Information Technology Request List
Total Page:16
File Type:pdf, Size:1020Kb
INFORMATION TECHNOLOGY REQUEST LIST
Institution: Examination Date:
Please include all requested information offsite or via FDICconnect, if possible. Please mark items with an X in the “onsite” column below if they are not able to be provided offsite. Items marked as “onsite” should be retained in your offices for examiner review during the onsite portion of the examination. If any items do not pertain to your institution, please type NA in the “onsite” column below.
For documents that are too long for convenient copying, please provide originals for examiner review at the institution. Clearly identify all items that should be returned to bank personnel.
IT AUDIT / INDEPENDENT REVIEW PROGRAM Item # Onsite Item Description 31.01 All IT-related internal and external audit reports and reviews completed since the previous examination, including reviews of the Information Security Program and Identity Theft Program. Include engagement letters for outsourced audits and reviews. 31.02 Most recent IT audit risk assessment and corresponding IT audit plan. 31.03 Most recent vulnerability assessment and penetration test. 31.04 Audit and regulatory findings/exceptions tracking reports and audit committee minutes, if not already provided as part of the risk management request package. 31.05 Organization chart of audit department. 31.06 Résumé or brief biographical worksheet of IT auditor(s) stating training, education, and experience. 31.07 IT auditor’s job description and/or a listing of all duties (audit and other) performed.
IT MANAGEMENT AND IDENTITY THEFT RED FLAGS Item # Onsite Item Description 32.01 List of all committees or groups (Board, management, department, and other) that are responsible for IT-related discussions, including information security and cybersecurity. For each committee (group), provide the primary function, member names and titles, and frequency of meetings. 32.02 Minutes of any IT-related committee(s) meetings since the previous examination. 32.03 All IT-related policies. Include the most recent approval date. 32.04 Information Security Program. 32.05 Most recent annual information security report to the Board as required by the Interagency Guidelines Establishing Information Security Standards. 32.06 IT risk assessments (and related Board reports) completed since the previous examination. Examples include information security, DR/BCP, vendor management, Internet banking/enhanced authentication, cybersecurity, and new products and delivery channels. Include the date of last update and approval date for each risk assessment provided. 32.07 All information security training material since the previous examination, including employee attendance records. Indicate date(s) training was provided. 32.08 Summary of IT-related insurance policies.
State 1 08/2017 INFORMATION TECHNOLOGY REQUEST LIST
32.09 Due diligence and system security reviews for critical service providers, including any periodic analysis of the financial condition and control environment. 32.10 Organization charts for the IT and information security departments. 32.11 IT strategic plan and budget. 32.12 Contracts/agreements with new or renewed vendors since the previous examination. 32.13 Management succession plans for the IT department. 32.14 Biographical data/résumé and job descriptions for key IT personnel hired/promoted since the previous examination. 32.15 A listing of any new products and/or services that are being implemented or have been implemented since the previous examination. 32.16 List of technologies used to identify red flags, and include a description of what the technology does. 32.17 Documentation of staff training for identity theft red flags.
IT DEVELOPMENT AND ACQUISITION Item # Onsite Item Description 33.01 List of current and completed projects since the previous examination. 33.02 Due diligence reviews for any new critical vendors added since the previous examination. 33.03 Project and change management guidelines, if not already provided within the IT- related policies requested under Management. 33.04 Description of custom software used. 33.05 Description of the in-house programmers’ responsibilities for maintaining each application and/or operating system. 33.06 List of current in-house programming projects, together with hours budgeted versus hours used to date. 33.07 List of in-house programming projects completed since the previous examination, if not already included with the list of projects requested above. 33.08 Summary of in-house program development, testing, and migration methodology.
IT OPERATIONS Item # Onsite Item Description 34.01 The attached Products and Services Template. 34.02 Network topologies, diagrams, or schematics depicting physical and logical operating environment(s), including network devices, firewall, IDS/IPS, and connectivity to hosts, branches, and recovery sites. Do not include IP addresses. 34.03 A list of reports (e.g., file maintenance, parameter change, exception events) used by management to monitor IT operations. 34.04 Documentation related to patch management (e.g., status reports, aging reports). 34.05 Virtualization contracts or service level agreements and ongoing monitoring materials. 34.06 Sample of reports used to track and resolve reported network or terminal problems. 34.07 Samples of capacity management monitoring reports utilized to monitor CPU, disk, and other hardware performance limits.
State 2 08/2017 INFORMATION TECHNOLOGY REQUEST LIST
INFORMATION SECURITY Item # Onsite Item Description 35.01 The review process (including frequency) for individuals’ system access rights and privileges for each critical software application and the network. 35.02 Samples of reports used to review individuals’ system access rights. 35.03 Reports used to monitor security violations, such as failed access attempts. 35.04 Methodologies (e.g., logical and physical controls) to protect sensitive customer data. 35.05 Methodologies (e.g., passwords, tokens, certificates) used to authenticate customer and employee access. 35.06 Password parameter controls, such as length, alpha/numeric, repeat use, frequency of change, similar use, and repeating characters, for critical platforms. 35.07 Monitoring procedures used to detect attacks and/or intrusions, including cyber attacks. 35.08 Procedures for virus/malware detection, including the process for keeping software and signatures current. 35.09 Wireless Network configuration standards used and most recent review of wireless configurations. 35.10 List of devices owned by personnel that access bank information systems. Include employee name and a description of which systems can be accessed with each device. 35.11 List of institution-issued mobile devices. Include employee name and a description of how these devices are used. 35.12 Most recent virus signature update report. 35.13 Security controls and monitoring practices for remote access. 35.14 List of users with remote access rights, including third parties.
DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING Item # Onsite Item Description 36.01 Disaster recovery plans, business continuity plans, business resiliency plans, emergency preparedness plans (if separate), including a list of modifications or changes since the previous examination. 36.02 Business impact analyses and risk/threat assessments. 36.03 Reports of all disaster recovery and business continuity tests since the previous examination, including date, scope, results, and action plans. Also provide a copy of any reports to the Board. 36.04 The agreement with the backup processing site, if applicable. 36.05 For applications serviced by others, contract(s) for disaster recovery services offered by that servicer. If no contract(s) exist, provide a description of other arrangements that have been made. 36.06 A list of critical items maintained off-site for disaster recovery purposes.
E-BANKING / ELECTRONIC FUNDS TRANSFERS Item # Onsite Item Description 37.01 List of customers for which the bank originates ACH transactions; include exposure
State 3 08/2017 INFORMATION TECHNOLOGY REQUEST LIST
limits, a sample agreement, and most recent credit review. Review procedures and reports used to monitor ACH activity. 37.02 Wire Transfer contingency plans, a list of wire transfer system users with access rights and established limits, logical security controls, wire transfer logs, and management monitoring reports showing type and volume of activity. 37.03 List of recurring wire transfer customers. Include established limits for each customer, a sample customer agreement, and most recent customer review. 37.04 Fedline procedures for token management, the Fedline Event Tracker Report for the last year, a copy of the Subscribers and Roles Report, a screen print of the verification rules settings (tools and preferences, processing options, and verifications tab), and a screen print of the Applications Audit log entries. 37.05 Sample of remote deposit capture customer agreements; agreements with third-party providers of hardware, software, or outsourced services; and customer lists with exposure limits. 37.06 Sample of e-banking customer agreements, type and volume of e-banking transactions conducted, fraud or anomalous e-banking activity reports, and customer education materials on safe e-banking. 37.07 Percentage of mobile banking customers enrolled, type and volume of transactions conducted by delivery channel, fraud or anomalous activity reports, and customer education materials on safe mobile banking.
State 4 08/2017