Internet Banking Internal Control Questionnaire




Completed by:
Date Completed:

1. Has the institution developed and implemented a sound system of internal controls over Internet banking technology and systems?
2. Are technology planning and strategic goals consistent with corporate policies and legal requirements?
3. Are sources of technology support periodically reviewed to ensure they:
   a. Continue to fit the institution's business plan?
   b. Are flexible enough to provide for future needs?
4. Have internal accounting controls been established to safeguard the assets and reliability of financial records (including transaction records and trial balances)?
5. Is the institution's policy for monitoring employee use of data communication networks, including e-mail and the Internet:
   a. Approved by the board of directors?
   b. Provided in written format to all employees?
6. Are employees informed of the consequences of violating the institution's policies on network use?
7. Are appropriate firewalls in place to prevent unauthorized access to the institution's systems?
8. Are intruders prevented from gaining access to names and addresses on the institution's internal network?
9. Are external devices attempting to access internal addresses suspected and screened out?
10. Is address screening used to filter out messages with inappropriate source addresses?
11. Is a device in place to test the system's rules to prevent deviations from established rules?
12. Is application screening used to prevent:
    a. Inappropriate instructions from entering the system?
    b. Unauthorized access to the administrator level of the server?
13. Does the system create a database and look for inappropriate responses by the server to messages or inquiries?
14. Does each user have an individual user ID and unique password?
15. Is network hardware stored in a secure location so that it is accessible only to authorized personnel?
16. Are time-of-day controls used to restrict access to the network?
17. Is after-hours access to personal computers (PCs) and the institution's network restricted to prevent unauthorized use?
18. In order to protect the network when a PC is left unattended:
    a. Are time-out password controls used?
    b. Are users required to log out of the network when leaving their work area?
19. Are placement of and access to modems attached to the network limited only to authorized individuals?
20. Is anti-virus software used to check all diskettes and downloads from any unsecured areas?
21. Is access to and use of administrator-level capabilities of the firewall hardware and software restricted?
22. Is all activity logged, and are logs reviewed for anomalies or unusual activity?
23. Are audits of the controls and firewalls conducted on a regular basis?
24. Are default settings tested to ensure that only authorized firewall functions are permitted?
25. Is a review conducted on a regular basis for the following:
    a. Frequency of password changes for employees with authorized access to the network?
    b. Screening of employees who developed or installed the network?
26. Is the use of digital signatures required to authenticate the bank, users, and transactions?
27. Are digital signatures issued, managed, and certified by an external vendor? (If not, describe the procedures used.)
28. If the institution acts as its own certificate authority (CA):
    a. Is the digital signature system open or closed?
    b. Are written policies and procedures in place for the issuance, renewal, and revocation of certificates?
    c. Are subscribers' credentials established and verified according to the institution's written procedures?
    d. Are the administrative reporting systems adequate to provide for directory lookup and auditing (i.e., time stamping)?
29. Is the CA area adequately secured and:
    a. Are controls in place to protect servers housing CA information and directories?
    b. Does contingency planning provide for customer needs in case of system failure or disaster?
    c. Does the CA conform to established standards (e.g., NIST or IETF)?
    d. Has an audit process been established and put in place?
    e. Is the institution staying current on applicable laws?
    f. Has the institution addressed the legal implications of providing a CA function?
    g. Does the CA establish classes of certificates based on message or transaction sensitivity?
    h. Have limitations been established for certificates such as:
       - The number of transactions?
       - The type of transactions?
       - Expiration dates?
30. Does the institution periodically perform a cost/benefit analysis of the business?
31. Does the institution use biometric devices for authentication purposes?
32. Has a risk assessment, audit, or cost/benefit analysis been performed on the biometric devices used for authenticating the transaction to be processed? (Indicate results.)
33. Have acceptable biometric tolerances been established for authenticating the transaction to be processed?
34. Are management reports prepared that address statistical performance of the biometric authentication devices being used?
35. Are controls in place to monitor system performance for:
    a. Transaction volume?
    b. Response times?
    c. Availability and downtime?
    d. Capacity reports?
    e. Customer service logs and complaint summaries?
36. Does management have a plan to project future system needs to ensure continued availability of the network to meet increasing customer demands?
37. Does the institution have the ability to provide customer service and support for the Internet banking products and services?
38. If customer service is outsourced:
    a. Are the vendor's responsibilities for attaining established service levels documented?
    b. Does management monitor customer problems, demands, or complaints?
39. Have customer service levels been established and communicated to the individuals who provide support?
40. Does management:
    a. Monitor adherence to service levels?
    b. Assess the adequacy of customer service?
    c. Take the appropriate steps to deal with deficiencies in customer support and service?
41. Is approval required to initiate program changes?
42. Are program changes approved at critical points during the development process?
43. Do written procedures exist, and are they followed, for emergency and temporary software fixes?
44. Does change control documentation provide adequate audit trails and support for software changes?
45. Are written procedures in place that address the mode of distribution of all software released?
46. Are all new releases adequately tested prior to distribution?
47. Are controls in place to guard against virus infection during distribution of the software and to ensure the integrity of the software?
48. Does the institution rely on a third-party Internet service provider (ISP) to support access to Internet banking services? If so:
    a. Does the ISP's performance meet service level agreements?
    b. Is it the ISP's responsibility to monitor the institution's Internet links and report when these links are down or unavailable?
    c. Does the ISP have a contingency plan and business recovery capabilities?
    d. Has the contingency plan been tested, and has a written copy of the testing results been obtained and reviewed for deficiencies?
    e. Does the ISP have adequate support staff?
    f. Is the institution subject to differing service access types that may cause less than acceptable support?
    g. Does the ISP provide institution-defined filtering, or do the institutions establish their own firewall filtering parameters?
    h. Does the ISP have sound controls over changes to the institution's Internet address? Describe them.
    i. Does the ISP have sound security standards and practices in place?
    j. Has the institution assessed the soundness of the ISP's financial condition?
49. Is a risk assessment or audit performed on key management practices?
50. Has the internal auditing staff been involved in the planning and implementation of the Internet banking system?
51. During internal and external audit exams:
    a. Are vendor management processes evaluated?
    b. Is the relationship of specific vendors as they relate to information systems and technology evaluated?
52. Has management conducted an evaluation of vendor controls such as:
    a. Security controls and reporting?
    b. Security for access control, user authentication, and data privacy?
    c. Security monitoring activities, including:
       - Real-time intrusion detection?
       - Penetration testing of offsite or in-house networks?
    d. The vendors' ability to meet negotiated standards of service levels?
    e. Testing conducted by the vendor prior to distribution of the product?
    f. Virus detection processes?
    g. Contingency planning and business resumption plans?
53. Does the audit function review the consistency between the institution's disclosed security and privacy standards and the actual practices of the institution?
54. Does the institution outsource its Internet banking processing?
    a. If so, has the institution reviewed the regulatory agency examination report of the vendor?
55. Does the institution use encryption to provide for data privacy, security, and verification?