Inconsistencies

Number Question Response Expected Domain
A.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? if yes, does it include: Si Yes A. Risk Management
A.1.1 A risk assessment, conducted within the last 12 months? Si Yes A. Risk Management
A.1.2 Risk Governance? Si Yes A. Risk Management
A.1.3 Range of assets to include: people, processes, data and technology? Si Yes A. Risk Management
A.1.4 Range of threats to include: malicious, natural, accidental, cyber, business changes (transaction volume)? Si Yes A. Risk Management
A.1.5 Risk scoping? Si Yes A. Risk Management
A.1.6 Risk context? Si Yes A. Risk Management
A.1.7 Risk training plan? Si Yes A. Risk Management
A.1.8 Risk evaluation criteria? Si Yes A. Risk Management
A.1.9 Risk scenarios? If yes: Si Yes A. Risk Management
A.1.9.1 Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets? Si Yes A. Risk Management
A.1.9.2 Do the scenarios include threat types impacting all assets resulting in business impact? Si Yes A. Risk Management
A.1.10 Ownership, action plan, response plan, management update? Si Yes A. Risk Management
A.2 Are controls identified for each risk classified as: preventive, detective, corrective, predictive (technical or administrative controls)? Si Yes A. Risk Management
B.1 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? If yes, does the policy contain: Si Yes B. Security Policy
B.1.1 Risk assessment? Si Yes B. Security Policy
B.1.2 Risk management? Si Yes B. Security Policy
B.1.3 Security awareness training/education? Si Yes B. Security Policy
B.1.4 Business continuity? Si Yes B. Security Policy
B.1.5 Consequences for non-compliance with corporate policies? Si Yes B. Security Policy
B.1.6 Responsibilities for information security management? Si Yes B. Security Policy
B.1.7 Acceptable use? Si Yes B. Security Policy
B.1.8 Access control? Si Yes B. Security Policy
B.1.9 Application security? Si Yes B. Security Policy
B.1.10 Change control? Si Yes B. Security Policy
B.1.11 Clean desk? Si Yes B. Security Policy
B.1.12 Computer and communication systems access and use? Si Yes B. Security Policy
B.1.13 Data handling? Si Yes B. Security Policy
B.1.14 Desktop computing? Si Yes B. Security Policy
B.1.15 Disaster recovery? Si Yes B. Security Policy
B.1.16 Email? Si Yes B. Security Policy
B.1.17 Constituent accountability? Si Yes B. Security Policy
B.1.18 Encryption? Si Yes B. Security Policy
B.1.19 Exception process? Si Yes B. Security Policy
B.1.20 Information classification? Si Yes B. Security Policy
B.1.21 Internet/Intranet access and use? Si Yes B. Security Policy
B.1.22 Mobile computing? Si Yes B. Security Policy
B.1.23 Network security? Si Yes B. Security Policy
B.1.24 Operating system security? Si Yes B. Security Policy
B.1.25 Personnel security and termination? Si Yes B. Security Policy
B.1.26 Physical access? Si Yes B. Security Policy
B.1.27 Policy maintenance? Si Yes B. Security Policy
B.1.28 Remote access? Si Yes B. Security Policy
B.1.29 Security incident and privacy event management? Si Yes B. Security Policy
B.1.30 Secure disposal? Si Yes B. Security Policy
B.1.31 Social media, social networking? Si Yes B. Security Policy
B.1.32 Vulnerability management? Si Yes B. Security Policy
B.1.33 Terms of Use for Mobile Devices? Si Yes B. Security Policy
B.1.34 Have the policies been reviewed in the last 12 months? If yes, did the review include: Si Yes B. Security Policy
B.1.34.1 Feedback from interested parties? Si Yes B. Security Policy
B.1.34.2 Results of independent reviews? Si Yes B. Security Policy
B.1.34.3 Policy compliance? Si Yes B. Security Policy
B.1.34.4 Changes that could affect the approach to managing information security? Si Yes B. Security Policy
B.1.34.5 Reported information security incidents? Si Yes B. Security Policy
B.1.34.6 Recommendations provided by relevant authorities? Si Yes B. Security Policy
B.1.34.7 Records management? Si Yes B. Security Policy
B.1.35 Is there a process to approve exceptions to the policy? Si Yes B. Security Policy
B.1.35.1 Does security own the approval process? Si Yes B. Security Policy
B.1.36 Is the information security policy communicated? If yes, is it communicated to: Si Yes B. Security Policy
B.1.36.1 Full time constituents? Si Yes B. Security Policy
B.1.36.2 Part time constituents? Si Yes B. Security Policy
B.1.36.3 Contractors? Si Yes B. Security Policy
B.2 Is there a vendor management program? Si Yes B. Security Policy
B.2.1 Does the vendor management program include an individual or group responsible for capturing, maintaining and tracking subcontractor information security issues? If yes, is there: Si Yes B. Security Policy
B.2.1.1 Risk rating of the issue (e.g., H/M/L, 1-5, etc.)? Si Yes B. Security Policy
B.2.1.2 Documented corrective action or remediation plan? Si Yes B. Security Policy
B.2.1.3 Target remediation date? Si Yes B. Security Policy
B.2.1.4 On-going communication with subcontractor to discuss status of remediation? Si Yes B. Security Policy
B.2.1.5 Escalation procedure if the remediation date is not met? Si Yes B. Security Policy
B.2.1.6 Sign-off when remediation is fully implemented? Si Yes B. Security Policy
B.2.1.7 Reporting on remediation? If yes, does it include: Si Yes B. Security Policy
B.2.1.7.1 Identification of stakeholders? Si Yes B. Security Policy
B.2.1.7.2 Reporting frequency? Si Yes B. Security Policy
C.1 Is there a respondent information security function responsible for security initiatives? If yes, does it include: Si Yes C. Organizational Security
C.1.1 Creation, review and approve of information security policies? Si Yes C. Organizational Security
C.1.2 Review the effectiveness of information security policy implementation? Si Yes C. Organizational Security
C.1.3 Manage assignment of specific roles and responsibilities for information security? Si Yes C. Organizational Security
C.1.4 Develop and maintain an overall strategic security plan? Si Yes C. Organizational Security
C.1.5 Consistent implementation of information security across different parts of the respondent's organization? Si Yes C. Organizational Security
C.1.6 Review and monitor information security / privacy incidents or events? Si Yes C. Organizational Security
C.1.7 Monitor significant changes in the exposure of information assets? Si Yes C. Organizational Security
C.1.8 Contacts with information security special interest groups, specialist security forums, or professional associations? Si Yes C. Organizational Security
C.1.9 Identify and document instances of non-compliance with security policies? Si Yes C. Organizational Security
C.1.10 Identify key Information Technology roles? Si Yes C. Organizational Security
C.2 Do external parties have access to Scoped Systems and Data or processing facilities? If yes, is: Si No C. Organizational Security
C.2.1 Access prohibited prior to a risk assessment being conducted? Si Yes C. Organizational Security
C.2.2 A risk assessment performed on third parties? No Yes C. Organizational Security
C.2.3 A controls assessment performed on third parties? Si Yes C. Organizational Security
C.2.4 Agreements in place when customers access Scoped Systems and Data? Si Yes C. Organizational Security
C.2.5 Does management require the use of confidentiality or non-disclosure agreements for all third parties? If yes, do they contain: Si Yes C. Organizational Security
C.2.5.1 Ownership of information, trade secrets and intellectual property? Si Yes C. Organizational Security
C.2.5.2 Permitted use of confidential information, and granting of rights to the signatory to use information? Si Yes C. Organizational Security
C.2.5.3 Process for notification and reporting of unauthorized disclosure or confidential information breaches? Si Yes C. Organizational Security
C.2.5.4 Expected actions to be taken in case of a breach of this agreement? Si Yes C. Organizational Security
C.2.6 Are there contracts with third party service providers who have access to Scoped Systems and Data ? If yes, do they include: Si Yes C. Organizational Security
C.2.6.1 Non-Disclosure Agreement? Si Yes C. Organizational Security
C.2.6.2 Confidentiality Agreement? Si Yes C. Organizational Security
C.2.6.3 Media handling? Si Yes C. Organizational Security
