IT-Questionnaires AIRES

Charter Eff. Date 01/00/1900

Note: Gray cells are populated when the completed box is checked on the associated questionnaire.

Scoping/Exam Prep.
IT-Profile
IT-Items Needed
IT-Pre-Exam Update

Required - FCU & FISCU Exam > $250 Million | Completed | Use?


IT-Expanded 748 Compliance y

Tier 1 Review
IT-Anti-Virus & Malware y
IT-Audit Program y
IT-Business Continuity y
IT-Electronic Banking y
IT-Networks y
IT-Policy Checklist y

Tier 2 Review
IT-Firewalls y
IT-IDS-IPS y
IT-Pen Test Review y
IT-Physical & Environmental y
IT-Remote Access y
IT-Routers y
IT-Servers y
IT-Virtualization y
IT-Wireless Networks y

Overall Workbook Comments:


IT - Profile
Objective: Perform initial assessment of IT services to assist in developing examination scope for the IT rev

5300 Question | 5300 Response | IT Services Score

CREDIT UNION DATA

Name 0
Asset Size 0
Number of Members 0
Number of Transactional Website Users: 0
COMPLEXITY SCORE: 0
COMPLEXITY RATING: Low

INFORMATION SYSTEMS AND TECHNOLOGY (IS&T)

1 Does the credit union have a website? N/A


1a If yes, what is the website address
1b If yes, is the website hosted internally?
1c If yes, please indicate the type of website (select only one): 1 = Informational, 2 = Interactive, 3 = Transactional
1d If the credit union has a transactional website, please provide the name of the primary vendor used to deliver such services.
2 If the credit union does not have a website and plans to add one in the future:
2a Please identify the type of website: 1 = Informational, 2 = Interactive, 3 = Transactional
2b If the credit union plans to add a transactional website, please provide the name of the primary vendor to deliver such services.
2c Please provide an implementation date.
3 If the credit union has an organizational email address, please provide it. N/A
4 Does the credit union have Internet access? N/A
5 Does the credit union have an internal wireless network? N/A
6 Which best describes the system the credit union uses to maintain its share and loan records (Manual, Vendor supplied in-house, Vendor online service bureau, Credit union developed in-house, Other)? N/A

7 Indicate the name of the primary share/loan data processing vendor. N/A
8 How do your members access/perform electronic financial services (select all that apply):
8a Home Banking via Internet Website N/A
8b Audio Response/Phone Based N/A
8c Automatic Teller Machine (ATM) N/A
8d Mobile Banking N/A
8e Kiosk N/A
8f Other N/A
9 What services do you offer electronically (select all that apply):
9a Account Aggregation N/A
9b Account Balance Inquiry N/A
9c Bill Payment N/A
9d Download Account History N/A
9e Electronic Cash N/A
9f Electronic Signature Authentication/Certification N/A
9g e-Statements N/A
9h External Account Transfers N/A
9i Internet Access Services N/A
9j Loan Payments N/A
9k Member Application N/A
9l Merchandise Purchase N/A
9m Merchant Processing Services N/A
9n New Loan N/A
9o New Share Account N/A
9p Remote Deposit Capture N/A
9q Account Share Transfers N/A
9r Share Draft Orders N/A
9s View Account History N/A
Other (please specify) N/A

DATA PROCESSING CONVERSION
Date of Conversion N/A
Data Processor Converting/Converted to N/A

DISASTER RECOVERY INFORMATION

In the event of a disaster, will the credit union communicate with members through a website? N/A
Please provide the date of the last disaster recovery test completed by the credit union. N/A

CREDIT UNION SERVICE ORGANIZATION (CUSO)

Electronic transaction services No


* Is the CUSO wholly owned by the credit union? N/A


IT - Items Needed
Comment to the Credit Union: This is a list of items needed for the IT review. Applicable items
requested for this review are indicated with a "Yes". All items should be available at the start of the
examination. Please number the items to correspond with the numbering system below, provide
electronic versions of documents or reports, and include the lead contact person and phone number in the
comment box. If an item is unavailable, please state why in the comment box.

Description Yes/No/NA Comments


NCUA Rules & Regulations Part 748 A&B
1 Information Security Program in compliance with Part 748, Appendix A. Response Program to Unauthorized Access to Member Information in compliance with Part 748, Appendix B.
2 IT related policies/procedures/operating standards or
guidelines not included with item 1 above.
3 Risk assessment of threats to member information in
compliance with Part 748, Appendix A.
4 Minutes of IT and supervisory committee meetings.
5 Recent monthly performance monitoring reports.
6 IT Strategic Plan.
7 Internal audit plans, if applicable, to review IT as well as
results of any IT reviews done since the last examination.
8 Most recent risk review reports/comments on IT or e-
commerce along with management's response.
9 Listing of current IT projects
10 Summary of planned changes, if any, to key personnel,
software, hardware, or operating procedures.
11 List of any IT incidents, intrusions, or attacks since the last
examination (include management's response).
12 Board reports on IT security, program changes, results of
vulnerability assessments, intrusions, etc.
Vendor Management (subset of 748A)
13 Listing of IT vendors and service providers.
14 Due diligence reviews of vendors (include contract reviews,
analysis of financials, review of Service Organization Control
Reports, vulnerability scan summaries, business continuity
tests, agreements, etc.).
15 Key vendor contracts and evidence of contract reviews.
16 Review procedures for ensuring vendor compliance with
Service Level Agreements.
17 Records Preservation policy and Records Storage Log.
IT Audit
18 Last audit review of employee access privileges and controls
for timely removals or modifications.
19 Remediation process with supporting documentation for
internally and externally conducted IT audits.
20 Risk-based audit schedule.
21 Listing of IT audits performed and their frequency.
22 External audits done on IT control procedures.
Business Continuity Planning
23 Business Continuity Plan (BCP).

24 Business Impact Analysis (if separate from BCP).
25 Departmental/business unit recovery procedures.
26 Data center tour.
27 Results of recent disaster recovery tests, including the scope of
test procedures performed.
28 Summary of insurance policy coverages for e-commerce,
electronic crime, and loss of records/equipment.
Electronic Banking
29 Risk assessments for electronic banking services offered.
30 Listing of authentication mechanisms and other layered
controls in place to comply with FFIEC guidance.
31 Self assessment or internal audit reviews of compliance for IT
products and services (include website).
32 List of weblinking relationships (include agreements and due
diligence reviews of linked partners).
33 Electronic banking monitoring procedures for each of the
following services offered:
a) Internet banking
b) Telephone banking
c) Bill Payment
d) Mobile banking
e) External Account Transfers
f) Remote Deposit Capture
g) Mobile payments
34 Summary of relationships with CUSOs providing electronic
services.
Network
35 Listing of IT administrators and security officers. Provide a
description of experience, training, and certifications related to
IT.
36 Listing of personnel and vendors with special access
privileges to administer operating systems, networks, and
applications.
37 List of employees, vendors, and officials with remote access
privileges.
38 Log management policies and procedures.
39 Logging and review procedures for firewalls and intrusion
detection/intrusion prevention systems.
40 Listing of key software and electronic services (include
audit/monitoring software).
41 Inventory list of IT equipment (include servers and a list of
services offered on each).
42 Network topology diagram (databases, servers, routers,
firewalls, communication lines, and remote access).

43 Results of recent security assessments and vulnerability scans
(include management's response).
44 List of firewall rules (include comments explaining the
purpose of each rule and open port).
45 Print out of wireless network administrative settings (if
applicable).
Overall Questionnaire Comments:


IT Pre-Exam Update
Objective: Allow Credit Union IT management to provide an overview of the IT environment prior
to commencement of field exam work.
Question Response
1. What type of data processing system (in-house, on-line, etc.)
does the credit union use? Who is the provider and what version
of the program is the credit union using?
2. Has there been a computer conversion or any substantial software changes since the last exam? If so, list the changes and the dates they were made.
3. Describe senior IT management changes, if any, that have
occurred since the last exam. List specific reasons for the
changes and the affected positions.
4. Has the credit union entered into any new IT related contracts
since the last exam? What is the type and nature of the
contract(s)? Do the contracts establish measurable service level
agreements where appropriate? Have the contracts been
reviewed by legal counsel and the technology committee?

5. Describe management’s vendor procurement process and due diligence review procedures.
6. Describe how management integrates technology strategic planning into the overall corporate business plan. Describe planned technology changes for the next year, and list anticipated effective dates of change.
7. Who is responsible for the risk assessments? How are risk
assessment results reported to the Board? Identify date, scope,
and frequency of validation methods employed for testing key
controls.
8. What virus protection and security scanning tools do you use
to scan the network? How often are scans performed and
signatures updated?
9. Describe your computer use policy. Does your policy allow
personal use of credit union PCs? Is downloading executable
files from the Internet or using personal software prohibited? Do
policies prohibit taking credit union files home or elsewhere?
How are employees informed of these policies and the
consequences of violating them?

10. Does the credit union use virus wall, spam blocking, web filtering, or enterprise distribution control programs? If so, describe how these systems are implemented (e.g., control workstation content, update virus signatures, scan e-mail, and monitor Internet use). Who is responsible for maintaining and monitoring these tools? What reporting is regularly made?

11. Describe the process for determining and periodically reviewing user access levels. What process is in place to handle the addition, deletion, or modification of employees’ and vendors’ access to networks, applications, servers, routers, etc.? Have background checks been performed on employees with privileged IT access? How often are background checks updated?

12. Is a wireless access point to the network in use? If so,
describe your usage of wireless networking and explain how the
wireless networks are secured.
13. Who is granted remote access to the network? List all remote users, the type of connection (VPN, dial-up modem, Internet, etc.), and how the remote user access is monitored and controlled.
14. How often are firewall logs, system audit logs, and network
event logs reviewed? Are log files backed up? Who is
responsible for the reviews, and how are the reviews
documented?
15. Do you have an Intrusion Detection System (IDS) or an
Intrusion Prevention System (IPS)? If so, are the systems being
monitored in-house or externally? What information is regularly
reported?
16. Have there been any IT incidents, intrusions, or attacks since
the last examination? If so, describe what happened. Include the
date and management’s response.
17. Describe back-up procedures and the disaster recovery
testing process. When were disaster plans last tested? Indicate
the scope and results of recent tests. Describe your backup
processing site (e.g. is it a hot site, cold site, dual site, location
by city and state).

Examiner's Comments:


IT - Expanded 748 Compliance


Scope: Determine the extent of compliance with NCUA Rules and Regulations, Part 748, Appendix A and the overall
effectiveness of the credit union's information security program.
Resources: Gramm–Leach–Bliley Act of 1999 (GLBA) “Interagency Guidelines Establishing Information Security
Standards” (501(b) guidelines), NCUA Rules and Regulations Part 748, Appendix A, FFIEC IT Handbooks, and NIST
800-53 and NIST 800-61. Note: the NCUA regulation citation is referenced after the question in the Core Review.

Question Yes/No/NA Comments


Core Review: 20 Questions
Information Security Program
1 Is the board of directors, or an appropriate board committee,
involved in developing and/or implementing the member
Information Security Program (ISP)? (III. A)
2 Does management report to the board of directors, at least
annually, on the overall status of the program in compliance
with Part 748, Appendix A and B guidelines? (III. F)

3 Does the credit union have a documented risk assessment process? (III. B)
4 Is the credit union properly managing and controlling risk by
mitigating risks identified in the risk assessment process? (III.
C)
5 Has management adopted appropriate security measures
within the ISP to address access controls on member
information systems? (III. C. 1.a)
6 Does the ISP address physical access controls to facilities and
equipment where data files and archives of sensitive member
information are maintained? (III. C. 1.b)
7 Is the use of encryption of electronic member information
either in transit or storage addressed in the ISP? (III. C. 1.c)

8 Does the ISP address change control procedures designed to ensure that system modifications are consistent with the credit union's information security program? (III. C. 1.d)
9 Does the ISP include proper implementation of dual controls, segregation of duties, and background checks? (III. C. 1.e)
10 Are monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems included in the ISP? (III. C. 1.f)
11 Is a response program that specifies actions to be taken when the credit union suspects or detects unauthorized access to systems, including appropriate reports to regulatory and law enforcement agencies, included in the ISP? (III.C.1.g)
12 Does management have a documented plan to protect against destruction, loss, or damage of member information due to potential environmental hazards? (III. C. 1.h)

13 Do staff receive training to comply with the information security program? (III. C. 2)
14 Are key information security program controls, systems, and
operating procedures regularly tested? (III. C. 3)

15 Does the ISP address appropriate procedures to dispose of
member information and consumer information? (III.C.4 )

16 Does the ISP include procedures to effectively oversee critical service provider arrangements? (III. D)
17 Does Management monitor, evaluate, and adjust the program,
as needed and based on changes to the risk assessment? (III.
E)
18 Has management developed and implemented a risk-based
response program to address incidents of unauthorized access
to member information?
19 Is the program appropriate for the size and complexity of the
credit union and the nature and scope of its activities?

20 Does the program outline procedures to address incidents of unauthorized access to member information in systems maintained by its domestic and foreign service providers?

Expanded Review: 60 Questions Yes/No/NA Comment


Risk Assessment
21 Has the credit union properly categorized and assessed the
risks to its information assets?
22 Does the credit union effectively update the risk assessment
prior to making system changes, implementing new products
or services, or confronting new external conditions that would
affect the risk analysis?

Access Controls
23 Are perimeter protections including firewalls, malicious code
prevention (anti-virus), outbound filtering (data leak
prevention - DLP), and security monitoring in place?
24 Do procedures address remote access controls for wireless,
VPN, modems, and Internet-based access?
25 Are there procedures to address the administration and
periodic review of access rights at enrollment, change of
duties, and at employee separation?
26 Are there minimum configuration standards enforced for user
ID and password content?
27 Are user accounts automatically locked until released by an
administrator or delayed access when the maximum number of
unsuccessful attempts is exceeded?
Physical Controls
28 Is access to the data center (computer room) or areas
containing member information adequately controlled?
29 Are areas containing member data or information systems
secured with security devices that provide monitoring and/or
logs of failed and successful access?

30 Are the communication routers/switches and patch panels that
are not located within the computer facility adequately
secured?
31 Does the data center (computer room) have adequate fire
suppression controls?
32 Is the computer room climate adequately controlled?
33 Does the data center (computer room) have sufficient backup
power (UPS and/or generator)? Describe its capacity.

Encryption
34 Does the Risk Assessment, ISP, or other documented
guideline document the minimum encryption standard?
35 Is critical and/or sensitive data in transit encrypted?
36 Is critical and/or sensitive data in storage encrypted?
Change Management
37 Does the credit union have written change management
procedures that address management approval, scheduled
upgrades, testing, and implementation?
38 Does the credit union employ automated processes to update
workstations and servers?
39 Does Management have a formal process to determine the
types of changes to the information system that are allowed?

Monitoring
40 Are the appropriate system logging functions enabled to
capture audit trails related to network components?
41 Has management implemented automated methods to convert
logs with different content and formats to a single standard
format with consistent data field representations?

42 Are system, security, and server logs reviewed on a regular basis to detect inappropriate activity?
43 Has management established standards for log file size,
security, and retention timeframes?
44 Does management have a program in place to monitor
physical controls access logs (badge readers, cameras…)?

Incident Response - (See also 748 Appx B - last section)


45 Does the ISP address the establishment of an incident response
team?
46 Are there procedures for assessing the nature and scope of an
incident, and identifying what member information systems
and types of member information have been accessed without
permission?

47 Are there appropriate steps to contain and control the incident
to prevent further unauthorized access to or use of member
information?
48 Do procedures address the actions of external vendors if
managed services (outsourced firewall and network security)
are used?
Disaster Recovery/Business Continuity
49 Is the BCP/DRP appropriate for the size and complexity of the
credit union?
50 Does the credit union test the contingency plan using a defined
test to determine the plan’s effectiveness, organizational
readiness, and document results to initiate corrective actions?

51 Does the credit union conduct regular backups of user-level and system-level information?
Security Awareness Training
52 Is there a formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, and coordination among organizational entities?
53 Does Management provide basic security awareness training
to all information system users (including managers, senior
executives, and contractors) as part of initial training for new
users, and when required by system changes?

54 Does the credit union document and monitor individual security training activities including basic security awareness training and specific information system security training?

Information Destruction
55 Does management sanitize information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse?
Vendor Oversight
56 Is the vendor oversight program appropriate for the size and
complexity of the credit union's outsourced services?

57 Do contracts contain the required language and clauses to comply with regulations or laws?
58 Does the vendor oversight program establish standards for
documenting initial and ongoing vendor reviews performed by
credit union management?
59 Does the oversight program contain a component to rate
vendors according to the criticality or risk of service provided?

60 Is there a contract management process in place to address
legal review, monitoring of service level and information
security agreements, and renewal and cancelation timeframes?

61 Has management evaluated the adequacy of the vendor's incident response practices and contractual notification requirements based on the outsourced service?
62 Have third party incident response practices been evaluated
and incorporated into the credit union's procedures?

63 Does management determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service provider’s security are supported by the financial institution’s risk assessment?
Part 748 Appendix B - Response Programs for
Unauthorized Access to Member Information
Does the credit union's response program contain:
64a Procedures for assessing the nature and scope of an incident,
and identifying what member information systems and types
of member information have been accessed without
permission?
64b Notifying the appropriate NCUA Regional Director, and, in
the case of state-chartered credit unions, its applicable state
supervisory authority, as soon as possible when the credit
union becomes aware of an incident involving unauthorized
access to or use of sensitive member information?

64c Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing?
64d Appropriate steps to contain and control the incident to
prevent further unauthorized access to or use of member
information?
64e Notifying members when warranted?
64f Notification of affected members when the incident involves
unauthorized access to member information systems
maintained by a credit union’s service providers?

Does the member notice:
65a Provide information in a clear and conspicuous manner?
65b Describe the incident in general terms and the type of member
information that was the subject of unauthorized access or
use?
65c Describe what the credit union has done to protect the
members’ information from further unauthorized access?

65d Include a telephone number that members can call for further
information and assistance?
65e Remind members of the need to remain vigilant over the next
twelve to twenty-four months, and to promptly report
incidents of suspected identity theft to the credit union?

Does the member notice include the following when necessary:
66a A recommendation that the member review account
statements and immediately report any suspicious activity to
the credit union?
66b A description of fraud alerts and an explanation of how the
member may place a fraud alert in the member’s consumer
reports to put the member’s creditors on notice that the
member may be a victim of fraud?
66c A recommendation that the member periodically obtain credit
reports from each nationwide credit reporting agency and have
information relating to fraudulent transactions deleted?

66d An explanation of how the member may obtain a credit report free of charge?
66e Information about the availability of the FTC’s online
guidance regarding steps a consumer can take to protect
against identity theft?
67 Are member notices delivered in a manner designed to ensure
that a member can reasonably be expected to receive it?

Overall Questionnaire Comments:


IT Anti-Virus and Malware Protection


Scope: Review and determine whether the credit union utilizes anti-virus and malware protection; review policies and
procedures for managing the systems.
Resource: NIST Special Publication 800-53.
Question Yes/No/NA Comments
Core Review - 6 Questions
Malware Protection Controls
1 Are there policies and procedures in place that address
malware protection?
2 Is malware protection installed on all servers and workstations
in the credit union network?
3 Does the credit union use an automated process to update its
malware solution(s) on a regular basis?
3a If yes, is there a process to verify the updates were
successfully installed on all devices?
3b If no, is documentation adequate to show that updates have
been performed on each workstation and server?
4 Does the credit union utilize web filtering to prevent
employees from visiting dangerous websites?
5 Does the credit union allow remote access to the network
using laptops or other mobile devices?
5a If yes, does the credit union utilize a network access control
solution?
6 Do the credit union's incident response procedures address handling of malware infections?
Expanded Review - 13 Questions Yes/No/NA Comment
Server Protection
7 Are the virus software and update application located on a server or other appliance in the credit union network?
8 Do malware detection scans occur for servers at least weekly,
or more often for any servers identified as critical by the credit
union's risk assessment?
9 Is logging enabled to record detection and removal of malware
events?
10 Are network maintenance checklists utilized to document the
review of logs and security event notifications?
11 Is an Intrusion Detection or Prevention System (IDS/IPS) in
place to monitor critical servers and/or DMZ servers?
12 Are incoming e-mails scanned for questionable file
attachments?
13 Does the credit union use spam filtering software to reduce the
amount of unsolicited e-mails?
Workstation Protection
14 Are workstations properly secured to prevent employees from
disabling or modifying malware protection, security settings,
and automated operating system patches?
15 Do malware detection scans on workstations occur on an
acceptable periodic basis?
16 Are incoming e-mail attachments automatically scanned by
the desktop malware solution prior to download?
17 Are portable devices disabled or automatically scanned for
malware upon usage?
18 Does the credit union use pop-up blockers to eliminate/reduce
the amount of unsolicited pop-up advertisements on the
internet?
19 Does the credit union allow employees to connect to the
network using personal computers or mobile devices?
19a If yes, does the credit union limit this access to low-risk data
and applications?
Overall Questionnaire Comments:

IT - Audit Program
Scope: To determine whether Information Technology activities are subject to regular, independent review (internal
and/or external), and whether management is appropriately addressing significant matters resulting from such reviews.
Resources: FFIEC Information Security Handbook and NIST Special Publication 800-12, 800-53, 800-100.
Question Yes/No/NA Comments
Core Review - 8 Questions
Audit Program
1 Does the credit union have policies or procedures in place that
describe how and when independent reviews of IT related
areas will be performed?
2 Is adequate documentation of IT audits maintained?
3 Does the credit union have an internal audit department?
4 Is internal audit involved in auditing the IT area?
4a If no, are external resources used to perform audit of the IT
area?
4b If yes, does the audit staff receive adequate IT training?
5 Is the IT audit function independent and free from influence
by management and/or departments that it audits?
6 Does internal audit regularly report review activity and results
to the Supervisory Committee?
7 Are IT audit findings, summaries, and management responses
from independent assessments clearly communicated to
management and the board for risk mitigation?
8 Is a follow-up process in place to ensure that material findings
and weaknesses are corrected?
Expanded Review - 15 Questions Yes/No/NA
Policies and Procedures
9 Do policies or procedures address any of the following
external reviews:
9a External Vulnerability Assessment?
9b Penetration Testing? If yes, consider Pen Test Review
Questionnaire.
9c Assessment of IT department general controls?
9d IT Risk Assessment to include Part 748, Appendix A?
9e Security Assessment?
10 Does the internal audit program include a written audit plan
that includes the following reviews:
10a The risk assessment process?
10b Employee & vendor access levels to critical systems?
10c Employee compliance to IT & computer use policies?
10d The vendor management process?
10e Service Organization Control (SOC) reports and test whether
"Client Control Considerations" are properly implemented by
the applicable departments?
11 Does the policy address the frequency of testing?
Audit and Accountability - Technical
12 Does the credit union implement automated inspection of
auditable events on internal information systems?
13 Do audit records of the information system identify, at a
minimum:
13a What type of event occurred?
13b When the event occurred?
13c Where the event occurred?
13d The source of the event?
13e The success or failure of the event?
13f The identity of any user/subject associated with the event?
14 Are audit records stored?
15 How long are audit records stored?
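An examiner can test the six minimum fields of question 13 mechanically rather than by reading samples. The script below is an added example, not part of the AIRES questionnaire or any NCUA tool: it parses constructed key=value audit lines (the field names `event`, `ts`, `host`, `src`, `outcome` and `user` are assumed names chosen for the example) and reports, per record, which of 13a through 13f are missing or malformed.

```python
"""Audit-record completeness check (added example, not part of the AIRES
questionnaire). It reads constructed key=value audit lines and reports, per
record, which of the six minimum fields from question 13 are missing."""
import re
from datetime import datetime

# Field names are assumptions for the example; each maps to one sub-question of 13.
REQUIRED_FIELDS = {
    "event": "13a what type of event occurred",
    "ts": "13b when the event occurred",
    "host": "13c where the event occurred",
    "src": "13d the source of the event",
    "outcome": "13e success or failure",
    "user": "13f identity of the user/subject",
}

# Constructed sample records: one complete, one missing outcome and user,
# one whose timestamp cannot be parsed.
SAMPLE_LOG = """\
ts=2024-05-01T13:04:22Z host=coresrv01 src=10.0.5.17 user=jdoe event=login outcome=success
ts=2024-05-01T13:05:01Z host=coresrv01 src=10.0.5.17 event=config_change
ts=yesterday host=fw01 src=192.0.2.9 user=admin event=rule_add outcome=failure
"""

# key=value pairs; a value may be a quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_record(rec):
    """Return the list of problems for one record (an empty list means compliant)."""
    problems = [REQUIRED_FIELDS[f] for f in REQUIRED_FIELDS if f not in rec]
    if "ts" in rec:
        try:
            # A fixed UTC format keeps records from different hosts comparable (see question 20).
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("13b timestamp not in ISO-8601 UTC form")
    if rec.get("outcome") not in (None, "success", "failure"):
        problems.append("13e outcome must be success or failure")
    return problems


def audit_log_report(text):
    """Map line number -> list of problems for every non-empty line of the log."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            report[n] = check_record(parse_record(line))
    return report


if __name__ == "__main__":
    for n, probs in audit_log_report(SAMPLE_LOG).items():
        print(n, "OK" if not probs else "; ".join(probs))
```

Run it against an export from the system under review; a record that reports any problem is direct evidence for a "No" answer on the corresponding sub-question, and the line number points the examiner at the sample to cite.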
16 In the event a scheduled audit fails, are designated officials
notified?
17 Has the credit union designated appropriate staff to review and
analyze information system audit records?
18 Is a reporting function in place to disseminate audit findings
and corrective action by management (i.e. reports to the
Supervisory Committee and Board of Directors)?
19 Is the credit union generating automated audit record system
reports?
20 Does the credit union utilize a time protocol to synchronize
the time stamps across its network devices for audit records?
21 Are audit tools and records protected from unauthorized
access, modification, and deletion?
22 Are tools in place to prevent an individual from falsely
denying having performed a particular action? (i.e. digital
signatures, digital mail receipts)
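Questions 21 and 22 ask for two different properties, and the distinction matters when reviewing a vendor's answer. The block below is an added example (not from the questionnaire or any product) of the tamper-evidence side of question 21: each audit record carries an HMAC over its content and the previous record's tag, so editing or deleting an earlier record breaks verification from that point on, and an out-of-band copy of the latest tag also catches truncation of the tail. The key, the record contents and the field names are constructed for the example. An HMAC only proves that a holder of the shared key produced the chain; the non-repudiation of question 22 requires a per-user asymmetric signature, which this standard-library example does not provide.

```python
"""Tamper-evident audit trail (added example, not from the questionnaire).
Each entry stores an HMAC over its record and the previous entry's tag, so
modification or deletion of an earlier entry invalidates every later one."""
import copy
import hashlib
import hmac
import json

# Constructed key for the example; in practice it belongs to the log collector,
# not to the host whose actions are being recorded.
LOG_KEY = b"example-audit-key-not-for-production"
GENESIS = "genesis"  # tag assumed for the entry before the first one


def _tag(prev_tag, record):
    """HMAC-SHA256 over the previous tag and a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_record(chain, record):
    """Append a record to the chain (a list of {"rec", "tag"} dicts) and return its tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"rec": record, "tag": _tag(prev, record)}
    chain.append(entry)
    return entry["tag"]


def verify_chain(chain, head_tag=None):
    """Return the index of the first entry that fails, len(chain) if the chain has been
    truncated relative to head_tag, or -1 when everything verifies."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(prev, entry["rec"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    # Without an externally stored head tag, dropping entries from the end is undetectable.
    if head_tag is not None and not hmac.compare_digest(prev, head_tag):
        return len(chain)
    return -1


def build_sample_chain():
    """Three constructed records for one member's session."""
    chain = []
    for rec in (
        {"ts": "2024-05-01T13:04:22Z", "user": "jdoe", "event": "login", "outcome": "success"},
        {"ts": "2024-05-01T13:10:05Z", "user": "jdoe", "event": "wire_approve", "outcome": "success"},
        {"ts": "2024-05-01T13:12:40Z", "user": "jdoe", "event": "logout", "outcome": "success"},
    ):
        append_record(chain, rec)
    return chain


def tamper_demo():
    """Return where verification fails after (a) editing entry 1 and (b) deleting entry 1."""
    chain = build_sample_chain()
    edited = copy.deepcopy(chain)
    edited[1]["rec"]["user"] = "someone_else"   # rewrite who approved the wire
    deleted = chain[:1] + chain[2:]              # remove the wire approval altogether
    return verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain), "edited/deleted:", tamper_demo())
```

When reviewing a logging product, ask where the equivalent of `head_tag` is kept and who holds the key; a chain whose key sits on the same host as the log, or whose head is never copied elsewhere, only detects a careless attacker.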
23 Does the credit union monitor for leakage of organizational
information?
Overall Questionnaire Comments:

IT - Business Continuity Planning (BCP)
Scope: Determine if the Business Continuity Planning (BCP) meets the requirements of R&R Part 748 and 749.
Resources: FFIEC Business Continuity Planning Handbook, NCUA Rules and Regulations Part 749 Records Preservation
and Appendix B - Catastrophic Act Preparedness Guidelines, NIST 800-34, and NIST 800-53.
Question Yes/No/NA Comments
Core Review - 6 Questions
1 Has the credit union developed a program to prepare for a
catastrophic act? (RR 749 App. B)
2 Has the credit union performed a Business Impact Analysis
(BIA)? RR 749 (App. B (1))
3 Does the program incorporate a risk assessment to determine
critical systems and necessary resources? (RR 749 App. B (2))
4 Does the written plan address the following:
4a Person(s) with authority to enact the plan? (RR 749 App. B (3)
(i))
4b Preservation and ability to restore vital records? (RR 749 App.
B (3)(ii))
4c A method for restoring vital member services through
identification of alternate operating location(s) or mediums to
provide services, such as telephone centers, shared service
centers, agreements with other credit unions, or other
appropriate methods? (RR 749 App. B (3)(iii))
4d Communication methods for employees and members? (RR
749 App. B (3)(iv))
4e Notification of regulators via a Catastrophic Act Report? (RR
748.1(b) and RR 749 App. B (3)(v))
4f Training and documentation of training to ensure all employees
and volunteer officials are aware of procedures to follow in the
event of destruction of vital records or loss of vital member
services? (RR 749 App. B (3)(vi))
4g Testing procedures, including a means for documenting the
testing results? (RR 749 App. B (3)(vii))
5 Are internal controls in place for reviewing the plan at least
annually and for revising the plan as circumstances warrant?
(RR 749 App. B (4))
6 Is the Business Continuity Plan tested on an annual basis? (RR
749 App. B (5))
Expanded Review - 10 Questions Yes/No/NA Comment
Business Continuity Planning
7 Does the credit union's business continuity and/or disaster
recovery plan (BCP/DRP) address the timely recovery of its IT
functions in the event of a disaster?
7a Is the BCP/DRP appropriate for the size and complexity of the
credit union?
8 Does the contingency plan for information systems address the
following:
8a Essential missions and business functions and associated
contingency requirements?
8b Recovery time objectives, restoration priorities, and metrics?
8c Contingency roles, responsibilities, and contact information for
personnel that support the plan?
8d Maintaining essential missions and business functions despite
an information system disruption, compromise, or failure?
8e Eventual, full information system restoration without
deterioration of the security measures originally planned and
implemented?
8f Review and approval by designated officials within the
organization?
8g Revisions to address changes to the organization, information
system, or environment of operation?
8h Problems encountered during contingency plan implementation,
execution, or testing?
9 Has credit union management:
9a Established an alternate storage site including necessary
agreements to permit the storage and recovery of information
system backups? (RR 749.3)
9b Ensured equipment and supplies required to resume operations
are available at the alternate site or contracts are in place to
support delivery to the site in time to support the organization-defined
time period for resumption?
10 Has the organization established alternate telecommunications
services including necessary agreements to permit the
resumption of information system operations for essential
missions and business functions when the primary
telecommunications capabilities are unavailable?
Backup And Recovery
11 Has management established appropriate backup policies and
procedures to ensure the timely restoration of critical services?
12 Does management periodically test backup and retention of data
as well as the erasure and release of media when retention is no
longer required?
13 Are updated hardware and software inventories maintained,
including version numbers for software?
Backup Power
14 Does the credit union have adequate uninterruptible power
supply (UPS) protection to perform an orderly systems
shutdown in case of power loss?
15 Has management ensured that critical systems are connected to
a backup power source?
16 Are backup power sources periodically tested?
Overall Questionnaire Comments:

IT - Electronic Banking
IT - Electronic Banking
Scope: To determine whether adequate controls are in place for the credit union to safely deliver electronic banking through multiple
channels such as Internet, mobile devices, and telephone banking.
Resources Used: FFIEC E-banking Booklet, LTCU 05-CU-18 Guidance for Authentication in Internet Banking Environment, LTCU
06-CU-13 Authentication for Internet Based Services, LTCU 11-CU-09 Supplement to Authentication in an Internet Banking
Environment, LTCU 02-CU-17 E-commerce Guide for Credit Unions.
Question Yes/No/NA Comments
Core Review - 12 Questions
Critical E-Banking Controls
1 Has the board approved each electronic banking product or
service offered?
2 Is the credit union utilizing an external vendor to provide the
electronic banking services?
2a If yes, has appropriate due diligence been performed on the
third party electronic banking provider?
3 Does management review external audits or reviews relating
to their electronic banking service?
4 Has management performed a risk assessment to address the
risk of each electronic banking service provided?
5 Has management evaluated E-banking solutions for
compliance with FFIEC authentication guidance?
6 Are appropriate controls in place for personnel with electronic
banking duties (manage/access the system)?
7 Does management adequately monitor system reports for
suspicious or unauthorized access?
8 Do policies, procedures, and/or practices for User IDs and
passwords for E-banking systems address:
8a Strong password selection?
8b Do user names and passwords for electronic payment systems
avoid use of account numbers or personal identifiers such as
social security numbers?
8c Is there a secure process for opening new E-banking accounts?
8d Maximum number of bad login attempts before locking out
members?
8e Procedures to reauthorize members who are locked out of their
accounts?
8f Require members to change their password the first time they
access the account and after being unlocked/reset?
9 Do electronic banking sessions time out after periods of user
inactivity?
10 Does the electronic banking system have reasonable
transaction limits consistent with normal usage?
11 Do E-banking solutions have alerting features that notify
members when transactions of elevated risk occur?
12 Are inactive accounts disabled or purged after a defined
number of days?
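Questions 8a through 8f, 9 and 12 describe one set of interacting account controls, and the way they interact (an unlock that does not force a password change, a dormant account that can still be logged into) is where reviews usually find gaps. The module below is an added example, not code from the questionnaire or from any e-banking vendor, that models those controls together: password strength with no account number, SSN or username inside it (8a/8b), lockout after too many failures (8d), reauthorization that forces a password change (8e/8f), a forced change on first login (8f), idle-session expiry (9) and disabling of dormant accounts (12). The thresholds and the class and function names are assumptions chosen for the example.

```python
"""Member-login controls for an e-banking platform (added example; not code
from the questionnaire or any vendor). Thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILED_LOGINS = 5                       # 8d: lock on the fifth bad attempt
SESSION_IDLE_LIMIT = timedelta(minutes=10)  # 9: idle time before a session ends
DORMANT_AFTER = timedelta(days=180)         # 12: inactive accounts are disabled
MIN_PASSWORD_LEN = 12                       # 8a


def password_problems(pw: str, account_number: str, ssn: str, username: str) -> List[str]:
    """8a/8b: reasons the password is unacceptable; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LEN)
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    # 8b: reject passwords built from identifiers the member (or an attacker) already knows.
    normalized = pw.lower().replace("-", "")
    for label, ident in (("account number", account_number), ("SSN", ssn), ("username", username)):
        if ident and ident.lower().replace("-", "") in normalized:
            problems.append("contains the member's " + label)
    return problems


@dataclass
class MemberLogin:
    username: str
    password: str                       # plaintext only for the example; store a salted hash in practice
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = True   # 8f: the first login forces a change
    last_activity: Optional[datetime] = None
    disabled: bool = False

    def attempt_login(self, password: str, now: datetime) -> str:
        """Return 'disabled', 'locked', 'bad_password', 'change_password' or 'ok'."""
        if self.disabled:
            return "disabled"
        if self.last_activity and now - self.last_activity > DORMANT_AFTER:
            self.disabled = True        # 12: a dormant account is disabled, not silently reactivated
            return "disabled"
        if self.locked:
            return "locked"             # 8d: locked accounts reject even the correct password
        if password != self.password:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_LOGINS:
                self.locked = True
            return "locked" if self.locked else "bad_password"
        self.failed_attempts = 0
        self.last_activity = now
        return "change_password" if self.must_change_password else "ok"

    def reauthorize(self) -> None:
        """8e/8f: staff unlock after verifying identity; the next login must set a new password."""
        self.locked = False
        self.failed_attempts = 0
        self.must_change_password = True

    def change_password(self, new_pw: str, account_number: str, ssn: str) -> List[str]:
        """Apply the new password only if it passes the 8a/8b checks; return any problems."""
        problems = password_problems(new_pw, account_number, ssn, self.username)
        if not problems:
            self.password = new_pw
            self.must_change_password = False
        return problems


def session_expired(last_activity: datetime, now: datetime) -> bool:
    """9: a session whose last request is older than the idle limit is terminated."""
    return now - last_activity > SESSION_IDLE_LIMIT
```

The walk-through an examiner would want from the vendor is the same sequence: five bad attempts lock the account, the correct password no longer works while locked, an unlock leads straight to a forced password change, and a password containing the account number is refused at that change.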
Expanded Review Yes/No/NA Comments
FFIEC Authentication Guidance
13 Does the credit union have a documented risk assessment
process for all electronic banking services covered by the 2005
FFIEC Authentication Guidance & 2011 Supplement?
14 Does management update the risk assessment at least
annually?
15 Does the risk assessment process address new electronic
banking services prior to implementation?
16 Has management developed a written action plan that includes
a timeline to address any weaknesses identified in existing
electronic banking controls?
17 Does management have documentation to support that it is
working with any applicable technology service providers to
implement the action plan for compliance?
18 Has the credit union implemented appropriate authentication
solution(s) to protect member accounts consistent with LTCUs
05-CU-18 & 11-CU-09?
19 Is the authentication solution required for all member
accounts?
20 Are any identified high-risk accounts and/or transactions
protected by layered security controls?
21 Do layered security controls include anomaly detection and
response:
21a At initial login?
21b At initiation of funds transfers to external parties?
22 Does the fraud detection and monitoring system consider
customer history and behavior to enable a timely and effective
response by the credit union?
23 Is there a monitoring process for account maintenance
activities?
24 Do layered security controls include simple device
identification and/or basic challenge questions?
25 Has management considered the additional layered controls
outlined in the Supplemental Guidance?
26 Does the electronic banking system utilize challenge questions
as part of the authentication solution? If no, skip questions 26
a&b.
26a Has management reviewed the challenge questions and
implemented sophisticated challenge questions?
26b Does the solution refrain from exposing all challenge
questions at the same session?
27 Does the electronic banking system utilize device
identification? If no, skip questions 27 a&b.
27a Does the device authentication solution utilize cookies not
susceptible to copying?
27b Does the device authentication solution create a complex
digital “fingerprint” by looking at a number of characteristics?
28 Does the credit union have in place a member awareness
program to educate members against fraud and identity theft?
29 Does the credit union offer commercial deposit accounts? If
not, skip the remainder of this section; the FFIEC
authentication review is complete.
30 Do commercial accounts include a multifactor authentication
solution?
31 Has management considered the layered controls outlined in
the Supplement's appendix?
32 Do commercial accounts controls include multiple user
account profiles?
32a If yes, do transaction audit logs identify the user account
which performed the transaction?
Mobile Banking
33 Does the credit union provide mobile banking services to
members? If no, skip this section.
34 Has management performed a documented risk assessment
prior to implementing the mobile banking service(s) offered?
35 Is there an authentication solution in place to address FFIEC
authentication guidance?
36 If no, has management limited functionality of the system
and/or implemented other compensating controls?
37 Has management updated the customer awareness program to
address mobile banking threats?
37a Is the mobile banking provided via an application downloaded
to a cell phone or PDA? If No, proceed to question 44.
38 If there is a rating or review associated with the application, is
management monitoring and addressing negative comments?
39 Is the vendor conducting code reviews (formal or lightweight)
to address quality and potential security vulnerabilities?
40 Does the application allow the user to save their user name
and password in the application for automatic login?
41 If yes, is the user provided notice acknowledging the risk of
storing login credentials?
42 Does the credit union offer an alternate website and/or
electronic banking page formatted for mobile devices?
43 If yes, is the mobile site hosted by the same third party hosting
the regular site?
Online or Mobile Deposits
44 Does the credit union provide members the ability to make
deposits using online banking or a mobile device? If no, skip
this section.
45 Have disclosures been provided to members to identify the
terms for using the service?
46 Have daily and monthly transaction and dollar limits been put
in place?
46a Has management established criteria to grant and remove
member access for use of the service?
47 If yes, is the access controlled by the system or service,
without employee involvement?
48 Do credit union systems have the ability to identify duplicate
deposit submissions?
Bill Pay Controls
49 Does the credit union provide bill payment services to
members? If no, skip this section.
50 Does the credit union have a written Bill Pay Procedure
Manual that provides guidance to employees?
51 Has management reviewed and adjusted the default bill pay
limits?
52 Do members have to submit a request to be enrolled?
53 Do members receive a Bill Pay Agreement which details their
responsibilities and rights for using the system and all required
consumer compliance disclosures?
53a Is access to the bill pay solution provided to the member after
they sign-in to the online banking?
54 If no, does the bill pay vendor's sign-in process meet required
authentication standards?
55 Are bill pay transactions reviewed and reconciled daily?
E-Statements
56 Does the credit union offer E-Statements? If no skip this
section.
57 Do members have to submit a request to be enrolled?
58 Is the email address provided by the member validated to
complete the enrollment process for e-statements?
59 Are members notified by e-mail that e-statements are available
for review?
60 Do members receive an agreement which details their
responsibilities and rights for using the system and all required
consumer compliance disclosures?
Account Aggregation Controls
61 Does the credit union offer account aggregation services to
members? If no, skip this section.
62 Is the account aggregation service provided by a third party
vendor?
62a Is there a contract in place with the account aggregation
providers which addresses:
62b Liability of the credit union and provider?
62c Statement processor will remain in compliance with legal and
regulatory requirements?
62d The authentication and verification process?
63 Do members have to submit a request to be enrolled?
64 Do members receive an account aggregation agreement which
details their responsibilities and rights for using the service
and all required consumer compliance disclosures?
65 Has the credit union addressed security on the connection
between the credit union and the internet banking vendor?
CU Hosted Internet Banking
66 Does the credit union host the internet banking application
internally? If no, skip this section.
67 Is the application hosted on a server in a Demilitarized Zone
(DMZ)?
68 Are there design controls in place which construct and test
changes to the software in a test setting?
69 Have unnecessary services on the web server been disabled
and appropriate controls implemented?
70 Does the credit union obtain penetration tests and regular
security scans of the Internet Banking network?
71 Are login pages for Home Banking/Bill Pay SSL encrypted?
Additional Internet Banking Controls
72 Does the credit union accept new members through the
Internet or other electronic channels?
73 Does management have a process to monitor electronic
banking usage and performance?
74 Are member account numbers masked on web pages?
75 Does the webpage display the date and time of the last good
and bad log-in attempts to the account?
76 Are internet banking passwords maintained at the credit
union?
77 If yes, are passwords encrypted?
78 If yes, is access to password files controlled?
79 Has the credit union registered similar domain names
including formal names and acronyms, as well as different
neighborhoods (suffixes) such as “.com,” “.org,” “.net,”
“.coop,” etc. to avoid confusion and prevent fraud?
80 Can members change their contact information or other
critical information via internet banking?
81 If yes, does the credit union contact the member using both the
old and new contact information to verify the information
changed via internet banking was performed by the member?
82 Does the website display a warning against unauthorized
access to internet banking?
83 Are invalid login attempts logged?
Employee Access Controls
84 Are policies and procedures documented to provide employees
with guidance?
85 Does management maintain a complete list of employees who
access or manage the system and the duties each performs?
86 Are appropriate controls in place for personnel with electronic
banking duties (manage/access the system)?
87 Is administrative access limited to those employees who need
access based upon their job description?
88 Are employee privileges only granted for functions that match
their job duties?
89 Are strong passwords required for E-banking administrative
platforms?
90 Does each user of E-banking administrative platforms have
unique credentials (i.e. no shared user IDs or passwords)?
91 Are administrative logs reviewed by a supervisor and audited
periodically?
Overall Questionnaire Comments:

IT - Networks
Scope: To review the operational controls and policies in place to secure the network infrastructure.
Resources: NIST Special Publication 800-53, Consensus Audit Guidelines, FFIEC Information Security Booklet.
Questions Yes/No/NA Comment
Core Review - 14 Questions
Critical Network Security Controls
1 Are there written network password policies and/or
procedures? If yes, do they address the following:
1a The expiration period for system passwords?
1b Password length and composition?
1c Additional controls on administrator passwords?
2 Are user accounts disabled for employees who have left the
organization or change job responsibilities?
3 Do contingency measures exist to provide management access
in the event the system administrator is not available?
4 Does the credit union have an up-to-date network topology
(diagram) available for review?
5 Does the credit union network contain any servers that
communicate directly with the Internet? If yes:
5a Are these servers segmented from the internal network in a
DMZ?
5b Are DMZ servers monitored via Intrusion Detection or
Prevention Systems (IDS/IPS)?
6 Does the credit union maintain an asset inventory of all
computer systems connected to the network and the network
devices themselves?
7 Does the credit union have a logging policy?
8 Does the credit union utilize web filtering for employee
Internet access?
9 Are user workstations locked down to prevent installation of
unauthorized software and hardware? (e.g. no local
administrator access for default user profile?)
10 Are employees allowed to connect to the network using
personally-owned computers?
11 Does the credit union have formalized patch management
procedures for network devices (workstations, servers,
security appliances, routers, etc.?)
12 Does the credit union obtain periodic network vulnerability
assessments?
13 Is a Data Leakage Protection (DLP) solution in place on the
network?
14 Are critical daily/periodic network security and continuity
tasks documented and supported with operating checklists?
Expanded Review - 21 Questions Yes/No/NA Comment
General
15 Does the credit union have a formal written policy or
methodology to guide how networked applications are
approved, prioritized, acquired, developed, and maintained?
16 When new programs or services are under consideration, are
they approved by the following prior to implementation:
16a Board of Directors
16b Security Officer
16c IT department
17 Is there a schedule for equipment maintenance or
replacement?
18 Are there policies and procedures in place to ensure adequate
management reporting of problems and resolution?

Network Architecture/Design
19 Is a detailed listing of critical computer equipment and
programs maintained?
20 Has management identified and reviewed network
infrastructure access points and associated risks and
vulnerabilities?
22 Are policies, procedures, and practices in place describing
how the network components (such as network servers, web
servers, transaction servers, application and content servers,
and electronic mail servers) are configured to ensure adequate
security?
23 Are the network services segregated to ensure data integrity
and security (for example, web services and e-mail services
should not be on the same server)?
24 For each network component, does the credit union maintain a
current inventory of the components' specifications (such as
type of server, the operating system, required software,
software version, and the last updates installed)?

25 Does the credit union have written configuration policies and


configuration checklists for servers, PCs, firewalls, routers,
etc.
26 Do the configuration policies and procedures address the
following:
26a Enabling and monitoring error logs and system auditing
functions?
26b Configuring components based upon the security required for
the applications installed?
26c Removing or disabling unnecessary network and operating
system services?
26d Implementing the necessary logical access controls?
27 Does the credit union have a process in place to address
replacing components on a periodic basis or when necessary?

Patch/Change Management
28 Does the credit union have written change management
procedures that address management approval, scheduled
upgrades, testing, and implementation?
29 Does the change control documentation provide adequate
audit trails, logs and support for all types of software
modifications?
30 Are there policies and procedures in place to handle
emergency and temporary software fixes as well as new
releases or upgrades?
31 Are policies, procedures, and practices in place to allow the
credit union to restore its previous software versions in the
event a software modification adversely affects one or more
systems?
32 Are policies, procedures, and practices in place to maintain
compatibility throughout the credit union's system
environment?
33 Is there a specific test environment set up, separate from the
production environment to allow for testing patches and
updates without destroying or damaging critical data?

Network Monitoring
34 Do the credit union's policies and procedures establish
network infrastructure performance standards for the
following areas:
34a Target throughput parameters?
34b Hardware monitoring procedures?
34c Transaction volume, response times, and bandwidth
availability vs. bandwidth capacity?
34d System uptime?
35 Does management use automated network system monitoring
tools?
Overall Questionnaire Comments:

IT - Policy Checklist
Objective: Provide a general list of subjects normally covered in effective IT policies to assist in the
examiner's review and evaluation of credit union IT policies.
Section A: General IT Policies
1 Information security program (risk assessments, tests of controls, training, board reports)
2 Designated security officer responsible for ensuring compliance (Appendix A, RR 748)
3 Physical access controls and environmental controls for the data center
4 System, network, e-mail, and database administration
5 Firewall, router, and server security management
6 Monitoring and backup of firewall and intrusion detection logs
7 Wireless communication
8 System access levels and administrative authorities granted by duty position
9 Password administration for critical systems (network & EDP system logon, home banking)
10 Use of encryption to protect sensitive data
11 Use of modems (these can undermine firewall protection if not properly managed)
12 Remote access for vendors and employees, if applicable
13 Frequency of system patches and updates, logs maintained
14 Virus protection and updates
15 Vulnerability scanning and penetration tests
16 Regulatory compliance of website content, e-forms, e-statements, applications, etc.
17 Vendor management (Procurement, Contract Reviews, Service Level Agreements, Due Diligence Reviews,
Vulnerability Scans, SAS 70s, Business Continuity Tests, etc.)
18 Problem resolution and member service
19 Backup & recovery procedures
20 Testing of business continuity and disaster recovery plans
21 Procedures for disposal of hardware, software, and documents containing sensitive information
Section B: Personnel Policies
22 Acceptable usage of Internet, e-mail, and social media
23 Mobile device usage
24 No expectation of privacy
25 Installation of personal software
26 Prohibited use of e-mail for sending private/confidential information
27 Disciplinary actions to be taken for non-compliance
28 Password protection
29 Information systems security awareness
30 Code of ethics/fraud policy
31 Procedures for removal of systems access upon termination of employment
32 Acknowledgement form(s) to be signed by employees annually
33 Evidence of periodic monitoring of compliance
Section C: IT Security Incident Response Policy
34 Definition of a security incident
35 Containment procedures (isolate, do not use compromised systems)
36 Preservation of evidence (make 2 copies of the hard drive of the compromised system)
37 Contact persons to notify (including FBI or local law enforcement)
38 A formal reporting process (notifying senior management, filing suspicious activity reports)


IT - Firewalls
Scope: Determine whether the firewall environment has been designed to adequately support the network infrastructure
and whether day-to-day operations promote the integrity of the firewalls in place.
Resources used: NIST SP 800 - 41, Consensus Audit Guidelines, World Bank Technology Risk Checklist.
Question Yes/No/NA Comment
Core Review- 14 Questions
1 Does management have a formal, documented firewall
configuration management policy that addresses the
following:
1a Purpose
1b Scope
1c Roles
1d Responsibilities
1e Management commitment
1f Coordination among organizational entities
1g Compliance
2 Does the firewall administrator receive adequate training?
3 Does the credit union have a comprehensive list of what
should be allowed/disallowed through the firewall?
4 Is the firewall located in a controlled access area?
5 Is the firewall(s) secured against unauthorized access from the
Internet, Extranet and Intranet users?
6 Are inner firewalls placed around all critical, financial and
transactional systems?
7 Can the firewall be accessed by a secondary IT Committee
member or assigned staff member in an emergency?

8 Do you place firewalls at all sub-network boundaries where
policies differ between the connecting sub-networks?
9 Does the credit union maintain an inventory of all firewalls in
use?
10 Are firewall configuration changes properly documented,
reviewed, and approved?
11 Is adequate documentation maintained to support the specific
business reason for each firewall rule?
12 Has the firewall been tested to ensure that it would fail closed?
13 Are internally hosted web services protected by firewalls that
inspect all traffic for common web application attacks?
14 Are firewall rules reviewed periodically to determine whether
they are still required from a business perspective?

Expanded Review - 40 Questions Yes/No/NA Comment


Firewall Security & Maintenance
15 Does the firewall system enforce approved authorizations for
logical access to the system in accordance with applicable
policy (policy reviewed above)

16 Does Management configure the firewall to provide only
essential capabilities and specifically prohibits or restricts the
use of management identified functions, ports, protocols,
and/or services such as:
16a IP spoofing attacks?
16b Denial of Service attacks?
16c Programs like finger, whois, tracert and nslookup?
17 Is there a default deny rule?
18 Is the firewall operating system updated regularly?
19 Is the firewall system(s) appropriately configured to protect
the confidentiality and integrity of information at rest, i.e. rule
sets?
20 Is the firewall rule change control process automated?
21 Does the credit union have an automated monitoring system
that provides real-time alerts about firewall configuration
changes?
22 Does the credit union use automated tools to evaluate the
firewall rule set for errors or conflicts after making significant
changes?
23 Do assigned individuals monitor events on the information
system in accordance with Management's organization-defined
monitoring objectives and detect information system attacks?
24 Are automated alerts in place?
25 Are alerts sent to a Security Information and Event
Management (SIEM) system?
26 Are firewall logs reviewed?
27 Is the log review conducted at least each business day?
28 Are the firewall logs maintained for a specified period of
time?
29 Are firewall logs backed up?
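The following is an added worked example, not part of the NCUA questionnaire and not any vendor's tooling, of the kind of automated rule-set check that questions 11, 17 and 22 ask about. It parses a small, constructed rule list written in an assumed simplified first-match syntax, confirms that a final default-deny rule is present, flags rules that an earlier rule already covers (so they can never match), and lists rules with no recorded business reason.

```python
"""Firewall rule-set review helper (questions 11, 17 and 22).

Added example for this questionnaire; it is not an NCUA tool and not a
vendor's API. The rule syntax is an assumed, simplified first-match
format: "<number> <permit|deny> <proto> <src cidr|any> <dst cidr|any>
<dport|any> [# business reason]".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # destination port or "any"
    reason: str   # documented business justification (question 11)


# Constructed sample rule set; rule 40 is deliberately both undocumented
# and unreachable because rule 30 already matches everything it would.
SAMPLE_RULES = """
10 permit tcp any 203.0.113.10/32 443 # member web portal
20 deny tcp any 203.0.113.10/32 22 # no SSH to the portal from outside
30 permit tcp 198.51.100.0/24 192.0.2.0/24 any # branch office to core
40 permit tcp 198.51.100.7/32 192.0.2.5/32 1433
50 deny any any any any # default deny (question 17)
"""


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        body, _, reason = line.partition("#")
        fields = body.split()
        if len(fields) != 6:
            raise ValueError(f"malformed rule: {line!r}")
        num, action, proto, src, dst, port = fields
        rules.append(Rule(int(num), action, proto, src, dst, port, reason.strip()))
    return rules


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is already matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and (outer.port == "any" or outer.port == inner.port)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))


def has_default_deny(rules: List[Rule]) -> bool:
    """Question 17: the final rule must deny everything not explicitly permitted."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and (last.proto, last.src, last.dst, last.port) == ("any",) * 4


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Question 22: rules that can never match because an earlier rule covers them.
    Returns (shadowed rule number, covering rule number) pairs."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.number, earlier.number))
                break
    return findings


def undocumented_rules(rules: List[Rule]) -> List[int]:
    """Question 11: rules with no recorded business reason."""
    return [r.number for r in rules if not r.reason]


if __name__ == "__main__":
    rs = parse_rules(SAMPLE_RULES)
    print("default deny present:", has_default_deny(rs))
    print("shadowed rules:", shadowed_rules(rs))
    print("undocumented rules:", undocumented_rules(rs))
```

First-match evaluation is assumed; a firewall that orders rules differently needs the shadowing test adapted to that engine. A shadowed rule is reported even when its action matches the covering rule, because either way the rule set no longer reflects the documented intent and should be cleaned up at the next review.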
Firewall Business Continuity
30 Has Management obtained maintenance support and/or spare
parts for firewalls within a Management defined time period
of failure?
31 Can the firewall be quickly reconfigured from backups (e.g.,
to restore a previous configuration)?
32 Is backup recovery of the firewall tested at least annually?

33 Is the firewall on an Uninterruptible Power Supply (UPS)?
34 Does management revise the firewall's dynamic configuration
policies as part of its incident response actions?
35 Is the firewall backed up?
36 Are backups safeguarded?
37 Has Management tested the firewall recovery using a firewall
backup?

38 Is automatic failover enabled?
Firewall Security Assessment
39 Are vulnerability assessments periodically run on the firewall
to identify open ports and services?
40 Did the last assessment result in a favorable rating?
41 Does management take corrective action on the
recommendations from the assessments?
42 Are external penetration tests attempted after major system
updates?
43 Is there an audit trail of who accesses the firewall
administrative accounts?
44 Are firewall rules, policies, and procedures reviewed at least
annually by a qualified auditor?
45 Is each rule documented sufficiently to allow for review by a
qualified auditor?
46 Is there an audit trail of changes made during the past year?

Firewall Vendor Management
47 Do non-corporate personnel or vendors access the firewall? If
no, skip this section.
48 If so, have contracts with this vendor been reviewed by
corporate legal personnel?
49 Does Management document, for each connection, the
interface characteristics, security requirements, and the
nature of the information communicated with third party
vendors?
50 Does Management authorize connections from the information
system via the firewall to other information systems outside of
the credit union's authorization boundary (network) through
the use of appropriate contractual agreements?
51 Do access control limits restrict access to specific static
external IP addresses in the case of remote vendor support?
52 Is access limited to only the firewall? If the vendor has other
access, please indicate.
53 Is all access by encrypted channel (e.g., SSH)? Exception:
terminals directly connected to the firewall do not require an
encrypted channel.
54 If the firewall product uses a remote management architecture
(e.g., Checkpoint management module and firewall module),
are the controls adequate?
Overall Questionnaire Comments:


IT - IDS / IPS
Scope: Evaluate whether the credit union is adequately securing and monitoring its network environment with an
Intrusion Detection System and/or Intrusion Prevention System to detect potentially harmful network activity.
Resources: NCUA Rules and Regulations Part 748, Appendix A, National Institute of Standards and Technology (NIST)
Special Publication 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems and NIST Special Publication,
800-61, Incident Response.
Question Yes/No/NA Comment
Core Review - 8 Questions
1 Does management have a formal, documented IDS/IPS
management policy that addresses:
1a Risk assessment?
1b Access control?
1c Change management/updates?
1d Log management?
1e Escalation procedures?
2 Is the number and location of the IDS/IPS sensors
appropriate?
3 Is the management of your IDS/IPS outsourced?
4 Is the IDS/IPS system updated on a regular basis?
4a If yes, how often?
5 Are the IDS/IPS reports reviewed periodically by an
employee?
6 How often are reports received and reviewed by an employee?
7 Is the review process documented?
8 Is the rule configuration process documented in a procedure?
Expanded Review - 42 Questions Yes/No/NA Comment


IDS/IPS - Appliance Characteristics
9 What type of intrusion detection/prevention system(s)
(IDS/IPS) are used?
9a Network-based
9b Host-based
10 What IDS/IPS design type is being used?
10a Signature
10b Anomaly
10c Hybrid
11 Does the network diagram accurately show the placement of
the IDS/IPS sensors?
Access Control
12 Is access to the IDS/IPS system limited to appropriate staff
(vendor or credit union employee)?
13 Can the IDS/IPS be accessed by a secondary IT staff member,
or a designated backup staff member in an emergency?

14 Is the IDS/IPS system located in a physically secure location?
Configuration Management
15 Are the IDS/IPS configuration processes in line with the
policies and procedures?

16 Is there a separation of duties between those who configure the
IDS and those who monitor the IDS?
17 Is the IDS/IPS operating system updated regularly?
18 Does Management ensure the IDS/IPS system maintains an
up-to-date list of attack signatures?
Alerts and Monitoring
19 Are automated, real time alerts in place?
20 Are alerts sent to a centralized logging system?
20a Are alerts parsed using an automated system?
20b How long are the IDS/IPS logs maintained?
21 Are IDS/IPS logs backed up?
22 Is a review of the IDS/IPS alert logs performed daily?
22a If no, how often is the review completed?
23 Is a qualified individual responsible for the regular monitoring
of network traffic for potential intrusions?
Host Based System - Alerts and Monitoring
24 Does the system monitor changes in identified critical
operating system files?
25 Does the system monitor changes in the identified application
files?
26 Does the system monitor administrator activity on critical
servers?
27 Is there separation of duties between server system
administrators and IDS administrators?
Incident Response
28 Does management include dynamic reconfiguration of the
IDS/IPS as part of the incident response capability?
29 Do intrusion detection policies and procedures address
escalation procedures?
30 Do policies and procedures address how and when to notify an
appropriate individual to determine the need to file a
Suspicious Activity Report?
31 Are documented escalation procedures in place based on the
threat-level?
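An added worked example, not part of the NCUA questionnaire, of what the daily alert log review in question 22 and the threat-level escalation procedures in question 31 can look like in practice. The input is the Snort/Suricata "fast" alert line format; the alert lines, rule SIDs, addresses and the escalation policy mapping below are constructed for illustration and are not taken from any real deployment.

```python
"""Daily IDS/IPS alert review with threat-level escalation (questions 22 and 31).

Added example for this questionnaire; not an NCUA tool. The input is the
Snort/Suricata "fast" alert line format; the alert lines, rule SIDs and
the escalation policy below are constructed assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample for one business day (local-rule SIDs, documentation-range addresses).
SAMPLE_ALERTS = """
01/15-08:02:11.412335  [**] [1:1000001:2] LOCAL WEB suspicious response from portal [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
01/15-08:02:14.901220  [**] [1:1000002:1] LOCAL SCAN inbound probe to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:44112 -> 192.0.2.5:1433
01/15-08:03:40.000187  [**] [1:1000003:1] LOCAL MALWARE workstation callback to known bad host [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.44:49211 -> 198.51.100.200:443
01/15-09:15:02.771009  [**] [1:1000002:1] LOCAL SCAN inbound probe to database port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:44113 -> 192.0.2.5:1433
01/15-11:40:57.310044  [**] [1:1000004:1] LOCAL ICMP echo request from external host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.1
"""

# Assumed escalation policy keyed by IDS priority (1 = most severe).
ESCALATION_POLICY = {
    1: "immediate: notify incident response lead",
    2: "same business day: analyst review",
    3: "log only: include in weekly trend report",
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    sid: int
    message: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.strip().splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # a production tool should count and report unparsed lines
        alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], int(m["pri"]),
                            m["proto"], m["src"], m["dst"]))
    return alerts


def counts_by_priority(alerts: List[Alert]) -> Dict[int, int]:
    """Headline figures for the daily review record (question 22)."""
    return dict(sorted(Counter(a.priority for a in alerts).items()))


def repeat_sources(alerts: List[Alert], threshold: int = 2) -> List[str]:
    """Sources seen at least `threshold` times; repeated probing merits follow-up."""
    counts = Counter(a.src for a in alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)


def escalation_queue(alerts: List[Alert], policy=ESCALATION_POLICY) -> Dict[str, List[Alert]]:
    """Group alerts by the action the threat-level policy requires (question 31)."""
    queue: Dict[str, List[Alert]] = {}
    for a in alerts:
        action = policy.get(a.priority, "review: priority not in policy")
        queue.setdefault(action, []).append(a)
    return queue


if __name__ == "__main__":
    day = parse_alerts(SAMPLE_ALERTS)
    print("alerts by priority:", counts_by_priority(day))
    print("repeat sources:", repeat_sources(day))
    for action, items in escalation_queue(day).items():
        print(action, [(a.sid, a.src, a.dst) for a in items])
```

The priority-to-action table is the part an examiner would expect to find written down in the escalation procedure; the script only makes that mapping mechanical and leaves a record of what was reviewed and when. Unparsed lines are skipped here, but a reviewer's tool should count them, since a silently dropped alert defeats the purpose of the daily review.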
Custom Signatures
32 Does management deploy custom signatures; if no, skip this
section.
33 Is third party or credit union staff trained to add custom
signatures?
34 Are custom signatures approved by management prior to
implementation?
35 Is documentation retained for the approval and change
process?
36 Are custom signatures verified by an independent party and is
documentation retained of the verification?
Business Continuity

37 Can the IDS/IPS be quickly reconfigured from backups (e.g.,
to restore a previous configuration)?
38 Is backup recovery of the IDS/IPS tested at least annually?
39 Does Management obtain maintenance support for IDS/IPS
appliances within a defined time period of failure?
Security Assessment - Testing


40 Are external penetration tests attempted after a major system
update?
41 Are external penetration tests conducted periodically?
41a Did the last test result in a favorable rating?
41b Did management take corrective action on the
recommendations from the penetration test results?
42 Is there an audit trail of who accesses the IDS/IPS
administrative accounts?
43 Are IDS/IPS signatures, policies, and procedures reviewed at
least annually by a qualified auditor?
44 Is each signature documented sufficiently to allow for review
by a qualified auditor?
45 Is there an audit trail of configuration changes made during
the past year?
IDS/IPS - Vendor Management
46 Do non-corporate personnel or vendors access the IDS/IPS? If
no, skip this section
47 If so, have contracts with this vendor been reviewed by
corporate legal personnel?
48 Do access control limits restrict access to specific static
external IP addresses in the case of remote vendor support?
49 Is remote access limited to only the IDS/IPS?
49a If no, please describe.
50 Is all access by encrypted channel (e.g., SSH)? Exception:
terminals directly connected to the IDS do not require an
encrypted channel.
Overall Questionnaire Comments:


IT Penetration Test Review


Scope: (1) Determine if management has appropriately contracted for a penetration test; (2) determine if the test report is
adequate; (3) determine the scope of the penetration test.
Reference: NCUA Rules and Regulations Part 748, Appendix A.
Question Yes/No/NA Comment
Core Review - 7 Questions
Penetration Test Agreement/Scope
1 Does the Penetration Test agreement indicate:
1a All compromised systems, if applicable, are restored to their
initial configurations, if possible?
1b All files, tools, and other data left behind by the exercise is
removed to the greatest extent possible?
2 Does the scope establish a clear and explicit test plan?
3 Does the scope identify:
3a Specific domain names
3b Network address range/s
3c Individual hosts
3d Particular applications
3e Third parties
3f Appliances/servers (routers, switches, mail servers, DNS
servers)
3g Test or production environments
4 Does the agreement identify systems not to be tested?
5 Does the Penetration Test agreement include Client Support to
assist with any identified issues, mitigation strategies or
vulnerability elimination steps contained in the report?

Penetration Test Report
6 Does the Penetration Testing Firm provide:
6a An Executive Summary Report
6b Technical Manager's Report
6c Technical Details Report
7 Did management's response include timely action to address
the weaknesses identified in the report?
Expanded Review - 2 Questions Yes/No/NA Comment
Penetration Test Areas
8 Did Management contract for the following type(s) of
Penetration Test(s):
8a Network services test?
8b Client-side test?
8c Web application test?
8d Remote dial-up war dial test?
8e Social Engineering?
8f Other?
8g Any specific limitations?
9 Did the Penetration Test Work Plan include:
9a Network Survey (reconnaissance)?
9b Scan Types?

9c Vulnerability Research & Verification?
9d Exploitation?
9e Password Cracking?
9f Wireless Attacks?
9g Web application test?
Overall Questionnaire Comments:


IT - Physical & Environmental


Scope: Determine that physical and environmental controls and policies and procedures have been adequately
documented and implemented.
Resources: Part 748, Appendix A III C 1.b., NIST 800-53, and FFIEC IT Examination Handbook. Physical controls refer
to facility controls (e.g., physical controls such as locks and guards, and environmental controls for temperature, humidity,
lighting, fire, and power) that protect or support critical information systems (including information technology assets
such as email, servers, data centers, workstations, and communications equipment).

Question Yes/No/NA Comment


Core Review - 9 Questions
1 Does management have a documented physical and
environmental protection policy?
2 Does management enforce physical access controls for access
points (including designated entry/exit points) to the facilities
and sensitive areas?
3 Is there a documented policy/procedure in place for granting
and revoking physical access?
4 Is access to the data center and other sensitive areas limited to
appropriate personnel?
5 Is there a process in place to monitor access to the data center
or sensitive areas of the credit union?
6 Does management test the access controls for adequacy and
effectiveness on a periodic basis (e.g., social engineering)?
7 Is security training provided to new and existing employees?
8 Does management have documented procedures in place to
address implementation and monitoring of environmental
controls?
9 Does the data center have a fire suppression system?
Expanded Review - 18 Questions Yes/No/NA Comment
Physical Access Controls
10 Does the risk assessment support the type and frequency of
access control being used?
11 Do the physical access controls provide a monitoring or
logging capability?
12 Does management conduct testing of access controls to ensure
effectiveness?
13 Is physical access to data lines (wire closets) within
organizational facilities adequately controlled?
14 Are file rooms and loan vaults adequately secured?
15 Does the credit union control access to printers, shredders, and
recycle bins to prevent unauthorized individuals from
obtaining the output?
Access Authorization
16 Is there a documented list of personnel authorized to access
the data center and other areas where information or systems
reside?
17 Is documentation of the approval/revocation and the
timeframes of its completion maintained?
18 Does management periodically review authorizations to
ensure such authorizations are current and appropriate?
Data Center Controls


19 Can power to the information system or individual system
components be shut off in emergency situations?
20 Are there emergency shutoff switches or devices in a
designated area or near the system component to facilitate safe
and easy access for personnel?
21 Are emergency power shutoff switches protected from
unauthorized activation?
22 Does the credit union have a short-term uninterruptible power
supply (UPS) with adequate capacity to facilitate an orderly
shutdown of the system in the event of a power loss?

23 Is the data center temperature and humidity level within the
organization-defined acceptable levels?
24 Are the temperature and humidity levels monitored to ensure
compliance with the defined target?
25 Does the credit union position information system components
to minimize potential damage from physical and
environmental hazards and to minimize the opportunity for
unauthorized access?
Fire Suppression
26 What type of fire suppression and detection system is in
place?
26a Gaseous Suppression
26b Handheld extinguishers
26c Smoke detectors
26d Sprinklers
27 If sprinklers are used has the risk assessment or management
addressed the potential water damage?
Overall Questionnaire Comments:


IT - Remote Access
Scope: Determine whether appropriate remote access technologies, policies, procedures, and practices are in place and
the credit union is operating in accordance with policies.
Resources: NIST Special Publications 800-46 and 800-111.
Question Yes/No/NA Comment
Core Review - 6 Questions
1 Has management performed a risk assessment on the use of
remote access to the credit union's systems?
2 Are there policies and procedures in place that address remote
access?
2a Does the policy address controls for vendor remote access?

3 Has remote access been granted based upon job duties and/or
business needs?
4 Is an appropriate level of authentication in place for remote
access?
5 Is all remote access monitored and logged?
6 Can remote users access or retrieve sensitive or confidential
information residing in the internal network?
6a If yes, is encryption implemented on the remote access
solution?
6b If yes, is the device used for remote access required to have
the same security and encryption standards as devices inside
the network?
Expanded Review - 21 Questions Yes/No/NA Comment
Remote Access Controls
7 Does the credit union have a remote access server?
7a If yes, does the server reside in the DMZ?
7b If yes, does the remote access server host any other services or
applications?
8 Does the credit union use a remote desktop solution?
8a If yes, does the solution enable a direct connection between
the remote user client device and the internal workstation?

8b If yes, and hosted by a third party, has the credit union performed
proper due diligence on the vendor?
9 Does the credit union allow remote users to use personal
equipment for remote access?
9a If yes, does the credit union require the remote user to
maintain a security standard equivalent to the credit union's?
10 Does the credit union validate remote PC security before
granting access?
11 Has management created remote access user profiles?
12 Do administrators connect remotely using their administrator
credentials?
13 Is the remote user list reviewed periodically to remove
dormant users or users no longer having a business need?

14 Are remote users prohibited from accessing the network or
workstations during their required annual leave?
Vendor Access

15 Is vendor access to the credit union's network for diagnostic
and/or maintenance activities properly restricted?

16 Is vendor access to the network blocked using firewall rules or
VPN solutions?
17 Are vendors required to notify the credit union of the system
changes to be performed?
18 Does IT staff monitor the vendor while connected to the
network?
19 Is a vendor's access limited to only their system?
Modems - Dial-in Access
20 Does the credit union have or use modems for primary or
emergency connectivity to vendors? If no, skip this section.
21 Is any data communicated to other companies via unsecured
modems?
22 Are methods in place to ensure that modems are not
susceptible to unauthorized access?
23 Are there users with dial-in authority?
24 Is dial-in access restricted to appropriate personnel?
25 Have dial-in time limits been established?
26 Have call back options been enabled?
27 Does management employ the proper procedures to detect and
deny unauthorized remote access?
Overall Questionnaire Comments:


IT - Routers
Scope: Determine whether installed routers adequately support the network infrastructure and whether day-to-day
operations promote the integrity of the routers in place.
Resources used: NIST SP 800 - 53, NIST SP 800 - 34, FFIEC Information Security Handbook.
Question Yes/No/NA Comment
Core Review - 10 Questions
1 Does the Information Security Program (ISP) incorporate
router configuration policies?
2 Are baseline configurations maintained for routers within the
information system?
3 Are changes to the router configuration documented and
reviewed by approved individuals?
4 Before changes are made to router configurations, is the
potential security impact considered?
5 Does documentation (i.e. topology maps) exist to identify the
routers existing on the credit union's network?
6 Does documentation exist for the current firmware version
installed on the routers?
7 Is physical access to routers adequately controlled in the main
office and in branches?
8 Is logical access to the routers controlled through the use of
passwords or other means?
9 Is a telnet, SSH, or HTTPS protocol used to maintain the
router?
9a If so, is access granted only to specific workstations on the
internal network side of the router?
10 Is the responsibility for managing the routers assigned to a
specific person or third party?
10a Does the responsible individual or third party have the
requisite knowledge and training to provide router
maintenance and support?
Expanded Review - 21 Questions Yes/No/NA Comment
11 Are default router configurations used, and are they set to
Default/Deny?
12 Has the credit union verified routers are properly configured
for the credit union's system requirements? How has this been
verified?
13 If the router(s) is/are maintained remotely, are communication
links secured?
14 Is router configuration reviewed and retained by independent,
internal employees?
15 Is the router configuration reviewed regularly?
16 Are commented, offline copies of all router configurations
maintained and consistent with the actual configuration
running on the router(s)?
17 Is router log activity monitored and retained?
18 Have backup router configuration files been tested, and how
often?
19 Are there written backup test procedures?
20 Is router log activity monitored?
21 Has the service timestamps command been used to ensure the
complete date and time are stamped onto entries in the router's
buffer log?

22 Have access list filters been implemented to permit only those
protocols and services that network users really need, and to
explicitly deny everything else?
23 Are router access lists configured to comply with corporate
policy?
24 Have all unused interfaces been shutdown?
25 Are internal addresses allowed to enter the router only from
the internal interfaces?
26 Are illegal addresses blocked at outgoing interfaces?
27 Are packets blocked coming from the outside (untrusted)
network that are obviously fake or commonly used for
attacks?
28 Are incoming packets blocked that claim to have the same
destination and source address?
29 Has SNMP trap authentication been turned off to prevent a
remote SNMP system shutdown request?
30 Do the router(s) prevent forwarding packets with no clear
route (no ip classless)?
31 If not needed, has proxy ARP been disabled on all interfaces?
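An added worked example, not part of the NCUA questionnaire and not tied to any specific router or vendor API, of how the configuration items in questions 21 through 31 can be checked mechanically from a saved running-config rather than by eye. It reads an IOS-style configuration (the sample is constructed), splits out global commands, interface blocks and extended access lists, and reports which hardening items are missing: log timestamps, a remote logging host, "no ip classless", unused interfaces left up, proxy ARP left enabled, and internal or RFC 1918 source addresses not denied inbound on the outside interface. The name of the outside interface and the internal address space are assumptions passed in by the caller.

```python
"""Router hardening audit for questions 21 through 31 of this section.

Added example for this questionnaire; not an NCUA tool and not tied to
any specific device. It reads an IOS-style running-config (the sample
below is constructed) and reports which hardening items are missing.
"""
import ipaddress
import re
from typing import Dict, List

# Sources that should never arrive on the outside interface (question 27).
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

# Constructed sample: timestamps and logging are set, but the inside
# interface still has proxy ARP enabled and two RFC 1918 ranges are not
# filtered inbound on the outside interface.
SAMPLE_CONFIG = """
service timestamps log datetime msec
no ip classless
logging host 192.0.2.50
!
ip access-list extended OUTSIDE-IN
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description inside
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
"""


def parse_config(text: str):
    """Split a config into global commands, interface blocks and extended ACLs."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    acls: Dict[str, List[str]] = {}
    block = None  # (kind, name) of the indented block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            block = None
        elif line.startswith("interface "):
            block = ("if", line.split(None, 1)[1])
            interfaces[block[1]] = []
        elif line.startswith("ip access-list extended "):
            block = ("acl", line.split()[-1])
            acls[block[1]] = []
        elif line.startswith(" ") and block:
            (interfaces if block[0] == "if" else acls)[block[1]].append(line.strip())
        else:
            block = None
            global_lines.append(line)
    return global_lines, interfaces, acls


def denied_sources(acl_lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Source networks denied before the first permit. First match wins, so a
    deny placed after a permit gives no protection against spoofed sources."""
    nets = []
    for entry in acl_lines:
        parts = entry.split()
        if parts[0] == "permit":
            break
        src = parts[2:]
        if src[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif src[0] == "host":
            nets.append(ipaddress.ip_network(src[1] + "/32"))
        else:  # IOS wildcard mask; ipaddress accepts it as a host mask
            nets.append(ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False))
    return nets


def audit(text: str, outside_if: str, internal_nets: List[str]) -> List[str]:
    global_lines, interfaces, acls = parse_config(text)
    findings = []
    if not any(l.startswith("service timestamps log datetime") for l in global_lines):
        findings.append("Q21: 'service timestamps log datetime' not configured")
    if not any(l.startswith("logging host") for l in global_lines):
        findings.append("Q17: no remote syslog host configured")
    if "no ip classless" not in global_lines:
        findings.append("Q30: 'no ip classless' not set")
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue
        if not any(l.startswith("ip address") for l in lines):
            findings.append(f"Q24: unused interface {name} is not shut down")
        if "no ip proxy-arp" not in lines:
            findings.append(f"Q31: proxy ARP still enabled on {name}")
    acl_name = None
    for l in interfaces.get(outside_if, []):
        m = re.match(r"ip access-group (\S+) in$", l)
        if m:
            acl_name = m.group(1)
    if acl_name not in acls:
        findings.append(f"Q22/Q25: no inbound access list applied on {outside_if}")
        return findings
    denied = denied_sources(acls[acl_name])
    for cidr in internal_nets + BOGON_SOURCES:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(d) for d in denied):
            findings.append(f"Q25/Q27: {net} not denied as a source on {outside_if}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "GigabitEthernet0/0", ["192.0.2.0/24"]):
        print(finding)
```

Run against the sample, the audit reports proxy ARP still enabled on the inside interface and two RFC 1918 ranges missing from the inbound filter; the "Q" labels tie each finding back to the questionnaire item it supports. The check is intentionally conservative about access lists: only deny entries that precede the first permit count as anti-spoofing protection, which is the ordering mistake a manual review most often misses.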

Overall Questionnaire Comments:


IT - Servers
Scope: To evaluate whether general security issues are addressed for critical servers that store or process personal
financial information, such as: Web; email; database; infrastructure management; and file servers.
Resources: NIST SP 800 - 123, Consensus Audit Guidelines.
Question Yes/No/NA Comment
Core Review- 8 Questions
Critical Server Controls
1 Does the credit union identify the purpose of the server?

2 Are servers located in a secure location?
3 Did management create, implement and document a
patching process?
4 Are any servers that communicate directly with the Internet
or other untrusted network segmented from the internal
network in a DMZ?
5 Does the credit union obtain periodic network vulnerability
assessments?
6 To harden and configure the OS, did the CU remove or
disable unnecessary services, applications, and network
protocols?
7 Does management's system monitoring include server logs?

8 Are servers administered remotely?
Expanded Review - 31 Questions Yes/No/NA Comment
Server Security Planning
9 Does the operating system have adequate security features?

10 Is management oversight adequate?
11 Are Human Resource implications managed appropriately?
Securing the Operating System
12 Has the appropriate user authentication taken place with, for
example:
12a Have unneeded default accounts been removed or disabled?
12b Have non-interactive accounts been disabled?
12c Have user groups been created?
12d Have user accounts been created?
12e Has automated time synchronization been configured?
13 Is the password length appropriate?
14 Is password complexity required?
15 Is password aging required?
16 Are passwords reused?
17 Is password authority appropriate?
18 Is password security appropriate?
19 Are account lock-outs appropriate?
20 Has management installed or configured other security
mechanisms to strengthen authentication for servers with
critical data and/or processes?
21 Have resource controls been configured appropriately?

22 Have the following security controls been installed and
configured:
22a Anti-virus and malware detection/prevention software?
22b Host-based intrusion detection and prevention software
(IDPS)?
22c Patch management solution?
22d Disk encryption technologies?
23 Are servers monitored for capacity utilization?
Server Software Security
24 Is there evidence management securely installed server
software?
25 Does the Information Security Program, or any other
management directive, provide guidance on configuring
access controls for critical servers?
26 Does the server OS limit which files can be accessed by the
service processes?
27 Has the server been configured to limit the amount of OS
resources it can consume?
28 Have timeouts been configured?
29 Has the maximum number of open connections been minimized?
30 Has management implemented authentication and
encryption technologies?
Security Maintenance
31 Have the logging capabilities been identified along with log
monitoring requirements?
32 Are server logs reviewed?
33 Are logs maintained?
34 Are automated log file analysis tools used?
35 Are server backup procedures in place?
36 Are server data backup policies adequate?
37 Are server backup types appropriate?
38 Does the CU maintain a test server?
39 Are procedures adequate to recover from a security
compromise?
Overall Questionnaire Comments:


IT - Virtualization
Scope: To determine whether appropriate controls and oversight are in place to provide effective operation and security
in the virtual environment. This questionnaire is focused on VMware as it is the dominant industry solution; however,
the concepts in the questions can be posed to all virtualization solutions.
Resources: FFIEC Information Security Handbook, NIST Special Publication 800-53, VMware Security Hardening
Guide.
Question Yes/No/NA Comment
Core Review - 12 Questions
1 Is there a policy in place to address virtualization deployment
and controls?
2 Which types of virtualization are being used by the credit
union?
2a Desktop virtualization
2b Virtual testing environments
2c Presentation virtualization
2d Application virtualization
2e Storage virtualization
3 What type of virtualization software does the credit union use?
4 Has management assessed the security and logging requirements for the services being virtualized?
5 Does the credit union utilize custom roles to assure that only
the minimum necessary privileges are assigned to people in
order to prevent unauthorized access or modification?
6 Is every virtual machine in the virtual infrastructure installed with appropriate security applications?
7 Are unused services in the operating system disabled?
8 Are virtual machines appropriately segmented on their own
network segments (separate network adapters or VLANs)?
9 Have storage requirements been reviewed for adequacy?
9a Has management configured clustering/high availability?
9b Is there an automated process in place for allocating resources
to virtual machines?
10 Has a fault tolerance solution been implemented?
11 Is there a documented change/patch management process in
place for the virtualized environment?
12 Has management addressed the requirements for licensing the
software being used on the virtual systems?

Expanded Review - 33 Questions Yes/No/NA Comment
Virtual Machines
13 Is every virtual machine in the virtual infrastructure installed with:
13a Antivirus agents
13b Spyware filters
13c Intrusion detection systems
13d Other security measures that you normally would install on a
physical server?
14 Are security patches applied on machines?

15 Is there a process for applying patches to dormant machines?
16 Have unused physical devices, such as CD/DVD, floppy, and USB adapters, been removed or disabled?
17 Are the copy and paste operations between the guest operating system and remote console disabled?
18 Does the credit union use a hardened base operating system
image (with no applications installed) when creating new
servers?
18a If Yes, are the security measures and patches updated
periodically on the image?
19 Are server resources adequately assigned and controlled to
prevent a denial of service within a host server?
20 Is the logging feature for the virtual machines turned on and
configured to prevent overwriting and space issues?
21 Is the credit union using remote services such as SSH and
terminal services to minimize the use of the VI Console?

Service Console
22 Is the service console appropriately segmented from the
network by the use of VLANs and/or a single switch and
ports?
23 Is the service console's firewall set to high security (by
default)? If no explain in comment.
24 Do you use the VI client, either connected to the host or
through the service console, to configure or maintain the
server host?
25 Is a directory service such as LDAP or NIS used to define and
authenticate users on the service console instead of local user
accounts?
26 Are user accounts on the service consoles shared?
27 Is remote root access for the service console disabled?
28 Is the SU privilege appropriately restricted? (Enter all employee names in the comment box.)
29 Are password aging and complexity requirements enforced for
any local user accounts?
30 Is the credit union running additional software on the service
console?
31 Are there patching and change management procedures for the
service console?
32 Is there an effective log management program in place for the
virtual environment?
Server Host
33 Are virtual servers labeled to allow accurate identification of
servers?
34 Was the default machine port and machine port group created
during server setup?

35 If encryption of VMotion traffic is not used, are networks
using VMotion properly segmented from other networks?
36 Are the virtual switches configured to run in promiscuous mode?
37 Are the virtual switch security settings "reject MAC address changes" and "reject forged transmits" being used on the ESX server host?
38 Is Storage Area Network (SAN) zoning being used in the
virtual environment (SAN environment only)?
39 Did the credit union accept the recommended partition settings
during the installation of the servers?
Virtual Center
40 Is the credit union using only a local Virtual Center
administrator account to manage the Virtual Center?
41 Is access to the Virtual Center appropriately controlled through the use of firewalls and TCP/UDP port access?
42 Is the Virtual Center installed on a separate server or virtual
machine?
43 Has the Virtual Center been upgraded to a version that
supports certificate-based encryption?
44 Does the credit union allow default self-signed certificates?
45 Is the command "Generate Virtual Center Server log bundle" used to document and monitor changes to the Virtual Center? If no, how is monitoring performed (use the comment box)?

Overall Questionnaire Comments:


IT - Wireless Networks
Scope: Review policies/procedures and the adequacy of security and controls being used on the wireless local area
networks (WLANs).
Resources Used: NSA Wireless Security Checklist, NIST SP800-48, and NIST SP800-97. Within NIST SP800-48, the
Security Checklist (Table 3-3) and the Security Summary (Table 3-4) present guidelines and recommendations for creating
and maintaining a secure 802.11b wireless network.
Question Yes/No/NA Comment
Core Review - 12 Questions
1 Does the credit union have a WLAN usage policy that
specifies which user or departments are authorized to use
WLAN technology and for what purposes?
2 Does the risk assessment process address WLANs?
3 Are wireless users educated about the risks of WLAN
technology and how to mitigate those risks?
4 Did management employ the services of security professionals
to assist with WLAN security issues if the requisite skill sets
are not currently available in the organization?
5 Does the credit union have comprehensive WLAN security assessments at regular and random intervals?
6 Does the credit union employ legacy wireless protocols such
as WEP, TKIP, or WPA?
7 Does the credit union employ a WLAN intrusion detection
system?
8 Does the credit union test and deploy software patches and
upgrades to wireless equipment on a regular basis?
9 Are default admin user IDs and passwords changed using
strong passwords?
10 Has the CU adequately implemented physical access controls
for wireless access points (APs) and authentication servers
(ASs)?
11 Are WLANs turned off after business hours or when not in
use?
12 Is logging activated with log entries frequently reviewed by
staff?
Expanded Review - 24 Questions Yes/No/NA Comment
Security Architecture
13 Briefly describe the appliance in use and its placement in the network.
14 Are WLAN equipment and security devices included in the
topology for the CU Network Infrastructure?
15 Is there a current inventory of WLAN/WWAN Hardware
Devices and Network Interface Cards (NICs)?
16 Are all wireless network connections based on IEEE 802.11i using IEEE 802.1X/EAP authentication?
17 Are clearly defined and/or enhanced security configuration
standards in place for the wireless authentication server (AS)?
18 Did planning and design of the wireless network include a site survey to determine the proper location of access points (APs), given the desired coverage area?
19 Does the credit union employ only WPA2-Enterprise certified
workstations and access points?
20 Does the credit union utilize products that use FIPS-validated
cryptographic modules?

21 Are wireless access points securely configured as follows:
21a With insecure and unused management protocols on the APs disabled, and remaining management protocols configured for least privilege?
21b With WEP and TKIP disabled?
21c With strong, unique administrative passwords?
21d To terminate sessions after a configurable time period?
21e To support authentication and data encryption for
administrative sessions?
21f Do access points log security relevant events and forward
them to a remote audit server in real time?
Workstation Controls
22 Are clearly defined and/or enhanced security configuration
standards in place for wireless workstations/ laptops (STAs) to
account for WLAN risks?
23 Are STAs configured with the following security features:
23a Personal firewalls?
23b Anti-virus software?
23c Disabling of file and printer sharing?
23d Disabling SNMP, NetBIOS over TCP/IP, and all unnecessary
TCP services?
Monitoring & Maintenance
24 Are all passwords changed regularly?
25 Does the credit union periodically update the certificates on
the clients and the servers?
26 Do wireless security audit processes and procedures identify
the types of security relevant events that should be captured,
and determine how audit records will be securely stored for
subsequent analysis?
27 Does the credit union have an auditing tool to automate the
review of AP and AS audit data?
28 Does the CU regularly monitor security alert organizations for
notices related to their WLAN/WWAN devices?
29 Have key employees received appropriate training regarding network, application, and security controls?
30 Does the CU have a formal process for identifying, testing and
applying WLAN/WWAN-related patches, updates, and
service packs?
Business Continuity
31 Can the wireless appliance be quickly reconfigured from
backups (e.g. to restore a previous configuration)?

32 Can the wireless device be accessed by a secondary IT
employee, Supervisory Committee member or assigned staff
member in an emergency?
33 Is the recovery of the wireless appliance tested at least
annually?
34 Is the wireless device on an Uninterruptible Power Supply
(UPS)?
35 Is there a copy of vendor documentation for the devices used
by the CU?
36 Is there a trained backup to the primary WLAN administrator?

Overall Questionnaire Comments:
