Federal Deposit Insurance Corporation








Financial Institution Letters


Division of Supervision and Consumer Protection

Information Technology

IT-MERIT PROCEDURES

SEPTEMBER 2002


Management

Strategic Management
1. Describe how management integrates technology strategic planning into the overall Corporate Business Plan.
Examiner Evaluation of the Bank's Response:

 

 


Technology Changes

2. Describe new technology implemented since the last exam or in the past two years, whichever is the shorter period. Describe planned or anticipated technology changes in the next year.
Examiner Evaluation of the Bank's Response:


 

Risk Assessments

3. Explain management's process for identifying, risk ranking, and mitigating IT risks within the organization.
  • Who is responsible for this process?
  • What is the mechanism for reporting these risks to the Board?
  • What is management's process for determining the confidentiality of electronic and paper-based information?
  • How is the information protected?
Examiner Evaluation of the Bank's Response:


 

Board Reporting

4. Detail what reports and other communications are provided to the Board for its evaluation of IT risks within the organization.
  • What is the frequency of this communication?
Examiner Evaluation of the Bank's Response:


 

Network Diagram
5. Provide the bank's network topology/schematic diagram.
Examiner Evaluation of the Bank's Response:


 

Vendor Management
6. Describe management's vendor management process and ongoing due diligence program.
  • Provide a list of the bank's key IT vendors and consultants.
  • Are all of these vendors covered by a current contract?
  • How has management evaluated the vendors' procedures for conducting employee background checks?
Examiner Evaluation of the Bank's Response:


 


Information Security

Information Security Program

7. Has the Board or its designated committee approved a written Information Security Program?

Do the policies addressing the Information Security Program cover the following:

  • Roles and responsibilities (central security coordination, segregation of duties, incident response, skill continuity)?
  • Personnel security (background checks, acceptable use training for email/Internet)?
  • Audit (scope, internal/external auditor qualifications, system log reviews, audit trails)?
  • Vendor management?
  • Access controls (mainframe/network logical controls, password parameters, authentication, etc.)?
  • Configuration management (security patches, software upgrades, parameter changes)?
  • Contingency planning (business continuity, backups, disaster recovery)?
  • Virus protection?
  • Telecommunications (firewalls, modems, intrusion detection, encryption)?
  • Restricted access (terminal/data center access)?
  • Safety (fire prevention/detection, housekeeping)?
  • Inventory management (theft detection, media disposal, hardware, software, source documents, output)?

Who is responsible for maintaining the Information Security Program?

Examiner Evaluation of the Bank's Response:

 

 


Roles and Responsibilities
8. Who are the information security officer and the system administrator? Provide detail on their experience, training and certifications, and other duties within the organization.
Examiner Evaluation of the Bank's Response:


 

Access Controls
9. Describe the process for determining and reviewing user access levels.
Examiner Evaluation of the Bank's Response:

 

10. Provide details on the following password control features utilized by the bank's applications and operating systems:
  • Password length.
  • Change interval.
  • Password composition rule.
  • Password history.
  • Lockout rule.
Examiner Evaluation of the Bank's Response:


 
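The five parameters in item 10 map directly onto configuration files on a Linux host, and an examiner or the bank's security officer can pull the answers from those files rather than rely on a narrative response. The script below is an added example, not part of the FDIC procedures: it parses constructed samples of /etc/login.defs (change interval, minimum length), /etc/security/pwquality.conf (length, composition classes), /etc/security/faillock.conf (lockout) and the PAM password stack (history via remember=N), shows an "as found" set of weak values beside a hardened set, and flags the fields that would need a comment. The review thresholds in WEAK_IF are illustrative assumptions for the example; the FDIC document sets no numeric values.

```python
"""Collect the item-10 password controls from Linux configuration files.

All file contents are constructed samples, not taken from any bank; the
thresholds in WEAK_IF are illustrative assumptions, not FDIC guidance."""
import re
from typing import Callable, Dict, Optional

# Constructed "as found" samples: no ageing, one character class,
# no history, lockout disabled (faillock deny = 0).
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
"""
PWQUALITY_CONF = "# length and classes\nminlen = 8\nminclass = 1\n"
FAILLOCK_CONF = "deny = 0\nunlock_time = 600\n"
PAM_SYSTEM_AUTH = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
"""

# Constructed hardened counterparts of the same four files.
LOGIN_DEFS_HARDENED = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 12\n"
PWQUALITY_HARDENED = "minlen = 12\nminclass = 3\n"
FAILLOCK_HARDENED = "deny = 5\nunlock_time = 900\n"
PAM_HARDENED = (
    "password    required      pam_pwhistory.so remember=12 use_authtok\n"
    "password    sufficient    pam_unix.so sha512 shadow use_authtok\n"
)


def parse_kv(text: str, sep: Optional[str] = None) -> Dict[str, str]:
    """Parse KEY/VALUE lines, skipping blanks and '#' comments.
    login.defs separates with whitespace (sep=None); pwquality.conf and
    faillock.conf use '='."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(sep, 1) if line else []
        if len(parts) == 2:
            out[parts[0].strip()] = parts[1].strip()
    return out


# A password-stack line naming pam_pwhistory or pam_unix with remember=N;
# the control field may be a bracketed expression, so it is not split on.
_HISTORY = re.compile(
    r"^\s*password\s+.*\bpam_(?:pwhistory|unix)\.so\b.*\bremember=(\d+)")


def pam_history(pam_text: str) -> Optional[int]:
    """Return the enforced history depth, or None when none is configured."""
    for line in pam_text.splitlines():
        m = _HISTORY.match(line)
        if m:
            return int(m.group(1))
    return None


def password_controls(login_defs: str, pwquality: str, faillock: str,
                      pam: str) -> Dict[str, Optional[int]]:
    """Map the four files onto the questionnaire's five fields."""
    ld, pq, fl = parse_kv(login_defs), parse_kv(pwquality, "="), parse_kv(faillock, "=")

    def num(d: Dict[str, str], key: str) -> Optional[int]:
        return int(d[key]) if key in d else None

    # On a PAM system pam_pwquality's minlen is what is enforced; PASS_MIN_LEN
    # only governs when no pwquality setting exists.
    length = num(pq, "minlen")
    if length is None:
        length = num(ld, "PASS_MIN_LEN")
    return {
        "length": length,
        "change_interval_days": num(ld, "PASS_MAX_DAYS"),
        "composition_classes": num(pq, "minclass"),
        "history": pam_history(pam),
        "lockout_attempts": num(fl, "deny"),  # 0 means faillock never locks
    }


# Illustrative review bounds (assumed for this example, not FDIC guidance):
# a field is flagged when it is unset or weaker than the bound.
WEAK_IF: Dict[str, Callable[[Optional[int]], bool]] = {
    "length": lambda v: v is None or v < 8,
    "change_interval_days": lambda v: v is None or v > 90,
    "composition_classes": lambda v: v is None or v < 3,
    "history": lambda v: v is None or v < 4,
    "lockout_attempts": lambda v: v is None or v == 0 or v > 5,
}


def findings(controls: Dict[str, Optional[int]]) -> list:
    """Return the questionnaire fields that need an examiner comment."""
    return sorted(k for k, weak in WEAK_IF.items() if weak(controls[k]))


if __name__ == "__main__":
    for files in ((LOGIN_DEFS, PWQUALITY_CONF, FAILLOCK_CONF, PAM_SYSTEM_AUTH),
                  (LOGIN_DEFS_HARDENED, PWQUALITY_HARDENED, FAILLOCK_HARDENED, PAM_HARDENED)):
        found = password_controls(*files)
        print(found, "->", findings(found) or "no findings")
```

On a real host the four strings would be read from the files named in the docstring; applications with their own user stores (core banking systems, mainframe security managers) keep these parameters elsewhere and have to be collected separately, which is why item 10 asks about applications as well as operating systems.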

Disaster Recovery
11. Describe the bank's disaster recovery testing process. Include the scope, results, and date of the bank's most recent disaster recovery test.
Examiner Evaluation of the Bank's Response:


 
12. Describe the bank's backup procedures.
  • What is backed up?
  • What is the rotation schedule?
  • Where are backup media stored?
  • How soon after backup media are created are the media taken off-site?

Examiner Evaluation of the Bank's Response:


 

Physical Security
13. How are critical technology resources physically secured (mainframe, servers, telecommunications equipment, wiring closet)?
Examiner Evaluation of the Bank's Response:


 


Audit

Audit Scope
14. How does management establish the scope and frequency of IT audits?
Examiner Evaluation of the Bank's Response:


 

Audit Methods

15. What validation methods (internal and/or external audits, security assessment, penetration study) does management use to determine compliance with written and approved corporate policies?
  • Provide date, scope and frequency of the validation methods described above.
  • Provide detail on management's process for addressing audit findings/corrective actions.
  • Is this process documented?
Examiner Evaluation of the Bank's Response:


 

Audit Trails
16. Which of the following activity logs/exception reports are reviewed and who performs the review?
  • New loans.
  • File maintenance.
  • Dormant account activity.
  • Parameter changes.
  • Kiting.
  • Employee accounts.
  • Audit logs.
  • Backup logs.
  • System reports.
  • Firewall logs.
  • Intrusion Detection System (IDS) logs.
Examiner Evaluation of the Bank's Response:


 
Last Updated 10/09/2002 communications@fdic.gov