C.2.6.4 Requirement of an awareness program to communicate security standards and expectations? Si Yes C. Organizational Security
C.2.6.5 Responsibilities regarding hardware and software installation and maintenance? Si Yes C. Organizational Security
C.2.6.6 Clear reporting structure and agreed reporting formats? Si Yes C. Organizational Security
C.2.6.7 Clear and specified process of change management? Si Yes C. Organizational Security
C.2.6.8 Notification of change? Si Yes C. Organizational Security
C.2.6.9 Process to address any identified issues? Si Yes C. Organizational Security
C.2.6.10 Access control policy? Si Yes C. Organizational Security
C.2.6.11 Breach notification? Si Yes C. Organizational Security
C.2.6.12 Description of the product or service to be provided? Si Yes C. Organizational Security
C.2.6.13 Description of the information to be made available along with its security classification? Si Yes C. Organizational Security
C.2.6.14 SLAs? Si Yes C. Organizational Security
C.2.6.15 Audit reporting? Si Yes C. Organizational Security
C.2.6.16 Ongoing monitoring? Si Yes C. Organizational Security
C.2.6.17 A process to regularly monitor to ensure compliance with security standards? Si Yes C. Organizational Security
C.2.6.18 Onsite review? Si Yes C. Organizational Security
C.2.6.19 Right to audit? Si Yes C. Organizational Security
C.2.6.20 Right to inspect? Si Yes C. Organizational Security
C.2.6.21 Problem reporting and escalation procedures? Si Yes C. Organizational Security
C.2.6.23 Indemnification/liability? Si Yes C. Organizational Security
C.2.6.24 Privacy requirements? Si Yes C. Organizational Security
C.2.6.26 Choice of venue? Si Yes C. Organizational Security
C.2.6.27 Data ownership? Si Yes C. Organizational Security
C.2.6.28 Ownership of intellectual property? Si Yes C. Organizational Security
C.2.6.29 Involvement of the third party with subcontractors? Si Yes C. Organizational Security
C.2.6.30 Security controls these subcontractors need to implement? Si Yes C. Organizational Security
C.2.6.31 Termination/exit clause? Si Yes C. Organizational Security
C.2.6.32 Contingency plan in case either party wishes to terminate the relationship before the end of the agreements? Si Yes C. Organizational Security
C.2.6.33 Renegotiation of agreements if the security requirements of the respondent change? Si Yes C. Organizational Security
C.2.6.34 Current documentation of asset lists, licenses, agreements or rights relating to them? Si Yes C. Organizational Security
D.1 Is there an asset management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes D. Asset Management
D.1.1 Is there an inventory system for hardware and software assets? If yes, does it include: Si Yes D. Asset Management
D.1.1.1 Asset control tag? Si Yes D. Asset Management
D.1.1.2 Operating system? Si Yes D. Asset Management
D.1.1.3 Physical location? Si Yes D. Asset Management
D.1.1.4 Serial number? Si Yes D. Asset Management
D.1.1.5 Business function supported? Si Yes D. Asset Management
D.1.1.6 Environment (dev, test, etc.)? Si Yes D. Asset Management
D.1.1.7 IP address? Si Yes D. Asset Management
D.1.2 Is there a detailed description of software licenses (number of seats, concurrent users, etc.) ? Si Yes D. Asset Management
D.1.3 Is ownership assigned for information and assets? If yes, is the owner responsible to: Si Yes D. Asset Management
D.1.3.1 Appropriately classify information and assets? Si Yes D. Asset Management
D.1.3.2 Review and approve access to those information and assets? Si Yes D. Asset Management
D.1.3.3 Establish, document and implement rules for the acceptable use of information and assets? Si Yes D. Asset Management
D.2 Are information and assets classified? Si Yes D. Asset Management
D.2.1 Is there an information asset classification policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes D. Asset Management
D.2.2 Is there a procedure for handling of information and assets? If yes, does it include: Si Yes D. Asset Management
D.2.2.1 Data ownership? Si Yes D. Asset Management
D.2.2.2 Data access controls including authorization? Si Yes D. Asset Management
D.2.2.3 Data labeling? Si Yes D. Asset Management
D.2.2.4 Data on removable media? Si Yes D. Asset Management
D.2.2.5 Data in transit? Si Yes D. Asset Management
D.2.2.6 Data encryption? Si Yes D. Asset Management
D.2.2.7 Data in storage? Si Yes D. Asset Management
D.2.2.8 Data reclassification? Si Yes D. Asset Management
D.2.2.9 Data retention? Si Yes D. Asset Management
D.2.2.10 Data destruction? Si Yes D. Asset Management
D.2.2.11 Data disposal? Si Yes D. Asset Management
D.2.2.12 Reviewed at least annually? Si Yes D. Asset Management
D.2.2.13 Data handling based on classification? Si Yes D. Asset Management
D.2.2.14 Physical media destruction? Si Yes D. Asset Management
D.2.2.15 Reuse of physical media (tapes, disk drives, etc.)? Si Yes D. Asset Management
E.1 Are security roles and responsibilities of constituents defined and documented in accordance with the respondent?s information security policy? Si Yes E. Human Resource Security
E.2 Is a background screening performed prior to allowing constituent access to Scoped Systems and Data? If yes, does it include: Si Yes E. Human Resource Security
E.2.1 Criminal? Si Yes E. Human Resource Security
E.2.3 Academic? Si Yes E. Human Resource Security
E.2.4 Reference? Si Yes E. Human Resource Security
E.2.5 Resume or curriculum vitae? Si Yes E. Human Resource Security
E.2.6 Drug Screening? Si Yes E. Human Resource Security
E.3 Are periodic background checks conducted? If yes, do they include the following individuals: Si Yes E. Human Resource Security
E.3.1 Senior Management? Si Yes E. Human Resource Security
E.3.2 Subcontractors? Si Yes E. Human Resource Security
E.3.3 All other employees? Si Yes E. Human Resource Security
E.4 Are new hires required to sign any agreements upon hire? If yes, does it include: Si Yes E. Human Resource Security
E.4.1 Acceptable Use? Si Yes E. Human Resource Security
E.4.2 Code of Conduct / Ethics? Si Yes E. Human Resource Security
E.4.3 Non-Disclosure Agreement? Si Yes E. Human Resource Security
E.4.4 Confidentiality Agreement? Si Yes E. Human Resource Security
E.4.5 Terms of Use for Mobile Devices? Si Yes E. Human Resource Security
E.4.6 Are constituents required to sign annual acknowledgements? If yes, do they include: Si Yes E. Human Resource Security
E.4.6.1 Acceptable Use? Si Yes E. Human Resource Security
E.4.6.2 Code of Conduct / Ethics? Si Yes E. Human Resource Security
E.4.6.3 Non-Disclosure Agreement? Si Yes E. Human Resource Security
E.4.6.4 Confidentiality Agreement? Si Yes E. Human Resource Security
E.5 Is there a security awareness training program? If yes, does it include: Si Yes E. Human Resource Security
E.5.1 Security policies, procedures and processes? Si Yes E. Human Resource Security
E.5.2 Scored test to evaluate successful completion? Si Yes E. Human Resource Security
E.5.3 New Hire and annual participation? Si Yes E. Human Resource Security
E.5.4 Training commensurate with levels of responsibilities and access? Si Yes E. Human Resource Security
E.5.5 Additional training for those responsible for information security? Si Yes E. Human Resource Security
E.5.6 Mobile Device security awareness? Si Yes E. Human Resource Security
E.6 Do information security personnel have professional security certifications? Si Yes E. Human Resource Security
E.7 Is there a disciplinary process for non-compliance with information security policies? Si Yes E. Human Resource Security
E.8 Is there a constituent termination or change of status process? Si Yes E. Human Resource Security
E.8.1 Is there a documented termination or change of status policy or process that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes E. Human Resource Security
E.8.2 Does HR notify security / access administration of constituent termination for access rights removal? If yes, is notification provided: Si Yes E. Human Resource Security
E.8.2.1 On the actual date? Si Yes E. Human Resource Security
E.8.2.2 Two to seven days after termination? No Yes E. Human Resource Security
E.8.2.3 Greater than seven days after termination? No Yes E. Human Resource Security
