Contributed 6/9/99 by Deborah Ray (debray@ebicom.net)

INFORMATION SYSTEMS AUDIT
AUDIT PROGRAM
IT Audit Checklist for Physical Security of Computer Room

Our objectives are to ensure:

* Management has taken appropriate and timely action to address the deficiencies noted in prior audit and examination reports.
* Senior management develops and implements long- and short-range plans that fulfill the bank's mission and goals.
* Senior management has appointed a planning or steering committee to oversee the information services function and its activities.
* Segregation of duties is adequate.
* Management assumes full responsibility for formulating, developing, documenting, promulgating, and controlling policies, and that procedures are in place to determine that policies and procedures are being followed.
* The bank is in compliance with external requirements (regulations, laws, etc.).
* A written plan has been developed and maintained for restoring critical information services in the event of a major failure.
* The adequacy and effectiveness of the IS disaster recovery/contingency plan is reviewed, tested, and maintained on a regular basis.
* Senior management has defined and implemented IS standards and adopted a system development life cycle methodology governing the process of developing, acquiring, implementing, and maintaining computerized information systems and related technology.
* Management of the IS function schedules routine and periodic hardware maintenance to reduce the frequency and impact of performance failures.
* Problems and incidents are resolved, and the cause investigated to prevent any recurrence.
* Management has implemented a proper strategy for backup and restoration.
* Backup procedures include the proper storage of the data files and software.
* Management regularly assesses the need for uninterruptible power supply batteries and generators to secure against power failures and fluctuations.
* Appropriate physical security and access control measures have been established.
* System security is adequate to safeguard information against unauthorized use, disclosure or modification, damage or loss.
* Adequate preventative and detective control measures have been established regarding computer viruses.
* For each relationship with a third-party service provider, a formal contract is defined and agreed upon.

PRELIMINARY PROCEDURES

Obtain a current list of the personnel who work in the data processing department, including their duties.

Obtain or prepare a schedule of major DP equipment (include manufacturer and model). If equipment is leased, indicate the name of the lessor and the terms of the lease.

Obtain or prepare a list of all automated applications. Include the name of the vendor, software package, and version. In addition, identify the operating system in use.

PRIOR AUDIT AND EXAMINATION REPORTS

Review the previous audit report and note items to be followed up during the current audit. Determine if management has taken appropriate and timely action to address the deficiencies noted in the audit report.

Review any examination reports received since the last audit. Determine if management has taken appropriate and timely action to address any deficiencies noted.

INTERNAL CONTROL QUESTIONNAIRE

Complete the Internal Control Questionnaire to get a general overview of controls in the area.

MANAGEMENT

Planning

Obtain a list of board, information systems ("IS") steering, or relevant management committees that meet regularly to review IS-related matters. Indicate the title of each member and determine if IS, the user community, and audit are well represented.
(FFIEC-9)

Determine if committees review, approve, and report to the board on:

* Short- and long-term information systems plans
* IS operating standards, including computer security and data security standards and procedures
* Resource allocation (major hardware/software acquisition and project priorities)
* Status of major projects
* IS budgets and current operating cost
* Corrective actions on significant examination and audit deficiencies (FFIEC-9)
* Operating results of the EDP function in the period prior to the meeting (may be a statistical report) (B)
* User comments and complaints (B)

Review the strategic plans for IS activities. Document significant changes recently made or planned that affect the bank's organizational structure, hardware/software configuration, and overall data processing goals.

Policies, Standards, and Procedures

Determine if IS management has adequate standards and procedures for governing:

* Systems development and support functions
* Computer operations
* Telecommunications network operations
* Computer and information security
* Contingency planning/disaster recovery (FFIEC-9, L-3)

Determine whether the board of directors has reviewed and approved the bank's IS policies. (B-1)

Determine if standards and procedures address:

* Adequate segregation of duties
* Limiting access to sensitive IS resources (magnetic media, documentation, and computer equipment)
* Ensuring authorization of all activities within the IS area. (FFIEC-9)

Verify the bank's compliance with these policies and procedures. (P)

Financial Analysis

If the bank receives significant outside DP support:

* Obtain the name and location of the servicers.
* Determine that the services are covered by a formal written service agreement. (FFIEC-9)
* Determine if the bank has reviewed the current financial condition of the servicers.
(FFIEC-9 & Banking Circular 187)

Based on the information available, determine if any servicer raises concern because of financial weakness or inadequate operational controls. If such concern exists:

* Determine if conditions have been satisfactorily resolved.
* Determine what action has been taken to correct the conditions.
* Determine if management has identified or secured alternative sources of IS support if conditions are not corrected. (FFIEC-9)

Insurance

Review the adequacy of insurance coverage (if applicable) for:

* Employee fidelity (blanket bond)
* IS equipment and facilities
* Media reconstruction
* EFTS activities
* Loss resulting from business interruptions
* Errors and omissions
* Extra expenses, including backup site expenses
* Items in transit (including cash letters) (B-4)
* Other probable risk (FFIEC-9)

Read board minutes to determine whether the board of directors has reviewed and approved the bank's requirements for EDP-related insurance coverage. (B-4)

Determine that an EDP rider is included in the bank's general property insurance. (B-4)

If the bank processes work for others, verify that an EDP errors-and-omissions policy or rider is in effect. (B-4)

If the insurance policy requires that specific equipment be listed for coverage, determine that the listing currently supplied to the carrier is accurate. Check all big-cost items in the fixed asset listing and sample lesser-cost items. (B-4)

Verify that coverage is current and that premiums have been paid. (B-4)

Examine the business-interruption coverage limits. Determine whether the bank has made calculations of the probable actual cost of interruption during various disasters and identified the amount of interruption cost it will have to bear after insurance coverage. (B-4)

CONTINGENCY PLANNING

IS Contingency Planning

Determine if the data center has a properly documented contingency plan.
Verify that the IS contingency plan properly supports and reasonably reflects the goals and priorities found in the corporate contingency plan. (FFIEC-10)

Review the written IS contingency plan to determine if it:

* Clearly identifies the management individuals who have authority to declare a disaster.
* Clearly defines responsibilities for designated teams or staff members.
* Explains actions to be taken in specific emergency situations.
* Allows for remote storage of emergency procedures manuals.
* Defines the conditions under which the backup site would be used.
* Has procedures in place for notifying the backup site.
* Has procedures for notifying employees.
* Establishes processing priorities to be followed.
* Provides for reserve supplies. (FFIEC-10)

Determine if all critical resources are covered by the plan, including data communications networks, ATMs, etc. (FFIEC-10)

Determine if a copy of the IS contingency plan is stored off-site. (FFIEC-10)

Hardware Backup

Describe arrangements for alternative processing capability in the event the data center or any portion of the work environment becomes disabled, and document that the arrangements are in writing. (FFIEC-10)

Determine that there is a designated backup computer hardware system, and that it is a practical site for backup operations until current equipment can be repaired or a new computer can be installed. (B-15)

Determine if the backup site:

* Has the ability to process the required volume.
* Provides sufficient processing time for the anticipated workload based on emergency priorities.
* Allows the bank to use the facility until it achieves a full recovery from the disaster and resumption of activity at the bank's own facilities. (FFIEC-10)

Determine how customers would be accommodated if simultaneous disaster conditions were to occur to several customers of the backup facility provider.
(FFIEC-10)

Determine whether the bank is kept informed of any changes at the recovery site (e.g., hardware or software upgrades or modifications) that might require adjustments to the bank's software or to the recovery plan. (FFIEC-10)

Determine if the plan provides physical security at the recovery site. (FFIEC-10)

Determine what agreements, commitments, or projections have been made with and by hardware vendors regarding the period of time required to replace hardware. Determine that a vendor has been identified and at least speculative contacts have been made with that vendor. (B-15)

Program or Software Recovery

Determine if:

* Duplicates of the operating system are available both on- and off-site.
* Duplicates of the production programs are available both on- and off-site (including both source and object versions).
* All programming and system software changes are included in the backup.
* Backup media stored off-site can be retrieved quickly at any time. (FFIEC-10)

Verify the IS contingency plan provides for logical security procedures at the recovery site. (FFIEC-10)

Data Recovery

Determine if all master files and transaction files are backed up adequately to facilitate recovery should a disaster occur. (FFIEC-10)

Testing

Determine if the IS contingency plan is tested at least annually. (FFIEC-10)

Determine if all critical applications and services are tested. (FFIEC-10)

Determine if the tests include:

* Setting goals in advance.
* Realistic conditions and activity volumes.
* Use of the actual backup system and data files from off-site storage.
* Participation and review by internal audit.
* A post-test analysis report and review process that includes a comparison of test results to the original goals.
* Development of a corrective action plan for all problems encountered. (FFIEC-10)

Determine if the last test included the following:

* The ability to load and run application software.
* The availability of input devices (number and type) which are compatible with the Bank's current operation.
* The ability of the Bank to conduct as much of its operation in its standard mode as possible.
* The availability of work space at the backup site or the ability to establish telecommunications links to the backup site to support ongoing operations.
* The availability of output devices and methods in parallel with current operations.
* The availability of processing time on the backup computer to ensure that critical operations can be processed in the time frame allowed. (B-16)

Determine if several user departments have been involved in testing at the same time to uncover potential conflicts. (FFIEC-10)

SYSTEMS DEVELOPMENT AND PROGRAMMING

Project Management and Control

Determine whether there is a written plan for future changes to current hardware, software, or the addition of new applications. Obtain a copy of the plan and note major items. (B-28)

Standards

Determine whether the following written policies, procedures, and standards are adequate:

* Application systems development
* Application program development
* Operating system maintenance
* Program change control
* Testing
* Program and system documentation
* Implementation (FFIEC-12)

Application Systems Development

Obtain or prepare a list of all automated applications currently in use or under development. Indicate if the applications were purchased or developed in-house.

Determine whether:

* All required documentation is present and sufficiently detailed to evidence complete compliance with established standards.
* The structure of the System Development Life Cycle (SDLC) planning includes all appropriate phases and whether they were completed as prescribed by the plan.
* The audit trails, exception reports, and system security designs are adequate.
* User manuals, terminal operating guides, and computer operator instructions are adequate.
* The board, senior management, applicable committees, computer operations, user departments, and audit were involved in all phases of the development process.
* The project was successful in meeting the objectives established in the system's definition phase. (FFIEC-12)

For purchased software:

* Determine whether new releases are tested before installation.
* Evaluate the recordkeeping techniques used to ensure that current releases, updates, and problems with purchased systems are properly tracked.
* Determine if the bank is using the most recent release. (B-11)

Application Program Development

Review selected documentation for at least one in-house developed program. Trace the program's development from the initial request through the post-implementation review process. Determine:

* If all required documentation is present and sufficiently detailed to evidence full compliance with established programming standards.
* The applicability and adequacy of involvement by senior management committees, computer operations, users, and audit.
* Whether the program meets the objectives of the original request, based on test results and user feedback. (FFIEC-12)

For MIS-initiated program requests, determine:

* Whether standard program request procedures were followed.
* If a user department was affected, whether there was appropriate consultation between users and the IS department.
* Whether appropriate documentation and training were provided to users and computer operators. (FFIEC-12)

Accounting

Ensure the bank is expensing, as incurred, the cost of internally developed computer software developed for the bank's own use. This also includes the modification and implementation costs of purchased software. (Banking Circular 203)

Operating System Maintenance

Request a printout of the bank's program library. Determine if any utilities or compilers are maintained on the computer. Also, determine whether such programs are in the bank, but not on the computer.
Determine who uses such software and the extent of the review that is exercised over the use of the software.

Obtain and review the operating system installation plan, the system generation report, the system log, and other system-related activity reports. (Review changes made to the operating system and supporting system software to determine compliance with standards, including adequate internal controls.) Determine if:

* All functional system options are consistent with the approved installation plan.
* The overall supervision by management over system programmer activities is adequate.
* Controls over the following are adequate:
  * New system installation
  * Implementation of new releases
  * In-house enhancements or tailoring
  * Emergency fixes and other temporary modifications
  * Documentation of changes
  * System testing
  * Management or supervisory approvals.
* Controls over data-altering utilities, user exits, privileged instructions, and libraries are adequate.
* System logs and reports adequately record system programmer activity.
* Vendor technicians and outside consultants are subject to the same policies and controls as in-house staff. (FFIEC-12)

Program Maintenance

Review program changes for selected applications to determine compliance with standards and the adequacy of internal control. Determine:

* If the program change control procedures provide adequate guidelines to control the function.
* If change standards and procedures are adhered to.
* If documentation is complete.
* The adequacy of involvement of users, audit, and IS management in the request and approval processes. (FFIEC-12)

For emergency program fixes and other temporary changes, determine if:

* Prescribed procedures are followed.
* Documentation is sufficiently detailed to explain the nature of the emergency change, the immediate action taken to address the problem, and subsequent actions to permanently correct the problem.
* Emergency changes are incorporated into the next production version of the program.
(FFIEC-12)

Testing

Determine whether standards require that:

* The approach includes testing for illogical conditions, out-of-sequence data, and excess volume.
* The scope includes all functions, programs, and interface systems.
* All test discrepancies are adequately documented and resolved.
* Users participate in the actual testing phase.
* All test plans and results are documented and retained. (FFIEC-12)

Documentation

For an application, determine if:

* Overall systems and program documentation adheres to standards.
* Documentation is complete and current. (FFIEC-12)

Implementation

Review documentation generated from the implementation process and determine if:

* Controls ensure complete integrity of programs between the test and the production environments.
* Adequate supervisory review and approval precedes all implementation of program products.
* System-level implementations are subject to the same controls as application-level activity. (FFIEC-12)

Security Controls

Obtain copies of the security access and control files for the operating system, major third-party systems products, and interactive programming facilities. Also, obtain a list of data-altering utilities, user exits, user interface programs, and privileged commands. Using these documents, determine:

* Whether the data security administration function is independent of systems and programming, or if sufficient compensating controls preclude absolute control over major aspects of the function by one person.
* If all programmers have unique user IDs and passwords.
* If auto sign-ons are prohibited.
* If management has identified and documented all privileged or sensitive programs and library products, and if access is on an absolute need basis only.
* If strict controls govern their use, development, and implementation. These controls should include supervisor approval, activity logging, and review procedures.
* If details of all in-house and vendor exits, and of programs designed to run in supervisor state or otherwise capable of bypassing security, are provided to the system security administrator and the audit department.
* If system access and levels of authority are consistent with the job functions.
* If all changes to the system security software are approved by the system security administrator (or the administrator is advised thereof), and if details of the changes are provided to the audit department.
* If interactive programming and security software provide an adequate audit trail to identify the programmer, the programs or utilities used, the files or programs accessed, and the nature of the access (change, delete, view, etc.).
* The adequacy of segregation of duties for application programming, systems programming, computer operation, and system security functions.
* If management periodically reviews the user authorization file for accounts with unnecessary privileges, and whether the review is documented.
* If physical or logical separation between the production and test environments is maintained.
* The adequacy of controls over dial-up access. (FFIEC-12)

Backup and Recovery

Review disaster recovery plans, emergency procedures, and other relevant documentation to determine if:

* There are persons with sufficient training and experience to provide backup for the major systems and programming functions.
* Operations has a list of persons to notify if an application requires immediate maintenance.
* Sufficient backup is maintained to ensure continued production should problems be encountered during the maintenance process. (FFIEC-12)

Vendor Software/Support

Obtain and review copies of all vendor and consultant contracts and agreements, available financial statements, escrow agreements, and applicable written standards.

Ensure software purchase and selection standards require:

* Clear definition of user requirements
* Clear definition of system requirements (equipment, interface, etc.)
* Cost/benefit analysis
* Software support (in-house or vendor provided)
* Financial condition of vendor
* Escrow agreements
* User documentation and training (FFIEC-12)

Ensure the financial strength and technical expertise of the vendor give assurances that it is capable of providing adequate maintenance support to satisfy the current and future needs of bank customers. (FFIEC-12)

Ascertain if the vendor supplies source code or maintains a third-party escrow for the benefit of the serviced bank. If documentation and source code are held under an Escrow Agreement, the agreement should include the following provisions:

* Definition of acceptable software maintenance
* Conditions whereupon the bank can obtain the source programs and documentation
* The media in which the source programs will be released
* Arrangements for auditing the escrow arrangement
* An assurance, which includes a provision for periodic testing, that the most current versions of source programs and documentation will be held by the escrow agent. (Obtain a third-party letter regarding this assurance.) (B-16)
* The escrowed version will include any custom software prepared for the Bank. (B-15) (FFIEC-12)

If contract programmers are employed:

* Determine if written contracts are in effect.
* Ensure insurance coverage is adequate.
* Ensure they are subject to the same policies and procedures as in-house staff. (FFIEC-12)

OPERATIONS

Management Reporting and Planning

Determine whether performance is reported to management regularly. Obtain a copy of the most recent reports. They should include:

* Response times
* Throughput
* Proportion of downtime
* Frequency and maximum duration of outages
* Proportion, types, and causes of job failures
* Computer system peak and average utilization and trends. (FFIEC-13)

Physical Environment

Ascertain if the computer room has an adequate and safe fire-suppression system with associated detectors (heat, smoke, water) and whether other necessary environmental controls are in use.
(FFIEC-13)

Ensure fire-suppression equipment would effectively extinguish fires without harm to equipment and documents in the computer room. (B-18)

Determine that the computer is protected by an Uninterruptible Power Source (UPS) to ensure smooth transition of operations in the event of power failure. (B-18)

Determine if sensitive forms, negotiable items (checks, stock certificates, etc.), and signature plates are adequately controlled. (FFIEC-13)

Negotiable forms should be maintained under dual control, and a log of each type of form should be maintained. The log should provide for identification of the form numbers and identification of the persons placing forms into or withdrawing them from the supply. (B-35)

Negotiable forms should be pre-numbered. (B-36)

Wasted/spoiled negotiable forms should be marked "void" and delivered to an authorized individual, who will mark the inventory records for the forms supply and further deliver them to the files of paid/voided checks in the department that maintains such records. (B-36)

Equipment Maintenance

Review the equipment malfunctions log for patterns of recurring malfunction or repair that have resulted in frequent disruption of operations and/or excessive cost. (FFIEC-13)

Determine the existence of a program of regular preventive maintenance. (FFIEC-13)

Examine maintenance logs maintained at the bank by the hardware vendor(s). Examine the maintenance contract(s) to determine that maintenance is being performed as called for in the contract(s). (B-31)

Operational Procedures

Obtain a current list of the personnel who work in the DP facility, including their duties in DP and outside DP.

Review the operators' duties and determine whether they are prevented from:

* Originating entries for processing.
* Correcting data exceptions, unposted, or rejected items.
* Preparing any general ledger and/or subsidiary ledger entries.
* Performing any balancing functions (reconcilements) other than run-to-run control.
* Running test programs against live or backup files.
* Executing programs from the test library during production runs.
* Controlling report generation and distribution. (FFIEC-13)

Review the console log. Determine whether it is reviewed by supervisory personnel and retained for a reasonable length of time in safe storage to provide an audit trail. (FFIEC-13)

Review the job scheduling function and assess its adequacy. (FFIEC-13)

Review the problem reporting/resolution tracking system and determine whether:

* Problems are appropriately logged and prioritized.
* Corrective measures are implemented in a timely manner.
* Management reporting procedures are adequate. (FFIEC-13)

Determine that all applications place internal (or electronic) labels on tape and disk files, and that all applications check for a proper date on input files. (B-34)

Determine log-on procedures. (The system should ask for today's date and the date of the last processing session.) (B-34)

Determine that each tape and/or disk file has an external label which has been completed according to pre-determined standards. (B-34)

Determine whether computer output is protected from unauthorized access (i.e., by placement in locked bins assigned to specific individuals or departments). (FFIEC-13)

If optical disk storage of reports is used, determine that the following steps are taken:

* A review function ensures that all files are downloaded to the optical disk.
* A backup copy of each disk is maintained, as well as the working copy, and the backup copy is protected in the same fashion as backups of other media. (B-17)

Emergency Procedures

Determine if the posted emergency procedures address:

* Instructions for shutting off utilities.
* Instructions for powering down equipment.
* Instructions for activating/deactivating fire suppression equipment.
* Personnel evacuation.
* Securing valuable assets. (FFIEC-13)

Determine if emergency procedures are conspicuously posted throughout the organization.
(FFIEC-13)

Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented. (FFIEC-13)

Backup

Review procedures for the creation and rotation of backup media (disks or tapes). Determine whether backup procedures provide for the ability to adequately recover:

* Operating systems
* Application programs
* Master files
* Transaction files
* System utilities
* Any other programs that are necessary to restore operations at the recovery site. (FFIEC-13)

Verify that the computer's disk storage is backed up daily. (B-14)

Determine if backup media (disks or tapes) are rotated off-site in a timely manner. (FFIEC-13)

Determine if the off-site storage facility is:

* Sufficiently remote from the processing facility.
* Adequately controlled for access and environment.
* Accessible within a reasonable time frame, if backups are needed. (FFIEC-13)

Verify that controls exist to ensure that all backup files have been returned to the bank from their off-site storage locations. (B-14)

Verify that backup data files are checked for readability on a planned basis. (B-14)

Tape Library

Determine whether a tape management system is in place. (FFIEC-13)

Identify what prevents unauthorized removal, introduction, or substitution of tapes. (FFIEC-13)

Identify what prevents the mounting and use of the wrong tape. (FFIEC-13)

Identify what prevents the inadvertent use of an active tape as a scratch tape. (FFIEC-13)

Verify that the tape library (used for on-site storage) is a sufficient distance from the computer room and adequately protected to ensure that if a disaster befell the computer room, the tape library would survive, and vice versa. (B-14)

Determine whether:

* The tape library is environmentally controlled.
* Tapes, including backups, are tested periodically for defects.
(FFIEC-13)

Determine if the data center can produce a report showing all tapes on hand, and:

* How frequently the inventory is updated.
* Whether off-site tapes are accounted for.
* If the inventory includes:
  * Volume name/number
  * Location
  * Names of all files on the volume
  * Creation and expiration dates of the contents. (FFIEC-13)

Traceability

Determine that a trace number and/or other identification is carried through the system with each transaction so as to ensure the ability to identify the author of a transaction or file maintenance input. (B-33)

Determine the ability to trace on-line transactions from any stage of processing back to origin or forward to completion. (Note: This implies that there should be some identification characteristic appended to the transaction at the time of capture which is shown at all stages of processing.) (B-33)

If records are deleted from the computer file because of errors or for other reasons (e.g., restarts after processing has started), determine that the deletion process is supervised by an officer and signed off by that individual. (B-33)

SECURITY - PHYSICAL & DATA

Security Administration and Accountability

Determine if an overall security administrator has been appointed. (FFIEC-14)

Determine that the system security officer is prohibited from routine operating duties in the computer facility. (This person should not have system operating duties and should be sufficiently independent from the computer operation to ensure that he/she cannot create, delete, or suppress passwords in order to cover improper activities.) (B-9)

Security Plan

Review the data security plan and/or policy. Determine if the security procedures cover:

* Physical protection of the DP facility.
* Designation and duties of the security officer(s).
* Authorized data and program access levels.
* Requirements for password composition and change procedures.
* Requirements for access via terminals, modems, or computer system interconnection.
* Monitoring and follow-up of security violations. (FFIEC-14)

Determine whether procedures are in place to update the security plan and/or policy. Ensure updates to the policy and procedures are distributed to and reviewed by all appropriate personnel in a timely manner. (FFIEC-14)

User Education

Determine if an education program has been implemented to promote user awareness about the bank's security policies and procedures, and assess the adequacy of the training program and materials. (FFIEC-14)

Determine whether employees certify periodically as to their understanding and awareness of the information security program. (FFIEC-14)

Physical Security

Assess the building's security program and describe the equipment and/or other measures the data facility uses to provide protection. (FFIEC-14)

Determine that the computer room is equipped with locks to limit access, and that access devices are properly assigned and accounted for. (Access devices may be keys, magnetic cards, or combinations.) (B-7)

If keys or magnetic cards are used, verify that they are accounted for by an inventory control and recovered if the assigned individual leaves the bank's employment or moves to a job that does not warrant access to the computer facility. (B-7)

If combination locks are used, verify that they are changed on a regular basis to ensure that the usefulness of a combination known to a former employee would be short-lived. (B-7)

Determine the basis on which individuals are given keys, cards, or combinations to the computer room. Access should be on a need-to-enter basis only. (For example, the bank's president does not have a need to enter, but the computer operator does. Need is not a function of rank, but of job responsibilities.) (B-7)

Through observation, determine that doors to the computer room are kept locked at all times. (B-7)

Determine that a log of access to the computer room is maintained.
The log should contain at least the signatures of individuals who are not regularly on duty in the computer room. (B-8)

Determine that when anyone who is not regularly assigned to the computer room enters the secure area, that individual has to sign an entry log. (B-8)

Verify that a list of persons authorized to be in the computer room is posted in plain sight, and that individuals not on the list are required to be accompanied by individuals who are so authorized. (No one should be allowed in the computer room, including check-processing areas, without authorization or sponsorship and without the presence of an official who is authorized to grant access to the computer room.) (B-8)

Determine that service technicians are identified by official documents from their employers until they are well known and recognized by the staff of the computer room. (B-8)

Hardware and Software Inventory

Determine if an inventory system is used to record hardware purchase, distribution, and disposal. Assess its adequacy. (FFIEC-14)

Determine if all software (whether purchased or developed in-house) is accounted for through an inventory system. Assess its adequacy. (FFIEC-14)

Data and Program Security

Determine how the security system operates, and:
* How access levels are granted.
* Whether all access is restricted unless specifically authorized.
* If the password file is controlled (e.g., encryption).
* How security violations are detected and reported.
* Who maintains the system and whether there is proper segregation of duties.
* If reports of security file maintenance are reviewed by an individual without maintenance duties. (FFIEC-14)

Determine that password security is in effect on all applications. (B-9)

Describe and assess the adequacy of controls over:
* Operating system commands, programs, and utilities.
* Application system source and object programs and utilities.
* Development and test programs.
* On-line functions, transactions, and data.
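The computer-room entry-log requirements above (B-7, B-8) can be tested by reconciling the door-access records against the posted authorized list and the visitor sign-in log. The following is an added example written for this checklist, not part of the original audit program or any FFIEC material; the authorized list, the door events, the sign-in entries and the ten-minute matching window are all constructed for illustration.

```python
"""Reconcile computer-room door-access events against the posted authorized
list and the visitor sign-in log (added audit-test example; all data below is
constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Posted list of persons authorized to be in the computer room (constructed).
# regular_duty marks staff regularly assigned there, who need not sign the log.
AUTHORIZED = {
    "jsmith": {"regular_duty": True},    # computer operator
    "bwong": {"regular_duty": True},     # shift operator
    "amartin": {"regular_duty": False},  # IS manager: authorized, not on duty
}


@dataclass(frozen=True)
class DoorEvent:
    person: str        # holder of the key/card that opened the door
    when: datetime


@dataclass(frozen=True)
class SignIn:
    person: str
    sponsor: str       # authorized individual accompanying the entrant
    when: datetime


def reconcile(events, sign_ins, window=timedelta(minutes=10)):
    """Return exception strings for entries that violate the entry-log and
    sponsorship requirements. A sign-in 'matches' an entry when it is for the
    same person within the assumed time window."""
    findings = []
    for ev in events:
        auth = AUTHORIZED.get(ev.person)
        if auth and auth["regular_duty"]:
            continue  # regularly assigned staff: no log entry required
        matches = [s for s in sign_ins
                   if s.person == ev.person and abs(s.when - ev.when) <= window]
        if not matches:
            findings.append(f"{ev.when:%Y-%m-%d %H:%M} {ev.person}: entry without sign-in")
            continue
        if auth is None and not any(s.sponsor in AUTHORIZED for s in matches):
            # Persons not on the posted list must be accompanied by someone who is.
            findings.append(f"{ev.when:%Y-%m-%d %H:%M} {ev.person}: "
                            "not on authorized list and no authorized sponsor")
    return findings


# Constructed sample data for one morning.
T = datetime(1997, 10, 15, 9, 0)
SAMPLE_EVENTS = [
    DoorEvent("jsmith", T),                             # regular duty, OK
    DoorEvent("amartin", T + timedelta(minutes=30)),    # signed in, OK
    DoorEvent("vendor_tech", T + timedelta(hours=1)),   # sponsored by jsmith, OK
    DoorEvent("amartin", T + timedelta(hours=2)),       # no sign-in: exception
    DoorEvent("contractor", T + timedelta(hours=3)),    # sponsor not authorized: exception
]
SAMPLE_SIGN_INS = [
    SignIn("amartin", "", T + timedelta(minutes=32)),
    SignIn("vendor_tech", "jsmith", T + timedelta(hours=1, minutes=2)),
    SignIn("contractor", "visitor2", T + timedelta(hours=3, minutes=1)),
]

if __name__ == "__main__":
    for line in reconcile(SAMPLE_EVENTS, SAMPLE_SIGN_INS):
        print(line)
```

Run against the constructed data this reports two exceptions: the unsigned second entry by the IS manager, and the contractor whose sponsor is not on the authorized list. In a real review the door events would come from the card-access system and the sign-ins from the paper log.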
(FFIEC-14)

Identify whether levels of access are approved and periodically reviewed by management. Determine that access levels are commensurate with job assignments, including whether:
* Data entry is separate from file maintenance.
* File maintenance is performed at a supervisory level or receives documented supervisory review.
* Individual users are restricted to application files and functions relative to their job responsibility. (FFIEC-14)

Assess whether passwords, user IDs, and encryption key procedures are adequately controlled for:
* The assignment of passwords.
* Changing passwords and IDs on a regular and frequent basis.
* Suppressing passwords and IDs on the video screen and all printed output. (FFIEC-14)

Determine the degree of emphasis the bank places on password confidentiality and the effectiveness of the means used to convey that emphasis (cautions placed in bank policies and/or procedures, in employee handbooks, included in training sessions, etc.). (B-9)

Determine that passwords are removed as soon as an individual's employment is terminated, to ensure that a terminated employee cannot gain access to the computer files through an outside terminal. (B-9)

Determine that passwords are changed regularly (at least quarterly for individuals who can change data files or make transactions, or semi-annually for individuals with inquiry-only privileges). (B-10)

Verify whether management advises employees that passwords should not be developed in such a way that they can be easily reconstructed (i.e., children's birthdays, social security numbers, anniversaries, etc., are avoided). (B-10)

Telecommunications Security and Access Controls

Describe the types of telecommunications systems used and assess their security features. (FFIEC-14)

Determine whether physical access to system terminals is appropriately controlled by terminal locks and/or a physically secure location.
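The access-level, segregation-of-duties, password-aging and terminated-employee steps above (FFIEC-14, B-9, B-10) are usually tested against an extract of the security system's user listing. Below is an added example of such a test, written for this checklist rather than taken from it or from any vendor product; the record layout, the function names, the sample users and the "as of" date are constructed. The age limits are the checklist's own: quarterly (taken here as 91 days) for users who can change data or post transactions, semi-annually (182 days) for inquiry-only users.

```python
"""Review a user access listing for segregation of duties, password aging and
terminated employees (added audit-test example; records are constructed)."""
from dataclasses import dataclass, field
from datetime import date

# Maximum password age by privilege level, from the checklist's quarterly /
# semi-annual requirement (day counts are an assumption).
MAX_AGE_DAYS = {"update": 91, "inquiry": 182}
UPDATE_FUNCTIONS = {"data_entry", "file_maintenance"}


@dataclass
class UserRecord:
    user_id: str
    access: str                       # "update" or "inquiry"
    functions: set = field(default_factory=set)   # application functions held
    password_changed: date = date(1997, 1, 1)
    employed: bool = True
    password_active: bool = True


def review_access(users, as_of):
    """Return findings for each user record that fails a checklist test."""
    findings = []
    for u in users:
        # B-9: passwords removed as soon as employment is terminated.
        if not u.employed and u.password_active:
            findings.append(f"{u.user_id}: terminated but password still active")
        if not u.password_active:
            continue  # nothing further to test on a disabled ID
        # FFIEC-14: data entry separate from file maintenance.
        if UPDATE_FUNCTIONS <= u.functions:
            findings.append(f"{u.user_id}: holds both data entry and file maintenance")
        # B-10: password age by privilege level.
        age = (as_of - u.password_changed).days
        limit = MAX_AGE_DAYS[u.access]
        if age > limit:
            findings.append(f"{u.user_id}: password {age} days old, limit {limit}")
    return findings


# Constructed sample listing.
SAMPLE_USERS = [
    UserRecord("op1", "update", {"data_entry"}, date(1997, 8, 1)),
    UserRecord("sup1", "update", {"file_maintenance"}, date(1997, 6, 1)),
    UserRecord("clerk2", "update", {"data_entry", "file_maintenance"}, date(1997, 10, 1)),
    UserRecord("auditr", "inquiry", set(), date(1997, 3, 1)),
    UserRecord("exemp", "update", {"data_entry"}, date(1997, 9, 1), employed=False),
    UserRecord("exemp2", "inquiry", set(), date(1997, 9, 1),
               employed=False, password_active=False),
]
AS_OF = date(1997, 10, 15)

if __name__ == "__main__":
    for line in review_access(SAMPLE_USERS, AS_OF):
        print(line)
```

Against the sample listing the review produces four findings: a stale supervisor password (136 days), a clerk holding both data entry and file maintenance, an inquiry-only user past the semi-annual limit (228 days), and a terminated employee whose password is still active. The disabled ID of the second former employee correctly produces nothing.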
(FFIEC-14)

Determine if logical access to system terminals is controlled appropriately by:
* User identification.
* Automatic call-back procedures.
* Automatic time-out or log-off.
* Time of day control locks.
* Terminal identification and authentication checks.
* Access exception reporting.
* Security logs.
* Encryption algorithms.
* Automatic log-on ID suspension when the number of attempts at accessing the system has reached a specified limit. (FFIEC-14)

If the bank's equipment has modems attached, determine the following:
* The bank requires, at a minimum, that the security system used for hard-wired terminals be in place. (B-12)
* The number of failed password attempts before disconnect is reduced to a minimal level (for example, no more than five). (B-12)
* Measures exist to identify hackers and their attempts to gain access to the system (e.g., immediate notice of failed password attempts). (B-12)
* Tests have been performed to ensure that the system will disclose an attempt at unauthorized entry and that designated actions will prevent the attempt. (B-12)
* Passwords are changed frequently. (B-12)
* Whenever possible, dial-back procedures are used so that terminal sessions are controlled by the bank and the modem is turned off after sessions. (B-12)

Assess whether dial-up phone numbers are changed periodically. (FFIEC-14)

Determine whether reports are generated that record:
* Unusual activity.
* Unsuccessful attempts to gain access to the teleprocessing system or applications.
* Teleprocessing network problems/statistics. (FFIEC-14)

Determine whether exception reports are reviewed regularly by management or data security personnel for follow-up action. (FFIEC-14)

Transmission Controls

Determine if controls are in place to protect the confidentiality and accuracy of transmitted data (e.g., parity checks, message authentication, encryption, etc.).
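The logical-access controls and exception-report steps above (automatic ID suspension after a set number of failed attempts, time-of-day locks, reporting of unsuccessful attempts and unusual activity) fit together as one piece of detection logic. The following is an added example showing that logic run over a security log; it is not code from the original audit program or from any teleprocessing product. The log line format, the user and terminal IDs and the 07:00 to 19:00 business-hours window are constructed; the five-attempt limit is the figure the checklist gives (B-12).

```python
"""Automatic log-on ID suspension and exception reporting over security log
lines (added example; log format, IDs and hours window are constructed)."""
import re
from collections import defaultdict
from datetime import time

MAX_FAILED_ATTEMPTS = 5                     # B-12: no more than five
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed time-of-day lock window

# Constructed line format: date time user terminal result
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (LOGON_OK|LOGON_FAIL)$")

SAMPLE_LOG = """\
1997-10-15 08:01:10 jsmith T01 LOGON_OK
1997-10-15 08:05:43 mdavis DIAL02 LOGON_FAIL
1997-10-15 08:05:51 mdavis DIAL02 LOGON_FAIL
1997-10-15 08:06:02 mdavis DIAL02 LOGON_OK
1997-10-15 22:14:09 amartin DIAL01 LOGON_OK
1997-10-15 23:40:01 opr99 DIAL02 LOGON_FAIL
1997-10-15 23:40:05 opr99 DIAL02 LOGON_FAIL
1997-10-15 23:40:09 opr99 DIAL02 LOGON_FAIL
1997-10-15 23:40:13 opr99 DIAL02 LOGON_FAIL
1997-10-15 23:40:17 opr99 DIAL02 LOGON_FAIL
1997-10-15 23:40:21 opr99 DIAL02 LOGON_FAIL
1997-10-15 23:41:00 opr99 DIAL02 LOGON_OK
"""


def analyze(log_text):
    """Return (suspended_ids, report). The report lists every unsuccessful
    attempt, each suspension, activity on a suspended ID, and successful
    logons outside business hours."""
    failures = defaultdict(int)   # consecutive failures per user ID
    suspended = set()
    report = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            report.append(f"UNPARSED: {raw}")
            continue
        day, clock, user, terminal, result = m.groups()
        hh, mm, ss = (int(x) for x in clock.split(":"))
        t = time(hh, mm, ss)
        if user in suspended:
            # Any activity on a suspended ID, successful or not, is an exception.
            report.append(f"{day} {clock} {user}@{terminal}: activity on suspended ID ({result})")
            continue
        if result == "LOGON_FAIL":
            failures[user] += 1
            report.append(f"{day} {clock} {user}@{terminal}: failed logon #{failures[user]}")
            if failures[user] >= MAX_FAILED_ATTEMPTS:
                suspended.add(user)
                report.append(f"{day} {clock} {user}: ID suspended after "
                              f"{failures[user]} failures")
            continue
        failures[user] = 0   # a successful logon resets the consecutive count
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            report.append(f"{day} {clock} {user}@{terminal}: logon outside business hours")
    return suspended, report


if __name__ == "__main__":
    ids, lines = analyze(SAMPLE_LOG)
    print("suspended:", sorted(ids))
    print("\n".join(lines))
```

On the constructed log the ID opr99 is suspended at its fifth failure, and the later sixth failure and the eventual successful logon are both reported as activity on a suspended ID, which is the "designated action" the checklist asks to see tested. The two mdavis failures followed by a success are reported but do not suspend, and the late-evening amartin logon shows up under unusual activity.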
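The transmission-controls step above lists parity checks and message authentication side by side; the difference matters, because a parity check addresses accuracy against line noise while a message authentication code also addresses deliberate alteration. The following added example (not from the original audit program) shows both applied to a constructed transaction record: a longitudinal XOR parity byte, and an HMAC-SHA256 tag under a shared key. The record layout and the key are assumptions; in practice the key would come from the bank's key-management procedures.

```python
"""Parity check versus message authentication on a transmitted record
(added example; record format and key are constructed)."""
import hashlib
import hmac

SHARED_KEY = b"constructed-example-key-not-for-use"


def parity_byte(data: bytes) -> int:
    """Longitudinal even parity: XOR of every byte. Detects any single-bit
    error, but any change that preserves the XOR passes unnoticed."""
    p = 0
    for b in data:
        p ^= b
    return p


def mac(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Message authentication code: HMAC-SHA256 over the record."""
    return hmac.new(key, data, hashlib.sha256).digest()


def send(record: bytes) -> dict:
    """Sender attaches both controls to the record."""
    return {"record": record, "parity": parity_byte(record), "mac": mac(record)}


def verify(msg: dict, key: bytes = SHARED_KEY):
    """Receiver recomputes both controls; returns (parity_ok, mac_ok)."""
    rec = msg["record"]
    parity_ok = parity_byte(rec) == msg["parity"]
    mac_ok = hmac.compare_digest(mac(rec, key), msg["mac"])
    return parity_ok, mac_ok


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit line error."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    """Three receptions of one constructed record: intact, hit by line noise,
    and deliberately altered in a way that keeps the XOR parity unchanged."""
    record = b"TXN;ACCT=123456;AMT=000100.00;DR"   # constructed record
    msg = send(record)
    results = {"intact": verify(msg)}
    results["line_noise"] = verify(dict(msg, record=flip_bit(record, 5, 0)))
    # Moving the digit 1 re-orders the same bytes, so the XOR parity is the same
    # while the amount has changed from 100.00 to 1.00.
    altered = record.replace(b"AMT=000100.00", b"AMT=000001.00")
    results["altered"] = verify(dict(msg, record=altered))
    return results


if __name__ == "__main__":
    for case, (p_ok, m_ok) in demo().items():
        print(f"{case:11s} parity_ok={p_ok} mac_ok={m_ok}")
```

The single-bit error fails both checks, but the altered amount passes the parity check and fails only the MAC. That is the point an examiner would look for when the bank answers this step with "parity checks" alone: accuracy against noise is not the same control as integrity against modification.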
(FFIEC-14)

Computer Viruses

Identify and describe the measures management has taken to prevent corruption of data or software and to correct problems caused by computer viruses. Identify the frequency with which virus identification programs are run and updated. (FFIEC-14)

IS SERVICING

Provider

Obtain a list of services performed by the data processing center. Determine if services performed are in compliance with all applicable regulations, such as the Bank Service Corporation Act and Sections 23A and 23B of the Federal Reserve Act. (See chapter 24, Laws and Regulations, in 1996 FFIEC IS Exam Handbook, Volume 2.)

Determine if written contracts are in effect for all customers. (FFIEC-22)

Review a copy of the contract(s) used and determine if they are in conformance with FFIEC guidelines. (FFIEC-22)

Ascertain if services are performed according to the contract terms. (FFIEC-22)

Receiver

If the bank receives major DP support from one or more outside servicers:
* List the name(s) and location(s) of the servicer(s).
* Prepare a listing of the services outside vendors provide the bank.
* Review a copy of the contract(s) used and determine if they are in conformance with FFIEC guidelines. (FFIEC-22)
* Assess the adequacy of the bank's system for monitoring the financial condition of its servicer(s) and whether the system is sufficient to project the continued viability of contracted services. (FFIEC-22 & Banking Circular 187)
* Ascertain if management has evaluated the adequacy of contingency plans of its servicer(s). (FFIEC-22)

Rev. October 15, 1997

Primary Sources: FFIEC IS Examination Handbook, 1996. The Banking Library, IHS Financial Products ("B"). Policy (P).

INFORMATION SYSTEMS AUDIT AUDIT OBJECTIVES Ref.: ISPGM.DOC