Home | CSBS



Nonbank Cybersecurity Exam Program
Document Request List

Columns: Ref. No. | Program Area | Requested Documents | Documents Provided | Institution Contact

IT – 1  Information Security Program
  All policies and procedures that comprise the information security program, including but not limited to:
  - Information Security
  - Anti-virus
  - Change Management
  - Software Development and Maintenance
  - Vendor Management
  - Business Continuity/Disaster Recovery/Emergency Preparedness/Incident Response Plans
  - Remote Access for Employees and Customers
  - Data Backups
  - Data Retention
  - Data Disposal
  - Acceptable Use
  - Rules of Behavior
  - Clean Desk
  - Encryption/Data at Rest and Data in Motion
  - Mobile Device Management, including Bring Your Own Device
  - Written hardware and software end-of-life policies and procedures
  - Risk Assessment(s)
  - Information Security training materials for all employees, including employee completion records

IT – 2  Board/Management Oversight
  - IT Strategic Plan/Budget
  - Most recent CIO or CISO presentation
  - Materials to support Board discussion of risk acceptance
  - Board/committee minutes to support designation of employee(s) to coordinate the information security program

IT – 3  IT/IS Organization
  - IT/IS Organizational Chart(s)
  - Resumes for key IT personnel
  - Job descriptions for key IT personnel
  - IT Succession Plan (if separate from overall institution plan)

IT – 4  Relationships Between Assets and Data Flow
  - Network Diagram(s)
  - Data Flow Diagram(s)
  - Inventory of approved hardware and software assets, including network monitoring tools

IT – 5  Vulnerability Management Program
  - Written policies and procedures, if not already provided for #1 above
  - Vulnerability scans – most recent
  - Penetration tests/vulnerability assessments – most recent
  - Remediation actions

IT – 6  Patch Management Program
  - Written policies and procedures, if not already provided for #1 above
  - Patch deployment confirmation
  - Rollback settings

IT – 7  Change Management Program (includes software development activities)
  - Written policies and procedures, if not already provided for #1 above
  - List of software development, acquisition, and maintenance changes within past 12 months
  - List of hardware acquisition and maintenance changes within past 12 months

IT – 8  IT Audit Function
  - IT Audit Policy
  - Current and previous IT audit schedule
  - IT audit risk assessment and audit plan
  - IT audit reports for the past 24 months, including the corresponding engagement letters, if applicable
  - Actions taken to remediate findings
  - IT audit and regulatory finding tracking list

IT – 9  Vendor Management Program
  - Written policies and procedures, if not already provided for #1 above
  - List of third-party vendors, indicating which vendors are considered critical
  - Documentation supporting compliance with the vendor management program, such as audit reports, contracts, due diligence, financial statement reviews, etc. (a sample will be selected upon receipt of the third-party vendor list)

IT – 10  Incident Response
  - Incident Response Plan, if not already provided for #1 above
  - Documentation to support the most recent incident response plan test
  - List of incidents occurring within the previous 12 months

IT – 11  Business Continuity/Disaster Recovery/Emergency Management
  - Business Continuity/Disaster Recovery/Emergency Management Plans, if not already provided for #1 above
  - Backup policies and procedures, if not already provided for #1 above
  - Business Impact Analysis
  - Risk Assessment
  - Documentation to support all testing performed during the previous 24 months

IT – 12  Password Management
  - Password settings for all systems
  - Screen lockout settings for all systems
  - Session expiration settings for all systems

IT – 13  Remote Access for Employees and Customers
  - Written policies and procedures, if not already provided for #1 above
  - Description of who has remote access, including third parties, employees and board members with company-owned devices, and employees and board members with personal devices

IT – 15  Insurance Policies (if applicable)
  - Cybersecurity, ransomware, data breach notification

IT – 16  Products and Services
  Describe the technology environment:
  - Describe all cloud services used by the institution. Include Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
  - List all core applications, including online applications and network(s), and indicate whether the applications are outsourced or hosted in-house.
    - If outsourced, please provide the name and location of the third-party provider.
    - If in-house, please indicate whether the applications are developed and maintained in-house or are a third-party software product. Include the product name and the third-party provider name and location for software products.
  - Describe processes for network monitoring (e.g., performance, intrusion detection, web filtering) and network operations. Include whether these activities are outsourced or performed in-house.

State Specific Documents

Columns: Ref. No. | Program Area | Requested Documents | Documents Provided | Institution Contact

IT – 17
IT – 18
................