E.8.3 Does HR notify security / access administration of a constituent change of status for access rights removal? If yes, is notification provided: Si Yes E. Human Resource Security
E.8.3.1 On the actual date of the change of status? Si Yes E. Human Resource Security
E.8.3.2 Two to seven days after the change of status? No Yes E. Human Resource Security
E.8.3.3 Greater than seven days after the change of status? No Yes E. Human Resource Security
E.8.4.1 Termination? Si Yes E. Human Resource Security
E.9 Is there a succession and redundancy planning for key management and support personnel? If yes, does it include: Si Yes E. Human Resource Security
E.9.1 Senior Management? Si Yes E. Human Resource Security
E.9.2 Key support, operations and development areas? Si Yes E. Human Resource Security
F.1 Is there a physical security program? Si Yes F. Physical and Environmental
F.1.1 Is there a documented physical security policy approved by management, communicated to constituents and an owner assigned to maintain and review the policy? Si Yes F. Physical and Environmental
F.1.2 Are reasonable physical security and environmental controls present in the building/data center that contains Scoped Systems and Data? If yes, does it include: Si Yes F. Physical and Environmental
F.1.2.1 Signage to identify the operations of the facility (data center)? Si No F. Physical and Environmental
F.1.2.2 Other tenants using the building? Si No F. Physical and Environmental
F.1.2.3 Access restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.1.2.4 Electronic system (key card, token, fob, biometric reader etc.) to control access? Si Yes F. Physical and Environmental
F.1.2.5 Cipher locks (electronic or mechanical) to control access within or to the facility? If yes, is there a process to: Si Yes F. Physical and Environmental
F.1.2.5.1 Change the code(s) at least every 90 days? Si Yes F. Physical and Environmental
F.1.2.5.2 Change the code(s) when an authorized individual is terminated or transferred to another role? Si Yes F. Physical and Environmental
F.1.2.6 Security guards that provide onsite security services? Si Yes F. Physical and Environmental
F.1.2.7 Perimeter physical barrier (such as fence or walls)? Si Yes F. Physical and Environmental
F.1.2.8 Entry and exit doors alarmed (forced entry, propped open) and/or monitored by security guards? Si Yes F. Physical and Environmental
F.1.2.9 A mechanism to prevent tailgating / piggybacking? Si Yes F. Physical and Environmental
F.1.2.10 External lighting? Si Yes F. Physical and Environmental
F.1.2.11 Lighting on all doors? Si Yes F. Physical and Environmental
F.1.2.12 Exterior doors with external hinge pins? N/A Yes F. Physical and Environmental
F.1.2.13 Windows with contact or break alarms on all windows? Si Yes F. Physical and Environmental
F.1.2.14 CCTV with video stored at least 90 days? No Yes F. Physical and Environmental
F.1.2.15 Fluid or water sensor? Si Yes F. Physical and Environmental
F.1.2.16 Air conditioning and humidity controls? Si Yes F. Physical and Environmental
F.1.2.17 Heat detection? Si Yes F. Physical and Environmental
F.1.2.18 Smoke detection? Si Yes F. Physical and Environmental
F.1.2.19 Fire suppression? Si Yes F. Physical and Environmental
F.1.2.20 Multiple power feeds? Si Yes F. Physical and Environmental
F.1.2.21 Multiple communication feeds? Si Yes F. Physical and Environmental
F.1.2.22 Physical access control procedures? If yes, is there: Si Yes F. Physical and Environmental
F.1.2.22.1 Segregation of duties for issuing and approving access to the facility (keys, badge, etc.)? Si Yes F. Physical and Environmental
F.1.2.22.2 Access reviews at least every six months? Si Yes F. Physical and Environmental
F.1.2.22.3 Collection of access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? Si Yes F. Physical and Environmental
F.1.2.22.4 A process to report lost or stolen access cards / keys? Si Yes F. Physical and Environmental
F.1.3 Are visitors permitted in the facility? If yes, are they required to: Si Yes F. Physical and Environmental
F.1.3.1 Sign in and out? Si Yes F. Physical and Environmental
F.1.3.2 Provide a government issued ID? Si Yes F. Physical and Environmental
F.1.3.3 Be escorted through secure areas? Si Yes F. Physical and Environmental
F.1.3.4 Wear badge distinguishing them from employees? Si Yes F. Physical and Environmental
F.1.3.5 Are visitor logs maintained for at least 90 days? Si Yes F. Physical and Environmental
F.1.4 Is there a loading dock at the facility? If yes, is there: Si Yes F. Physical and Environmental
F.1.4.1 Any other tenants using the loading dock? No Yes F. Physical and Environmental
F.1.4.2 A security guards at each point of entry? Si Yes F. Physical and Environmental
F.1.4.3 Smoke detector? Si Yes F. Physical and Environmental
F.1.4.4 Fire alarm? Si Yes F. Physical and Environmental
F.1.4.5 Fire suppression? Si Yes F. Physical and Environmental
F.1.4.6 CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.1.4.7 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.5 Is there a battery/UPS room? If yes, does it contain: Si Yes F. Physical and Environmental
F.1.5.1 Hydrogen sensors? No Yes F. Physical and Environmental
F.1.5.2 Monitored fire alarm? Si Yes F. Physical and Environmental
F.1.5.3 Fire suppression system? Si Yes F. Physical and Environmental
F.1.5.4 CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.1.5.5 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.5.6 Does UPS support N+1? Si Yes F. Physical and Environmental
F.1.6 Is there a generator or generator area? If yes, is there: Si Yes F. Physical and Environmental
F.1.6.1 A fuel supply readily available to ensure uninterrupted service? Si Yes F. Physical and Environmental
F.1.6.2 Adequate capacity to supply power for at least 48 hours? Si Yes F. Physical and Environmental
F.1.6.3 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.6.4 CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.1.7 Is there a mailroom that handles Scoped Data? If yes, is access: Si Yes F. Physical and Environmental
F.1.7.1 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.1.7.2 CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.1.8 Is there a media library to store Scoped Data? If yes, is access: Si Yes F. Physical and Environmental
F.1.8.1 Restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.1.8.2 CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.1.9 Is there a separate room for telecom equipment? If yes, is access: Si Yes F. Physical and Environmental
F.1.9.1 Monitored with CCTV and the video stored for 90 days? No Yes F. Physical and Environmental
F.1.9.2 Restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.2.1 Fluid or water sensor? Si Yes F. Physical and Environmental
F.2.2 Air conditioning? Si Yes F. Physical and Environmental
F.2.3 Heat detection? Si Yes F. Physical and Environmental
F.2.4 Smoke detection? Si Yes F. Physical and Environmental
F.2.5 Vibration alarm / sensor? Si Yes F. Physical and Environmental
F.2.6 Monitored fire alarm? Si Yes F. Physical and Environmental
F.2.7 Fire suppression (e.g., dry, chemical, wet pipe)? Si Yes F. Physical and Environmental
F.2.8 Multiple power feeds? Si Yes F. Physical and Environmental
F.2.9 Multiple communication feeds? Si Yes F. Physical and Environmental
F.2.10 Are there generator(s)? Si Yes F. Physical and Environmental
F.2.11 Is access to the data center restricted and logs kept of all access? Si Yes F. Physical and Environmental
F.2.11.1 Badge readers at points of entry? Si Yes F. Physical and Environmental
F.2.11.2 Locked doors requiring a key or PIN at points of entry? N/A Yes F. Physical and Environmental
F.2.11.3 Access request procedures? Si Yes F. Physical and Environmental
F.2.11.3.1 Segregation of duties for issuing and approving access? Si Yes F. Physical and Environmental
F.2.11.3.2 Access reviews conducted at least every six months? Si Yes F. Physical and Environmental
F.2.11.4 Is there a mechanism to thwart tailgating / piggybacking into the data center? Si Yes F. Physical and Environmental
F.2.12 Are there security guards at points of entry? Si Yes F. Physical and Environmental
F.2.12.1 Do the security guards monitor security systems and alarms? Si Yes F. Physical and Environmental
