
- Monitoring
- Classification
- Escalation
- Reporting
- Intrusion declaration

14. Determine whether an intrusion response team
- Contains appropriate membership;
- Is available at all times;
- Has appropriate training to investigate and report findings;
- Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate);
- Has appropriate authority and timely access to decision makers for actions that require higher approvals; and
- Has procedures for submitting appropriate incidents to the industry ISAC.

15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider
- Documentation of the roles, responsibilities and authority of employees and contractors, and
- Conditions for the examination and analysis of data, systems, and networks.

16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.

17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements.

18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry.

19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums.
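One way to carry out the checksum verification that item 19 names before a rebuilt host is returned to service, as an added example that is not part of the work program: the manifest layout (sha256sum-style lines) and the sample file tree are constructed for it, and in practice the manifest would be generated on a trusted build host and kept with the off-line authoritative copies that Host Security item 12 asks for.

```python
"""Verify a rebuilt or retained host against an authoritative checksum
manifest before it is reactivated. The manifest and the file tree below are
constructed for this example.

Manifest lines are "<sha256 hex>  <relative path>", the layout sha256sum
writes, so the manifest can be produced on a trusted build host and kept
off line with the authoritative host configuration.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(files):
    """Build manifest text from {relative path: trusted content}."""
    return "".join(f"{sha256_bytes(data)}  {path}\n" for path, data in sorted(files.items()))


def parse_manifest(text):
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected[path.strip()] = digest.lower()
    return expected


def verify_tree(root, manifest_text):
    """Compare every file under root with the manifest.

    Returns (modified, missing, unexpected): paths whose digest differs from
    the manifest, manifest entries with no file on disk, and files on disk
    that the manifest does not list. Any non-empty list means the host is
    not provably clean and should not be reactivated.
    """
    expected = parse_manifest(manifest_text)
    present = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present[rel] = sha256_file(full)
    modified = sorted(p for p in expected if p in present and present[p] != expected[p])
    missing = sorted(p for p in expected if p not in present)
    unexpected = sorted(p for p in present if p not in expected)
    return modified, missing, unexpected


# Constructed trusted contents of a small software tree (stand-ins for binaries).
TRUSTED_FILES = {
    "bin/login": b"trusted login binary v1\n",
    "bin/sshd": b"trusted sshd binary v1\n",
    "etc/app.conf": b"listen=443\nauth=required\n",
}
AUTHORITATIVE_MANIFEST = make_manifest(TRUSTED_FILES)


def write_sample_host(root):
    """Lay out a constructed 'restored' host: one binary altered, one config
    file missing, and one file nobody authorised."""
    restored = dict(TRUSTED_FILES)
    restored["bin/sshd"] = b"trusted sshd binary v1\n" + b"extra bytes\n"
    del restored["etc/app.conf"]
    restored["tmp/.cache"] = b"unlisted file\n"
    for rel, data in restored.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Verify the constructed host; returns (modified, missing, unexpected)."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_host(root)
        return verify_tree(root, AUTHORITATIVE_MANIFEST)


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:", modified)      # ['bin/sshd']
    print("missing:", missing)        # ['etc/app.conf']
    print("unexpected:", unexpected)  # ['tmp/.cache']
```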

20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies.

21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including
- Identifying the customer information and customers affected;
- Protecting those customers through monitoring, closing, or freezing accounts;
- Notifying customers when warranted; and
- Appropriately notifying its primary federal regulator

22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider
- Assignment of responsibility
- Prioritization of work to be performed
- Appropriate funding
- Monitoring, and
- Follow-up activities

Examiner Date

Reviewer's Initials