FIL-118-02 Attachment B

Division of Supervision and Consumer Protection

Information Technology

IT-MERIT PROCEDURES

SEPTEMBER 2002

Management

Strategic Management
1. Describe how management integrates technology strategic planning into the overall Corporate Business Plan.

Examiner Evaluation of the Bank’s Response:

Technology Changes
2. Describe new technology implemented since the last exam or in the past two years, whichever is shorter. Describe planned or anticipated technology changes in the next year.

Examiner Evaluation of the Bank’s Response:

Risk Assessments

3. Explain management’s process for identifying, risk ranking, and mitigating IT risks within the organization.

  • Who is responsible for this process?
  • What is the mechanism for reporting these risks to the Board?
  • What is management’s process for determining the confidentiality of electronic and paper-based information?
  • How is the information protected?

Examiner Evaluation of the Bank’s Response:

Board Reporting

4. Detail what reports and other communications are provided to the Board for its evaluation of IT risks within the organization.

  • What is the frequency of this communication?

Examiner Evaluation of the Bank’s Response:

Network Diagram

5. Provide the bank’s network topology/schematic diagram.

Examiner Evaluation of the Bank’s Response:

Vendor Management

6. Describe management’s vendor management process and ongoing due diligence program.

  • Provide a list of the bank’s key IT vendors and consultants.
  • Are all of these vendors covered by a current contract?
  • How has management evaluated the vendors’ procedures for conducting employee background checks?

Examiner Evaluation of the Bank’s Response:

Information Security

Information Security Program

7. Has the Board or its designated committee approved a written Information Security Program?

Do the policies addressing the Information Security Program cover the following:

  • Roles and responsibilities (central security coordination, segregation of duties, incident response, skill continuity)?
  • Personnel security (background checks, acceptable use training email/Internet)?
  • Audit (scope, internal/external auditor qualifications, system log reviews, audit trails)?
  • Vendor management?
  • Access controls (mainframe/network logical controls, password parameters, authentication, etc.)?
  • Configuration management (security patches, software upgrades, parameter changes)?
  • Contingency planning (business continuity, backups, disaster recovery)?
  • Virus protection?
  • Telecommunications (firewalls, modems, intrusion detection, encryption)?
  • Restricted access (terminal/data center access)?
  • Safety (fire prevention/detection, housekeeping)?
  • Inventory management (theft detection, media disposal, hardware, software, source documents, output)?

Who is responsible for maintaining the Information Security Program?

Examiner Evaluation of the Bank’s Response:

Roles and Responsibilities
8. Who are the information security officer and the system administrator? Provide detail on their experience, training and certifications, and other duties within the organization.

Examiner Evaluation of the Bank’s Response:

Access Controls
9. Describe the process for determining and reviewing user access levels.

Examiner Evaluation of the Bank’s Response:

10. Provide details on the following password control features utilized by the bank’s applications and operating systems:

  • Password length.
  • Change interval.
  • Password composition rule.
  • Password history.
  • Lockout rule.

Examiner Evaluation of the Bank’s Response:

Disaster Recovery
11. Describe the bank’s disaster recovery testing process. Include the scope, results, and date of the bank’s most recent disaster recovery test.

Examiner Evaluation of the Bank’s Response:

12. Describe the bank’s backup procedures.

  • What is backed up?
  • What is the rotation schedule?
  • Where are backup media stored?
  • How soon after backup media are created are the media taken off-site?

Examiner Evaluation of the Bank’s Response:

Physical Security
13. How are critical technology resources physically secured (mainframe, servers, telecommunications equipment, wiring closet)?

Examiner Evaluation of the Bank’s Response:

Audit

Audit Scope
14. How does management establish the scope and frequency of IT audits?

Examiner Evaluation of the Bank’s Response:

Audit Methods

15. What validation methods (internal and/or external audits, security assessment, penetration study) does management use to determine compliance with written and approved corporate policies?

  • Provide date, scope and frequency of the validation methods described above.
  • Provide detail on management’s process for addressing audit findings/corrective actions.
  • Is this process documented?

Examiner Evaluation of the Bank’s Response:

Audit Trails

16. Which of the following activity logs/exception reports are reviewed and who performs the review?

  • New loans.
  • File maintenance.
  • Dormant.
  • Parameter changes.
  • Kiting.
  • Employee accounts.
  • Audit logs.
  • Backup logs.
  • System reports.
  • Firewall logs.
  • Intrusion Detection System (IDS) logs.

Examiner Evaluation of the Bank’s Response:

Last Updated: March 24, 2024