F.2.13 Are visitors permitted in the data center? Si Yes F. Physical and Environmental
F.2.13.1 Are they required to sign in and out of the data center? Si Yes F. Physical and Environmental
F.2.13.2 Are they escorted within the data center? Si Yes F. Physical and Environmental
F.2.14 Are all entry and exit points to the data center alarmed? Si Yes F. Physical and Environmental
F.2.14.1 Are there alarm motion sensors monitoring the data center? Si Yes F. Physical and Environmental
F.2.15 Is access to the Data center monitored with CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.2.16 Walls extending from true floor to true ceiling? Si Yes F. Physical and Environmental
F.2.17 Windows or glass walls along the perimeter? No Yes F. Physical and Environmental
F.2.18 Do the Scoped Systems and Data reside in a caged environment within a data center? If yes, is there a: Si Yes F. Physical and Environmental
F.2.18.1 Lock requiring a key or PIN used at points of entry? Si Yes F. Physical and Environmental
F.2.18.2 Process for requesting access? Si Yes F. Physical and Environmental
F.2.18.2.1 Segregation of duties for granting and storage of access devices (badges, keys, etc.)? Si Yes F. Physical and Environmental
F.2.18.3 List maintained of personnel with cards / keys to the caged environment? Si Yes F. Physical and Environmental
F.2.18.4 Process to report lost access cards / keys? Si Yes F. Physical and Environmental
F.2.18.5 Process to review access to the cage at least every six months? Si Yes F. Physical and Environmental
F.2.18.6 Process to collect access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? Si Yes F. Physical and Environmental
F.2.18.7 Are visitors permitted in the caged environment? If yes, are they: Si Yes F. Physical and Environmental
F.2.18.7.1 Required to sign in and out? Si Yes F. Physical and Environmental
F.2.18.7.2 Escorted? Si Yes F. Physical and Environmental
F.2.18.8 Monitored with CCTV and the video stored for at least 90 days? No Yes F. Physical and Environmental
F.2.19 Do the Scoped Systems and Data reside in a locked cabinet? If yes, is there: Si Yes F. Physical and Environmental
F.2.19.1 Shared cabinets? No Yes F. Physical and Environmental
F.2.19.2 Restricted access and logs kept of all access? Si Yes F. Physical and Environmental
F.2.19.3 Access request procedures? Si Yes F. Physical and Environmental
F.2.19.4 Segregation of duties for issuing, approving access and storing devices (badges, keys, etc.)? Si Yes F. Physical and Environmental
F.2.19.5 A list of personnel with cards / keys to the cabinet? Si Yes F. Physical and Environmental
F.2.19.6 A process to report lost access cards / keys? No Yes F. Physical and Environmental
F.2.19.7 Collection access equipment (badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access? No Yes F. Physical and Environmental
F.2.19.8 Cabinets monitored with CCTV and the video stored for at least 90 days? Si Yes F. Physical and Environmental
F.2.20 Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? Si Yes F. Physical and Environmental
F.2.21 Is there a procedure for equipment removal from the data center? Si Yes F. Physical and Environmental
F.2.22.1 UPS system? Si Yes F. Physical and Environmental
F.2.22.2 Security system? Si Yes F. Physical and Environmental
F.2.22.3 Generator? Si Yes F. Physical and Environmental
F.2.22.4 Batteries? Si Yes F. Physical and Environmental
F.2.22.5 Monitored fire alarm? Si Yes F. Physical and Environmental
F.2.22.6 Fire suppression systems? Si Yes F. Physical and Environmental
F.2.22.7 HVAC? Si Yes F. Physical and Environmental
F.2.23.1 UPS system - annually? Si Yes F. Physical and Environmental
F.2.23.2 Security alarm system - annually? Si Yes F. Physical and Environmental
F.2.23.3 Fire alarms - annually? Si Yes F. Physical and Environmental
F.2.23.4 Fire suppression system - annually? Si Yes F. Physical and Environmental
F.2.23.5 Generators - monthly? No Yes F. Physical and Environmental
F.2.23.6 Generators full load tested - monthly? No Yes F. Physical and Environmental
G.1 Are management approved operating procedures utilized? If yes, are they: Si Yes G. Communications and Ops Mgmt
G.2 Is there an operational change management/change control policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the polic Si Yes G. Communications and Ops Mgmt
G.4 Is there an anti-virus/malware policy or program (workstations, servers, mobile devices) that has been approved by management, communicated to appropriate constituents and an owner to maintain and re Si Yes G. Communications and Ops Mgmt
G.5 Are system backups of Scoped Systems and Data performed? Si Yes G. Communications and Ops Mgmt
G.6 Are firewalls in use for both internal and external network connections? Si Yes G. Communications and Ops Mgmt
G.7 Are vulnerability assessments, scans or penetration tests on internal or external network connections performed at least annually? If yes, are they: No Yes G. Communications and Ops Mgmt
G.8 Are there external network connections (Internet, extranet, etc.)? If yes, is there: Si Yes G. Communications and Ops Mgmt
G.9 Is wireless networking technology used? Is yes, is there: Si No G. Communications and Ops Mgmt
G.10 Is there a removable media policy or program (CDs, DVDs, tapes, disk drives) that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the po No Yes G. Communications and Ops Mgmt
G.11 Is Scoped Data sent or received electronically or via physical media? If yes, is there: No Yes G. Communications and Ops Mgmt
G.18 Are Web services provided? If yes, are: Si Yes G. Communications and Ops Mgmt
G.18.2 Is Windows IIS for these Web services used? If yes, is: Si Yes G. Communications and Ops Mgmt
G.18.2.1 Anonymous access to FTP disabled? Si Yes G. Communications and Ops Mgmt
G.18.2.2 Membership to the IIS Administrators group restricted to those with web administration roles and responsibilities? Si Yes G. Communications and Ops Mgmt
G.18.2.3 Dedicated virtual directory structure used for each website? Si Yes G. Communications and Ops Mgmt
G.18.2.4 Unused services turned off on IIS servers? Si Yes G. Communications and Ops Mgmt
G.18.2.5 Services running on standard ports? Si Yes G. Communications and Ops Mgmt
G.18.2.6 Logging configured to support incident investigation? N/A Yes G. Communications and Ops Mgmt
G.18.2.7 Sample applications and scripts removed? Si Yes G. Communications and Ops Mgmt
G.18.2.8 Least privilege used when setting IIS content permissions? N/A Yes G. Communications and Ops Mgmt
G.18.2.9 Content folder on the same drive as the operating system? Si No G. Communications and Ops Mgmt
G.18.3 Is Apache used for these Web services? If yes, is: No Yes G. Communications and Ops Mgmt
G.19 Are desktop computers used to transmit, process or store Scoped Systems and Data? If yes, is: Si Yes G. Communications and Ops Mgmt
G.19.1 Segregation of duties for granting access and approving access? Si Yes G. Communications and Ops Mgmt
G.19.2 Segregation of duties for approving and implementing access requests? Si Yes G. Communications and Ops Mgmt
G.19.4 User of a system also responsible for reviewing its security audit logs? Si No G. Communications and Ops Mgmt
G.19.5 Segregation of duties to prevent the user of a system from modifying or deleting its security audit logs? Si Yes G. Communications and Ops Mgmt
G.19.6 Standard operating environment required? N/A Yes G. Communications and Ops Mgmt
G.19.7 Content filtering proxy used prior to accessing the Internet? N/A Yes G. Communications and Ops Mgmt
G.19.8 Security approval required prior to implementing non-standard operating equipment? N/A Yes G. Communications and Ops Mgmt
G.19.9 Security approval required prior to implementing freeware or shareware applications? Si Yes G. Communications and Ops Mgmt
G.19.11 Installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators? Si Yes G. Communications and Ops Mgmt
G.19.12 Users permitted to execute mobile code? Si No G. Communications and Ops Mgmt
H.1 Are electronic systems used to transmit, process or store Scoped Systems and Data? Si Yes H. Access Control
H.1.1 Is there an access control policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? No Yes H. Access Control
H.1.2 Does access control on applications, operating systems, databases, and network devices ensure users have least privilege? Si Yes H. Access Control
H.2 Are unique user IDs used for access? Si Yes H. Access Control
H.2.1 Can a user ID contain personal information (SSN, access level, admin of the user)? Si No H. Access Control
H.2.2 Is an inactive user ID deleted or disabled within 90 days? Si Yes H. Access Control
H.2.4 Is there a process to grant and approve access to systems transmitting, processing or storing Scoped Systems and Data? Si Yes H. Access Control
H.2.4.1 Does access to electronic systems include a formal request and management approval? Si Yes H. Access Control
H.2.4.2 Are approved requests for granting access logged, archived and maintained? Si Yes H. Access Control
H.2.5.1 Time of day? No Yes H. Access Control
H.2.5.2 Physical location? No Yes H. Access Control
H.2.5.3 Network subnet? No Yes H. Access Control
H.2.13 Upon successful logon, does a message indicate the last time of successful logon? No Yes H. Access Control
H.2.14 Is multi-factor authentication deployed for "high-risk" environments? N/A Yes H. Access Control
H.2.15 Do all users have a unique user ID when accessing applications? Si Yes H. Access Control
H.2.17 Do inactive workstations lock within 15 minutes? N/A Yes H. Access Control
H.2.18 Do inactive sessions timeout within 15 minutes? Si Yes H. Access Control
H.3 Are passwords required to access systems transmitting, processing or storing Scoped Systems and Data? Si Yes H. Access Control
H.3.1.10 Prohibit users from sharing passwords? Si Yes H. Access Control
H.4 Is remote access permitted? Si No H. Access Control
H.4.4 Is remote desktop technology (Citrix) used to access the network remotely? No Yes H. Access Control
I.1 Are business information systems used to transmit, process or store Scoped Systems and Data? If yes, are: Si Yes I. Info Sys AD&M
I.2 Is application development performed? If yes, does it provide: Si Yes I. Info Sys AD&M
I.2.7 Development, test, and staging environment separate from the production environment? If so, how are they separated: Si Yes I. Info Sys AD&M
I.2.7.1 Logically? Si Yes I. Info Sys AD&M
I.2.7.2 Physically? Si Yes I. Info Sys AD&M
I.2.8 Is there a formal Software Development Life Cycle (SDLC) process? If yes, does it include: Si Yes I. Info Sys AD&M
I.2.8.1 Peer code review, integration testing, and acceptance testing? Si Yes I. Info Sys AD&M
I.2.8.2 Separate source code repositories for production and non-production? Si Yes I. Info Sys AD&M
I.2.11 Are change control procedures required for all changes to the production environment? Si Yes I. Info Sys AD&M
I.2.13 Are application sessions set to time out within 15 minutes or less? Si Yes I. Info Sys AD&M
I.2.19.1 Authorization required when production data is copied to the test environment? Si Yes I. Info Sys AD&M
I.2.20.1 Access production environments, including read only access? Si No I. Info Sys AD&M
I.2.20.2 Access systems and applications based on established profiles that define responsibilities or job functions? Si Yes I. Info Sys AD&M
I.2.20.3 Request or obtain access outside an established role (emergency access)? Si Yes I. Info Sys AD&M
I.2.22 Are access control procedures the same for both the test and production environment? Si Yes I. Info Sys AD&M
I.2.24 Is Internet facing software and infrastructure tested prior to implementation? If yes, does the testing include: Si Yes I. Info Sys AD&M
I.2.25 Is there a documented change management / change control process? If yes, does it include: Si Yes I. Info Sys AD&M
I.2.25.1 Testing prior to deployment? Si Yes I. Info Sys AD&M
I.2.25.2 Management approval prior to deployment? Si Yes I. Info Sys AD&M
I.2.25.3 Establishment of restart points? Si Yes I. Info Sys AD&M
I.5 Are systems and applications patched? If yes, does it include: Si Yes I. Info Sys AD&M
I.7 Are vulnerability tests (internal/external) performed on all applications at least annually? If yes, are there: Si Yes I. Info Sys AD&M
I.8 Are encryption tools managed and maintained for Scoped Data? If yes, is there: Si Yes I. Info Sys AD&M
I.8.1 An encryption policy? Si Yes I. Info Sys AD&M
I.8.2 Encryption in storage / at rest? Si Yes I. Info Sys AD&M
I.8.5 Encryption keys encrypted at rest and when transmitted? Si Yes I. Info Sys AD&M
I.8.7 Key/certificate sharing between production and non-production? Si No I. Info Sys AD&M
J.1 Is there an Incident Management program? Si Yes J. Incident Event & Comm Mgmt
J.1.1 Is there a documented policy for incident management that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? Si Yes J. Incident Event & Comm Mgmt
J.1.2 Is there a formal Incident Response Plan? If yes, does it include: Si Yes J. Incident Event & Comm Mgmt
J.1.2.1 Reporting procedure for an information security event? Si Yes J. Incident Event & Comm Mgmt
J.1.2.2 Escalation procedure? Si Yes J. Incident Event & Comm Mgmt
J.1.2.3 An Incident / Event Response team with defined roles and response related qualifications available 24x7x365? Si Yes J. Incident Event & Comm Mgmt
J.1.2.4 Procedures to collect and maintain a chain of custody for evidence during incident investigation? Si Yes J. Incident Event & Comm Mgmt
J.1.2.5 Feedback process to ensure those reporting information security events are notified of the results after the issue has been dealt with and closed? Si Yes J. Incident Event & Comm Mgmt
J.1.2.6 Event reporting mechanism to support the reporting action, and to list all necessary actions in case of an information security event? Si Yes J. Incident Event & Comm Mgmt
J.1.2.7 Actions to be taken in the event of an information security event? Si Yes J. Incident Event & Comm Mgmt
J.1.2.8 Formal disciplinary process for dealing with those who commit a security breach? Si Yes J. Incident Event & Comm Mgmt
J.1.2.9 Process for assessing and executing client and third party notification requirements (legal, regulatory, and contractual)? Si Yes J. Incident Event & Comm Mgmt
J.1.2.10 Postmortem to include root cause analysis and remediation plan, provided to leadership? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11 Is there an identification of incident process? If yes, does it include: Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.1 Unauthorized physical access? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.2 Information system failure or loss of service? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.3 Malware activity (anti-virus, worms, Trojans)? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.4 Denial of service? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.5 Errors resulting from incomplete or inaccurate business data? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.6 Breach or loss of confidentiality? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.8 Unauthorized logical access or use of system resources? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.9 Containment? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.10 Remediation? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.11 Notification of stakeholders? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.12 Tracking? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.13 Repair? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.14 Recovery? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.15 Feedback and lessons learned? Si Yes J. Incident Event & Comm Mgmt
J.1.2.11.17 Annual testing of the procedures? Si Yes J. Incident Event & Comm Mgmt
J.1.3.1 Loss of service (equipment or facility)? Si Yes J. Incident Event & Comm Mgmt
J.1.3.2 System malfunction or overload? Si Yes J. Incident Event & Comm Mgmt
J.1.3.3 Human error? Si Yes J. Incident Event & Comm Mgmt
J.1.3.4 Non-compliance with policy or guidelines? Si Yes J. Incident Event & Comm Mgmt
J.1.3.5 Breach of physical security arrangement? Si Yes J. Incident Event & Comm Mgmt
J.1.3.6 Uncontrolled system change? Si Yes J. Incident Event & Comm Mgmt
J.1.3.7 Malfunction of software or hardware? Si Yes J. Incident Event & Comm Mgmt
J.1.3.8 Access violation? Si Yes J. Incident Event & Comm Mgmt
J.1.3.9 Physical asset loss or theft? Si Yes J. Incident Event & Comm Mgmt
K.1 Is there an established Business Resiliency program that has been approved by management and communicated to appropriate constituents? If yes, does it include: Si Yes K. Business Resiliency
K.2 Has a Business Impact Analysis been conducted? If yes, does it include: Si Yes K. Business Resiliency
K.2.1 Validation and/or refresh at least annually? Si Yes K. Business Resiliency
K.2.2 Business Activity or Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each activity or process? Si Yes K. Business Resiliency
K.2.3 Identification of applications, data, equipment, facilities, personnel, supplies and paper documents necessary for recovery? Si Yes K. Business Resiliency
K.2.4 Maximum Acceptable Outage / Maximum Tolerable Period of Disruption for each Business Activity or Business Process? Si Yes K. Business Resiliency
K.2.5 Recovery Time Objectives for all essential application systems, network services, and other resources? Si Yes K. Business Resiliency
K.2.6 Recovery Point Objective for all essential application systems? Si Yes K. Business Resiliency
K.2.7 Impact to clients/customers? Si Yes K. Business Resiliency
K.2.8 Capacity to address needs/expectations of all clients/customers? Si Yes K. Business Resiliency
K.2.9 Identification of the recovery requirements for information security and the continuity of information security management? Si Yes K. Business Resiliency
K.3 Is there a formal process focused on identifying and addressing risks of disruptive incidents to the organization? If yes, does it include: Si Yes K. Business Resiliency
K.3.1 Identifying risks associated with disruptions to systems, information, people, third parties, and facilities? Si Yes K. Business Resiliency
K.3.2 Analysis of risks identified and determination of those requiring treatments? Si Yes K. Business Resiliency
K.3.3 Taking action on approved treatments? Si Yes K. Business Resiliency
K.4 Are specific response and recovery strategies defined for the prioritized activities? If yes, does it include: Si Yes K. Business Resiliency
K.4.1 The resource dependencies associated with each prioritized activity? If yes, do they include: Si Yes K. Business Resiliency
K.4.1.1 Personnel (40% or more)? Si Yes K. Business Resiliency
K.4.1.2 Information and data? Si Yes K. Business Resiliency
K.4.1.3 Information and communication technology? Si Yes K. Business Resiliency
K.4.1.4 Work places/buildings? Si Yes K. Business Resiliency
K.4.1.5 Third party services (e.g. partners and suppliers)? Si Yes K. Business Resiliency
K.5 Are formal business continuity procedures developed and documented? If yes, do they Include: Si Yes K. Business Resiliency
K.5.1 Specific actions to be taken in response to a disruptive event? Si Yes K. Business Resiliency
K.5.2 Key impacts including the unavailability of critical resource dependencies? Si Yes K. Business Resiliency
K.5.3 The continuity of Information security activities and processes (e.g. intrusion detection, vulnerability management, log collection)? Si Yes K. Business Resiliency
K.5.4 The continuity of IT operations activities and processes (e.g. network operations, data center operations, help desk)? Si Yes K. Business Resiliency
K.6 Has senior management assigned the responsibility for the overall management of the response and recovery efforts? If yes, does it include: Si Yes K. Business Resiliency
K.6.1 Virtual or physical command center where management can meet, organize, and manage emergency operations in a secure setting? Si Yes K. Business Resiliency
K.6.2 Conditions for activating the plan(s), and the associated roles and responsibilities? Si Yes K. Business Resiliency
K.6.3 Maintenance schedule to review, revise and test the recovery management plan? Si Yes K. Business Resiliency
K.6.4 Roles and responsibilities for those who invoke and execute the plan? Si Yes K. Business Resiliency
K.6.5 Alternate and diverse means of communications in the event standard communication channels are unavailable? Si Yes K. Business Resiliency
K.6.6 Interaction with the media during an event? Si Yes K. Business Resiliency
K.6.7 Resumption procedures to return to normal business operations? Si Yes K. Business Resiliency
K.6.8 Notification and escalation to clients? Si Yes K. Business Resiliency
K.7 Is there a periodic (at least annual) review of your Business Resiliency Program? If yes, does it include: Si Yes K. Business Resiliency
K.8 Are there any dependencies on critical third party service providers? If so, have: Si No K. Business Resiliency
K.8.1 Contact information for key service provider personnel been documented? Si Yes K. Business Resiliency
K.8.1.1 Is the contact information reviewed and updated at least annually? Si Yes K. Business Resiliency
K.8.2 Notification and escalation protocols been established? Si Yes K. Business Resiliency
K.8.3 Communication in the event of a disruption that impacts the delivery of their products and services? Si Yes K. Business Resiliency
K.8.4 Processes been implemented to notify the service provider when their Business Resiliency Procedures are modified? Si Yes K. Business Resiliency
K.9 Is there a formal, documented exercise and testing program in place? If yes, does it include: Si Yes K. Business Resiliency
K.9.1 Specific IT Disaster Recovery exercises and tests that address the unavailability of specific resources? If yes, are the following included: Si Yes K. Business Resiliency
K.9.1.1 Production data center(s)? Si Yes K. Business Resiliency
K.9.1.2 Data stores? Si Yes K. Business Resiliency
K.9.1.3 Recovery supporting personnel (40% or more)? Si Yes K. Business Resiliency
K.9.1.4 Network? Si Yes K. Business Resiliency
K.9.2 Specific business activity exercises and tests that address the unavailability of specific resources, i.e., realistic scenarios? If yes, does it include: Si Yes K. Business Resiliency
K.9.2.1 Information and communication technology? Si Yes K. Business Resiliency
K.9.2.2 Network due to dedicated denial of service / cyber attacks? Si Yes K. Business Resiliency
K.9.2.3 Work places/buildings? Si Yes K. Business Resiliency
K.9.2.4 Personnel? Si Yes K. Business Resiliency
K.9.2.5 Third party services (e.g. partners and suppliers)? Si Yes K. Business Resiliency
K.9.3 Are measurable recovery objectives defined for each exercise and test? If yes, do they include: Si Yes K. Business Resiliency
K.9.3.1 Recovery Time Objectives for all essential application systems, network services, and other resources? Si Yes K. Business Resiliency
K.9.3.2 Recovery Point Objective for all essential application systems? Si Yes K. Business Resiliency
K.9.4 Are the recovery objective attainment results and the issues identified evaluated with improvement actions identified and acted upon? Si Yes K. Business Resiliency
K.9.5 Is the exercise and testing schedule reviewed and enhanced when there are significant changes within the organization or to the environment in which it operates? Si Yes K. Business Resiliency
K.9.6 Is there an annual schedule of planned Business Resiliency exercises and tests? If yes, do they include: Si Yes K. Business Resiliency
K.9.6.1 Evacuation drills? Si Yes K. Business Resiliency
K.9.6.2 Notification procedure and mechanism tests? Si Yes K. Business Resiliency
K.9.6.3 Tabletop exercises? Si Yes K. Business Resiliency
K.9.6.4 Application recovery tests? Si Yes K. Business Resiliency
K.9.6.5 Remote access tests? Si Yes K. Business Resiliency
K.9.6.6 Full scale exercises / end-to-end? Si Yes K. Business Resiliency
K.9.6.7 Production transaction processing? Si Yes K. Business Resiliency
K.9.6.8 Typical business volumes / full capacity? Si Yes K. Business Resiliency
K.9.6.9 Business relocation test? Si Yes K. Business Resiliency
K.9.6.10 Data center failover test? Si Yes K. Business Resiliency
K.9.6.11 Critical service providers included in testing? Si Yes K. Business Resiliency
K.9.6.12 Recovery site tests? Si Yes K. Business Resiliency
K.9.6.13 Assessment of the ability to retrieve vital records? Si Yes K. Business Resiliency
K.9.6.14 Recovery and continuity of information security controls that may be impacted by a Disaster Recovery event? Si Yes K. Business Resiliency
K.9.6.15 Recovery and continuity of information security operational processes and controls that may be impacted by a non-Disaster Recovery event (e.g. loss of physical work place, reduction in available Si Yes K. Business Resiliency
K.9.6.16 Recovery and continuity of IT operational processes and controls that may be impacted by a non-Disaster Recovery event (e.g. loss of physical work place, reduction in available IT operations per Si Yes K. Business Resiliency
K.9.7 Do planned exercises strive to increase the effectiveness of exercise scenarios over time? Si Yes K. Business Resiliency
K.9.8 Are the results of exercises conducted internally shared with customers? No Yes K. Business Resiliency
K.9.9 Are joint exercises conducted with customers? Si Yes K. Business Resiliency
K.9.10 Is there an established exercise scenario addressing cyber resilience? If yes, does it include: No Yes K. Business Resiliency
K.9.10.1 Malware? No Yes K. Business Resiliency
K.9.10.2 Insider Threats? No Yes K. Business Resiliency
K.9.10.3 Data or Systems Destruction and Corruption? No Yes K. Business Resiliency
K.9.10.4 Communications Infrastructure Disruption? No Yes K. Business Resiliency
K.9.10.5 Simultaneous Attack? No Yes K. Business Resiliency
K.10 Is there an Influenza Pandemic / Infectious Disease Outbreak Plan? If yes, does it include: Si Yes K. Business Resiliency
K.11 Is there insurance coverage for business interruptions or general services interruption? If yes, are there: Si Yes K. Business Resiliency
L.1 Is there an internal audit, risk management, or compliance department, or other management oversight unit with responsibility for identifying and tracking resolution of outstanding regulatory issues? Si Yes L. Compliance
L.1.1 Does the audit function have independence from the lines of business? Si Yes L. Compliance
L.1.2 Are audits performed to ensure compliance with any legal, regulatory, or industry requirements? Si Yes L. Compliance
L.1.3 Are there staff dedicated to compliance and risk responsibilities? Si Yes L. Compliance
L.1.4 Is training to employees on legislative and regulatory requirements provided and updated on a regular basis? Si Yes L. Compliance
L.1.5 Are management reporting or reporting to government agencies maintained in accordance with applicable law? Si Yes L. Compliance
L.2 Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements to address intellectual property rights on business processes or informatio Si Yes L. Compliance
L.3 Is there a records retention policy covering paper & electronic records, including email in support of applicable regulations, standards and contractual requirements? Si Yes L. Compliance
L.4 Is licensing maintained in all jurisdictions where the business is or where licensing is required? Si Yes L. Compliance
L.5 Is there an internal compliance and ethics program to ensure professional ethics and business practices are implemented? Si Yes L. Compliance
L.5.1 Is there an official whistleblowing policy and/or procedure to report compliance issues? Si Yes L. Compliance
L.5.2 Are there policies and procedures to address bribery, corruption or the prohibition of providing monetary offers to government officials, corporate representatives? Si Yes L. Compliance
L.5.3 Are there policies and procedures for corporate governance and public responsibility? Si Yes L. Compliance
L.5.4 Are there policies and procedures to maintain compliance with international requirements for trade and export? Si Yes L. Compliance
L.5.5 Are there policies and procedures to address internal/external due diligence of business partners and business initiatives? Si Yes L. Compliance
L.5.6 Are there defined monitoring and oversight functions for suspected fraud instances or fraud investigation? Si Yes L. Compliance
L.5.7 Are there mechanisms in place to notify client for suspected or actual fraudulent activity? Si Yes L. Compliance
L.6 Are marketing or selling activities conducted directly to Client's customers? If yes, is/are there: Si No L. Compliance
L.6.1 A formal consumer protection compliance program? Si Yes L. Compliance
L.6.2 Training conducted for employees or agents with customer contact on consumer protection compliance responsibilities? Si Yes L. Compliance
L.6.3 Processes in place to review call center scripts or call monitoring to identify compliance issues? Si Yes L. Compliance
L.6.5 Training conducted for employees or agents with customer interaction on compliant marketing practices? N/A Yes L. Compliance
L.6.6 Policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices? Si Yes L. Compliance
L.7 Are there direct interactions with your client's customers? If yes, is/are there: Si No L. Compliance
L.7.1 A formalized complaint management function, including reporting within the organization? Si Yes L. Compliance
L.7.2 A process to provide periodic summary reports regarding types and resolution of complaints? Si Yes L. Compliance
L.7.3 A process to receive and respond to complaints or requests from government agencies, including state attorneys general? Si Yes L. Compliance
L.7.4 Calls recorded for telemarketing purposes or collections purposes? Si Yes L. Compliance
L.7.5 Records retained for consumer complaints? Si Yes L. Compliance
L.7.6 An escalation process to address complaints to management and the client? Si Yes L. Compliance
L.8 Are policies and procedures maintained for enabling compliance with applicable legal, regulatory, statutory, or contractual obligations related to any information security requirements? Si Yes L. Compliance
L.8.1 Are procedures maintained for compliance with log-on banners to inform users of restrictions to access of data? Si Yes L. Compliance
L.8.2 Are vulnerability testing and remediation processes maintained to meet information security requirements in accordance with applicable law or industry standards? Si Yes L. Compliance
L.8.3 Are web site(s) maintained or hosted for the purpose of advertising, offering or managing or servicing accounts, products or services to client? Si Yes L. Compliance
L.9 Is there a formalized governance process to identify and assess changes that could significantly affect the system of internal controls for security, confidentiality and availability? Si Yes L. Compliance
L.9.1 Is there a formalized process for receiving, monitoring and where necessary implementing regulatory alerts? Si Yes L. Compliance
L.9.2 Are regulatory tracking reports maintained? Si Yes L. Compliance
L.10 Are accounts opened, transactions initiated or other account initiation activity applying payments, taking payments, transferring funds, etc. through either electronic, telephonic, written or in-pers N/A Yes L. Compliance
L.10.1 Are customer account activities monitored for unusual or suspicious activity? Si Yes L. Compliance
M.1 Are constituents allowed to utilize mobile devices within your environment? If yes, which of the following functions are allowed: Si No M. Mobile
M.1.1 View Scoped Data? Si No M. Mobile
M.1.2 Process Scoped Data? Si No M. Mobile
M.3 Is there a mobile device management program in place that has been approved by management and communicated to appropriate constituents? Si Yes M. Mobile
P.1 Is Scoped Data transmitted, processed, or stored that can be classified as non-public information (NPI), personally identifiable information (PII), or sensitive customer financial information? If yes Si Yes P. Privacy
P.1.2 Is a response program maintained that includes policies and procedures to address privacy incidents, unauthorized disclosure, unauthorized access or breach of Scoped Data? No Yes P. Privacy
P.2 Is Scoped Data transmitted, processed, or stored that can be classified as Protected Health Information (PHI), electronic health records, or personal health records of a covered entity? If yes, ident Si Yes P. Privacy
P.2.7 Is a business associate contract in place to address obligations for the privacy and security requirements for the services provided? Si Yes P. Privacy
P.3 For Scoped Data, is personal information about individuals transmitted to or received from countries outside the United States? If yes, list the countries. Si No P. Privacy
P.3.8 Is there privacy awareness training provided to constituents regarding their obligation to data protection? No Yes P. Privacy
P.5 Is there a documented privacy policy or procedures for the protection of information transmitted, processed, or maintained on behalf of the client? Si Yes P. Privacy
P.6 Are there regular privacy risk assessments conducted? If yes, provide frequency and scope. If no, explain reason. Si Yes P. Privacy
P.7 Is there a data classification retention program that identifies the data types that require additional management and governance? Si Yes P. Privacy
P.7.1 Are there documented policies, procedures, and controls to limit access based on need to know or minimum necessary for constituents? If yes, describe. Si Yes P. Privacy
P.11 Are transactions for covered accounts accessed, modified, or processed, including address changes and discrepancies? If yes, describe. No Yes P. Privacy
Q.1 Is Software provided? Si Yes Q. Software Security
Q.1.1 Is there a secure software development lifecycle policy (including mobile software applications) that has been approved by management, communicated to appropriate constituents and an owner to maintai Si Yes Q. Software Security
Q.1.1.1 Has the policy been reviewed in the last 12 months? If yes, did it include: Si Yes Q. Software Security
Q.1.1.1.1 Feedback from interested parties? Si Yes Q. Software Security
Q.1.1.1.2 Results of independent reviews? No Yes Q. Software Security
Q.1.1.1.3 Policy compliance? Si Yes Q. Software Security
Q.1.1.1.4 Changes that could affect the approach to managing information security? No Yes Q. Software Security
Q.1.1.1.5 Reported information security incidents? Si Yes Q. Software Security
Q.1.1.1.6 Recommendations provided by relevant authorities? No Yes Q. Software Security
Q.1.1.1.7 Records management? Si Yes Q. Software Security
Q.1.1.2 Is there a process to approve exceptions to the policy? Si Yes Q. Software Security
Q.1.1.2.1 Does security own the approval process? Si Yes Q. Software Security
Q.1.1.3 Is the SDLC policy communicated? If yes, to: Si Yes Q. Software Security
Q.1.1.3.1 Full time constituents? Si Yes Q. Software Security
Q.1.1.3.2 Part time constituents? N/A Yes Q. Software Security
Q.1.1.3.3 Contractors? N/A Yes Q. Software Security
Q.1.1.3.4 Temporary workers? N/A Yes Q. Software Security
Q.1.2 Is a secure code review performed? If yes, what is the frequency: Si Yes Q. Software Security
Q.1.2.1 As developed? Si Yes Q. Software Security
Q.1.2.2 Monthly? No Yes Q. Software Security
Q.1.2.3 Quarterly? No Yes Q. Software Security
Q.1.2.4 Annually? No Yes Q. Software Security
Q.1.2.5 Other? Si Yes Q. Software Security
Q.1.2.6 Third party review? No Yes Q. Software Security
Q.1.3 Are applications given ratings that reflect the types of data accessed (e.g., high, medium, low)? Si Yes Q. Software Security
Q.1.4 Are the risks from internal and external sources clearly understood based on risk exposure? Si Yes Q. Software Security
Q.1.5 Is there a Software Security Group responsible for application security? Si Yes Q. Software Security
Q.1.6 Is a security architecture risk analysis performed when new platforms are designed? If yes, does it include: Si Yes Q. Software Security
Q.1.6.1 Security feature review, i.e., authentication, access controls, use of cryptography, etc.? Si Yes Q. Software Security
Q.1.6.2 Security architecture design review for high risk applications? Si Yes Q. Software Security
Q.1.6.3 Threat modeling into the business requirements/design process of the SDLC? Si Yes Q. Software Security
Q.1.6.4 Review when major changes are introduced into applications? Si Yes Q. Software Security
Q.1.7 Is there a secure application development life cycle process? If yes, does it include: Si Yes Q. Software Security
Q.1.7.1 Common vulnerabilities/bugs that need to be eliminated? Si Yes Q. Software Security
Q.1.7.2 Secure code reviews against the entire code base in the development phase? Si Yes Q. Software Security
Q.1.7.3 Review by qualified individual? Si Yes Q. Software Security
Q.1.7.4 Use of automated code review tools? No Yes Q. Software Security
Q.1.7.5 Remediation of findings? Si Yes Q. Software Security
Q.1.7.6 Formal software security training for developers? Si Yes Q. Software Security
Q.1.7.7 Security experts that work with developers for every application? Si Yes Q. Software Security
Q.1.7.8 Outsourcing development? If yes, describe: No Yes Q. Software Security
Q.1.7.9 All developers subject to the SDLC? Si Yes Q. Software Security
Q.1.7.10 Identification of security defects documented and communicated with development to prevent reoccurrence? Si Yes Q. Software Security
Q.1.8 Is there a QA and/or UAT process? If yes, does it include: Si Yes Q. Software Security
Q.1.8.1 Edge/boundary value condition testing? Si Yes Q. Software Security
Q.1.8.2 Testing procedures to determine whether security features are effective? If yes, are they: Si Yes Q. Software Security
Q.1.8.2.1 Derived by obtaining a list of security features by the architecture group? Si Yes Q. Software Security
Q.1.8.3 Dynamic scanning against web based applications while in the Q/A phase? If no, is there a: NA Yes Q. Software Security
Q.1.8.3.1 Form of black box testing or scripts specific to abuse cases that are used? Si Yes Q. Software Security
Q.1.8.4 Remediation of security vulnerabilities identified? Si Yes Q. Software Security
Q.1.8.5 Fuzz testing (e.g., small #'s, large #'s, negative values, binary sequences, command line inputs, random values, etc.)? Si Yes Q. Software Security
Q.1.9 Is each release subject to a full secure code review? Si Yes Q. Software Security
Q.1.10 Are penetration tests performed? If yes, are they: Si Yes Q. Software Security
Q.1.10.1 Performed by a 3rd party? No Yes Q. Software Security
Q.1.10.2 Internal Penetration Testers? If yes, are they: Si Yes Q. Software Security
Q.1.10.2.1 Part of the development group? No Yes Q. Software Security
Q.1.10.3 Consistently use the same approach (e.g., tools, methods, time spent, etc.)? Si Yes Q. Software Security
Q.1.10.4 Performed on a set frequency? If yes, describe: Si Yes Q. Software Security
Q.1.10.5 Issues remediated? Si Yes Q. Software Security
Q.1.10.6 Conducted on the complete production version, not just the components? Si Yes Q. Software Security
Q.1.10.7 Any un-remediated Penetration Test issues in the application under review? Si Yes Q. Software Security
Q.1.10.8 Authenticated when a Penetration Test is performed? Si Yes Q. Software Security
Q.1.10.9 Performed in the production environment? Si Yes Q. Software Security
Q.1.11 Are discovered vulnerabilities communicated to developers? If yes, explain Si Yes Q. Software Security
Q.1.12 Does the Software Security Group interface with the Incident Response group or function? If yes, are: Si Yes Q. Software Security
Q.1.12.1 Vulnerabilities identified by the Incident Response group provided to the Software Security Group? Si Yes Q. Software Security
Q.1.13 Does the incident response process include steps to identify root cause and prevent reoccurrence? Si Yes Q. Software Security
Q.1.14 Are hosted production applications monitored for vulnerabilities? Si Yes Q. Software Security
Q.1.15 Are third party code reviews performed prior to release into production? No Yes Q. Software Security
Q.1.16 Is there a Change or Configuration Management policy or program? If yes, does it include: Si Yes Q. Software Security
Q.1.16.1 Vulnerability Management to ensure code has been properly analyzed? Si Yes Q. Software Security
Q.1.17 Are applications analyzed on a regular basis to determine their vulnerability against recent attacks? Si Yes Q. Software Security
Q.1.18 Are any vulnerabilities identified in production fed through the same mechanisms used to track and remediate results from Penetration Tests? Si Yes Q. Software Security
Q.1.19 Are library modules used in the development of the application? If yes, are they: Si Yes Q. Software Security
Q.1.19.1 Inventoried? Si Yes Q. Software Security
Q.1.19.2 Identified as to which application the libraries or modules are used in? Si Yes Q. Software Security
Q.1.19.3 Version reviewed at least every 6 months? Si Yes Q. Software Security
Q.1.19.4 Open source? No Yes Q. Software Security
V.1 Are Cloud Services provided? If yes, what service model is provided (select all that apply): No Yes V. Cloud Security