KL - Business Continuity Management Audit Work Program (3 Samples)

This document contains three samples of business continuity management audit work programs. The first sample outlines preliminary steps such as collecting relevant documentation and determining examination scope and objectives. It examines the appropriateness of the enterprise-wide business continuity plan and oversight/support from management. It also addresses evaluating the business impact analysis and risk assessment.

Table of Contents

BUSINESS CONTINUITY MANAGEMENT AUDIT WORK PROGRAM: SAMPLE 1
BUSINESS CONTINUITY MANAGEMENT AUDIT WORK PROGRAM: SAMPLE 2
BUSINESS CONTINUITY MANAGEMENT AUDIT WORK PROGRAM: SAMPLE 3
BUSINESS CONTINUITY MANAGEMENT AUDIT WORK PROGRAM: SAMPLE 1

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

PRELIMINARY STEPS
Schedule kickoff meetings and exit meetings. Collect the following information:
• Business continuity policy/plan (BCP)
• Board presentations covering the business continuity program.
• Disaster recovery plans for all core systems, applications and voice/data telecommunications.
• IT disaster recovery test reports, including objectives, scenarios, test scripts, and log of any issues encountered and how they were resolved.
• Business-focused business continuity plans, including manual workarounds, plans to relocate personnel or business processes, and plans to restore lost electronic and paper records.
• Business continuity exercise reports, including objectives, scenarios, test scripts, and log of any issues encountered and how they were resolved.
• Strategic-level crisis management plans used by executives to manage the institution’s overall response to an event.
• Crisis communication plans used for internal and external audiences.
• Employee call tree or other tools used to communicate with staff in a timely manner.
• Any plans related to how the institution would attend to the human impact (to its employees and their dependents) following an event.
• Business continuity-related training programs and documentation.
• Recent SAS 70 report(s).
• Records retention policy, off-site storage program and documentation demonstrating compliance.
• Business continuity program strategic plan, schedule, and budget information.
• Business continuity program maintenance records.
• Plans regarding continuity planning with technology services providers.
• Contracts for any disaster recovery service providers.
• Business continuity-related risk assessments, including natural hazards information.

Source: www.knowledgeleader.com
EXAMINATION SCOPE AND OBJECTIVES
Objective: Determine examination scope and objectives for reviewing the business continuity planning program.

Time Task Initial Index

Review past reports for outstanding issues or previous problems. Consider the following:
• Regulatory examination reports.
• Internal and external audit reports.
• Organization’s overall risk assessment and profile.

Review management’s response to issues raised since the last examination. Consider the following:
• Adequacy and corrective action timing.
• Resolution of root causes rather than just specific issues.
• Any outstanding issues.

Interview management and review the business continuity request for information to identify the following items:
• Any significant changes in business strategy or activities that could affect the business recovery process.
• Any material changes in the audit program, scope or schedule related to business continuity activities.
• Key management changes.
• Information technology environments and changes to configuration or components.
• Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendor listings.

Determine management’s consideration of newly identified threats and vulnerabilities to the organization’s business continuity process. Consider the following risks:
• Technological and security vulnerabilities.
• Internally identified threats.
• Externally identified threats (including known threats published by information-sharing organizations).

APPROPRIATENESS OF ENTERPRISEWIDE BCP

Objective: Determine the existence of an appropriate enterprisewide business continuity plan (BCP).

Time Task Initial Index

Review and verify the written BCP for the following:

The recovery of each business unit/department/function is addressed with the following in mind:
• Its priority ranking in the risk assessment is used.
• Interdependencies are considered among systems.

The plan takes into account:
• Personnel
• Facilities
• Technology (hardware, software, operational equipment, etc.)
• Telecommunications/networks
• Vendors
• Utilities
• Documentation (data and records)
• Law enforcement
• Security
• Media
• Shareholders

Ensure that emergency preparedness and crisis management aspects are included by performing the following tasks:
• Include an accurate employee/manager contact tree.
• Define responsibilities and decision-making authorities for designated teams and/or staff members, including those who have the authority to declare a disaster.
• Explain the necessary action in specific emergencies.
• Define the conditions under which the backup site would be used.
• Incorporate procedures for notifying the backup site.
• Designate a public relations spokesperson.
• Identify sources of needed office space and equipment and a list of key vendors (hardware/software/communications, etc.).

Determine if adequate procedures are in place to ensure that the BCP is maintained in a current fashion and updated regularly.

OVERSIGHT AND SUPPORT

Objective: Determine the quality of BCP oversight and support provided by the board of directors and senior management.

Time Task Initial Index

Determine if the board has established an enterprisewide business continuity planning process appropriate for the size and complexity of the organization that defines the organization’s business continuity strategy.

Determine if a senior manager has been assigned responsibility to oversee the development, implementation, testing and maintenance of the BCP.

Determine if the board has ensured that adequate resources, including sufficient human resources, are devoted to the business continuity process.

Determine if the board reviews and approves the written BCP and testing results at least annually and documents these reviews in the board minutes.

Determine if senior management periodically reviews and prioritizes each business unit, business process, department, and subsidiary for its critical importance and recovery prioritization. If so, determine how often reviews are conducted.

If applicable, determine if senior management has evaluated the adequacy of the BCP for its service providers and ensured that the organization’s BCP is compatible with those service provider plans, commensurate with adequate recovery priorities.

BUSINESS IMPACT ANALYSIS

Objective: Determine if an adequate business impact analysis (BIA) and risk assessment have been completed.

Time Task Initial Index

Determine if all functions and departments were included in the BIA.

Review the BIA to determine if the identification and prioritization of business functions are adequate.

Determine if the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, and the cost and recovery time objectives associated with downtime.

Review the risk assessment and determine if it includes scenarios and probability of occurrence of disruptions of information services, technology, personnel, facilities, and service providers from internal and external sources, including:
• Natural events, such as fires, floods and severe weather.
• Technical events, such as communication failure, power outages, and equipment and software failure.
• Malicious activity, including network security attacks, fraud and terrorism.

Ensure that the risk assessment and BIA have been reviewed and approved by senior management and the board.

Ensure that reputation, operational, compliance and other risks are considered in the plan.

RISK MANAGEMENT
Objective: Determine if appropriate risk management over the business continuity process is in place.

Time Task Initial Index

Determine if adequate risk mitigation strategies have been considered for:
• Alternate locations and capacity for the following:
− Data centers and computer operations.
− Back room operations.
− Work locations for business functions.
− Telecommunications
• Backup of the following:
− Data
− Operating systems
− Applications
− Utility programs
− Telecommunications
• Off-site storage of the following:
− Backup media
− Supplies
− Documentation (e.g., BCP, operating and other procedures, inventory listings, etc.)
• Alternate power supplies:
− Uninterruptible power supplies (UPS)
− Backup generators

Determine if satisfactory consideration has been given to geographic diversity for:
• Alternate processing locations.
• Alternate locations for business processes and functions.
• Off-site storage

Ensure that appropriate policies, standards and processes address business continuity planning issues, including:
• Systems development life cycle, including project management.
• The change control process.
• Data synchronization, backup and recovery.
• Employee training and communication planning.
• Insurance
• Government and community coordination

Determine if personnel are adequately trained for their specific responsibilities under the plan and whether emergency procedures are posted in prominent locations throughout the facility.

Determine if the continuity strategy includes alternatives for interdependent components and stakeholders, including:
• Utilities
• Telecommunications
• Third-party technology providers
• Key suppliers/business partners
• Customers/members

Determine if there are adequate processes in place to ensure that the plan is maintained to remain accurate and current.
• Designated personnel are responsible for maintaining changes in processes, personnel and environment(s).
• The board of directors reviews and approves the plan annually and after significant changes and updates.
• The process includes notification and distribution of revised plans to personnel and recovery locations.

Determine if audit involvement in the business continuity program is effective, including:
• Audit coverage of the business continuity program.
• Assessment of business continuity preparedness during line(s) of business reviews.
• Audit participation in testing in an observer role.
• Audit review of testing plans and results.

TESTING
Objective: Determine whether the BCP includes appropriate testing to ensure that the business processes will be maintained, resumed and/or recovered as intended.

Time Task Initial Index

Determine if the BCP is tested at least annually.

Verify that all critical business units/departments/functions are included in the testing.

Verify that tests include the following:
• Goals and objectives are set in advance.
• Conditions and activity volumes are realistic.
• Backup system and data files are used while maintaining off-site backup copies for use in case of an event concurrent with the testing.
• Internal audit reviews and participates.
• A post-test analysis report and review process are conducted that include a comparison of test results to the original goals.
• Corrective action plans are developed for all problems encountered.
• A board of directors’ review is performed.

Determine if interdependent departments, vendors and key market providers have been involved in testing at the same time to uncover potential conflicts and/or inconsistencies.

Determine if the level of testing is adequate for the size and complexity of the organization. Determine if the testing includes:
• Operating systems and utilities testing (infrastructure).
• Critical applications testing (application level).
• Application data transfers (integrated testing).
• Complete environment and workload testing (stress test).

Determine whether testing at an alternative location includes:
• Network connectivity
• Items processing and back room operations connectivity and information.
• Other critical data feed connections/interfaces.

Determine whether testing of the information technology infrastructure includes:
• Involved personnel rotation
• Business unit personnel involvement

Determine whether management considered testing with the following items:
• Critical service providers
• Customers
• Affiliates
• Correspondent institutions
• Payment systems and major financial market participants.

IT DOCUMENTATION
Objective: Determine if the information technology environment has a properly documented BCP that complements the enterprisewide and other departmental BCPs.

Time Task Initial Index

Verify that the IT BCP properly supports and reflects the goals and priorities found in the business unit BCP.

Determine if all critical resources and technologies are covered by the BCP, including voice and data communication networks, etc.

Determine if the BCP includes the entire network and communication connections.

Determine if the BCP establishes required processing priorities if all applications cannot be processed.

HARDWARE BACKUP AND RECOVERY

Objective: Determine whether the BCP includes appropriate hardware backup and recovery.

Time Task Initial Index

Describe the arrangements for alternative processing capability in the event any specific hardware, the data center, or any portion of the network becomes disabled or inaccessible and determine if those arrangements are in writing.

If the organization is relying on in-house systems at separate physical locations for recovery, verify if the equipment is capable of independently processing all critical applications.

If the organization is relying on outside facilities for recovery, determine if the recovery site can perform the following:
• Required volume can be processed.
• Sufficient processing time can be provided for the anticipated workload based on emergency priorities.
• The organization can use the facility until it achieves a full recovery from the disaster and resumes activity at the organization’s facilities.

Review the contract between applicable parties, such as recovery vendors.

Determine how the recovery facility’s customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period.

Determine whether the organization ensures that when any changes (e.g., hardware or software upgrades or modifications) in the production environment occur, a process is in place to make or verify a similar change in each alternate recovery location.

Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization’s software or its recovery plan.

SOFTWARE BACKUP AND RECOVERY

Objective: Determine whether the business continuity process includes appropriate data and application software backup and recovery.

Time Task Initial Index

Determine the answers to the following questions:
• Are duplicates of the operating systems available both on- and off-site?
• Are duplicates of the production programs, including both source (if applicable) and object versions, available both on- and off-site?
• Are all programming and system software changes included in the backup?
• Is backup media stored off-site in a place from which it can be retrieved quickly at any time?
• Are frequency and number of backup generations adequate given the volume of transactions being processed and the frequency of system updates?
• Are duplicates of transaction files maintained on- and off-site?
• Are data file backups taken off-site in a timely manner and not brought back until a more current backup is off-site?

Review the written IT continuity plan and determine if the plan addresses the backup of the systems and programming function (if applicable), including:
• Programming tools and software backup
• Program and system documentation off-site copies

PREPARATION FOR DATA CENTER RECOVERY

Objective: Determine whether the BCP includes appropriate preparation to ensure that the data center recovery processes will work as intended.

Time Task Initial Index

Determine if the data center has a properly documented BCP. Verify that the information technology BCP properly supports and reasonably reflects the goals and priorities found in the corporate BCP.

Determine if the plan addresses how backlogged transactions and other activities will be brought current.

Determine if there are plans in place that address the return to normal operations and original business locations once the situation has been resolved and permanent facilities are available again.

Determine if adequate documentation is housed at the alternate recovery location, including:
• BCP copies
• Necessary system documentation copies.

INCLUSION OF SECURITY PROCEDURES

Objective: Determine that the BCP includes appropriate security procedures.

Time Task Initial Index

Determine whether adequate physical security and access controls exist over data backups and program libraries throughout their life cycle, including when they are created, transmitted/delivered to storage, stored, retrieved and loaded, and destroyed.

Determine if appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility.

Determine if the intrusion detection and incident response plans consider resource availability and facility and systems changes that may exist when alternate facilities are used.

Determine if the methods by which personnel are granted temporary access (physical and logical) during continuity planning implementation periods are reasonable.
• Evaluate the extent to which backup personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to the levels of systems, operational, data and facilities access.
• Review the assignment of authentication and authorization credentials to determine if they are based on primary job responsibilities and if they also include business continuity planning responsibilities.
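One concrete way to test the temporary-access step above is to review the grants issued while the plan was in effect against the activation window. The Python script below is an added example written for this page; it is not part of the work program or of KnowledgeLeader's material, and the TemporaryGrant and ContinuityPeriod records, their field names and the sample grants are constructed assumptions. It flags grants with no recorded continuity role, no expiry, a grant date before the disaster declaration, or access that is still active after the return to normal operations.

```python
"""Review temporary access grants issued during plan activation (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class TemporaryGrant:
    """One temporary access grant, physical or logical (hypothetical record layout)."""
    user: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime]          # None means the grant was issued open-ended
    bcp_role: Optional[str]                 # continuity role that justifies the grant, if recorded
    revoked_at: Optional[datetime] = None   # set when access was withdrawn early


@dataclass(frozen=True)
class ContinuityPeriod:
    """Window during which the plan was in effect."""
    declared_at: datetime                   # disaster declaration
    stood_down_at: Optional[datetime]       # None while alternate facilities are still in use


def is_active(grant: TemporaryGrant, now: datetime) -> bool:
    """A grant is active if it has neither been revoked nor expired as of `now`."""
    if grant.revoked_at is not None and grant.revoked_at <= now:
        return False
    return grant.expires_at is None or grant.expires_at > now


def review_grant(grant: TemporaryGrant, period: ContinuityPeriod, now: datetime) -> List[str]:
    """Return the review findings for one grant (empty list = nothing to report)."""
    findings: List[str] = []
    if grant.bcp_role is None:
        findings.append("no continuity role recorded to justify the grant")
    if grant.expires_at is None:
        findings.append("open-ended grant: no expiry set")
    if grant.granted_at < period.declared_at:
        findings.append("granted before the disaster declaration")
    if (period.stood_down_at is not None and now > period.stood_down_at
            and is_active(grant, now)):
        findings.append("still active after return to normal operations")
    return findings


def review_grants(grants: Sequence[TemporaryGrant], period: ContinuityPeriod,
                  now: datetime) -> Dict[str, List[str]]:
    """Findings keyed by user@resource so each grant is reported once."""
    return {f"{g.user}@{g.resource}": review_grant(g, period, now) for g in grants}


# Constructed sample data: a four-day activation reviewed three days after stand-down.
SAMPLE_PERIOD = ContinuityPeriod(declared_at=datetime(2024, 3, 1, 8, 0),
                                 stood_down_at=datetime(2024, 3, 5, 18, 0))
REVIEW_TIME = datetime(2024, 3, 8, 9, 0)
SAMPLE_GRANTS = [
    TemporaryGrant("alice", "core-banking-dr", datetime(2024, 3, 1, 9, 0),
                   datetime(2024, 3, 6, 0, 0), "DR operations lead",
                   revoked_at=datetime(2024, 3, 5, 19, 0)),
    TemporaryGrant("bob", "backup-tape-vault", datetime(2024, 3, 2, 10, 0), None, "Records recovery"),
    TemporaryGrant("carol", "payments-alt-site", datetime(2024, 3, 1, 12, 0),
                   datetime(2024, 3, 10, 0, 0), None),
    TemporaryGrant("dave", "hr-db", datetime(2024, 2, 20, 9, 0), datetime(2024, 3, 3, 0, 0), "HR continuity"),
]

if __name__ == "__main__":
    for key, findings in review_grants(SAMPLE_GRANTS, SAMPLE_PERIOD, REVIEW_TIME).items():
        print(key, "->", findings or "no exceptions")
```

Each finding maps to a question the work program asks: whether a grant is tied to a continuity responsibility rather than a primary job, whether it is bounded in time, and whether access levels were revised back once the scenario ended. Run against a real grant export, the same checks give the reviewer a list of exceptions to follow up rather than a judgement of "reasonable" made by inspection.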

CRITICAL OUTSOURCED ACTIVITIES
Objective: Determine whether the BCP addresses critical outsourced activities.

Time Task Initial Index

Determine if the BCP addresses communications and connectivity with technical service providers in the event of a disruption at the institution.

Determine if the BCP addresses communications and connectivity with technology service providers (TSPs) in the event of a disruption at the service provider’s facilities.

Determine if there are documented procedures in place for accessing, downloading and uploading information with TSPs, correspondents, affiliates and other service providers from primary and recovery locations, in the event of a disruption.

Determine if the institution has a copy of the TSP’s BCP and incorporates it, as appropriate, into its plans.

Determine if management has received and reviewed testing results of the TSPs.

When testing with the critical service providers, determine whether management considered testing:
• From the institution’s primary location to the TSPs’ alternative location.
• From the institution’s alternative location to the TSPs’ primary location.
• From the institution’s alternative location to the TSPs’ alternative location.

Determine if institution management has assessed the adequacy of the TSP’s business continuity program through its vendor management program (e.g., contract requirements, vendor reviews, etc.).

CONCLUSIONS
Objective: Discuss corrective action and communicate findings.

Time Task Initial Index

From the procedures performed, perform the following actions:
• Document conclusions related to the quality and effectiveness of the business continuity process.
• Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors when determining the scope of the business continuity procedures.

Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
• Violations of laws, rulings and regulations.
• Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.
• The potential impact of your conclusions on composite and component ratings.

Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies.

Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination.

Organize work papers to ensure clear support for significant findings and conclusions.

FINAL STEPS

Time Task Initial Index

Review preliminary results with management.

Issue a final report.

BUSINESS CONTINUITY MANAGEMENT AUDIT WORK PROGRAM: SAMPLE 2

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

Examination Objective: Determine the quality and effectiveness of the organization’s business continuity planning process. These procedures will disclose the adequacy of the planning process for the organization to maintain, resume and recover operations after disruptions ranging from minor outages to full-scale disasters. This work program can be used to assess the adequacy of the business continuity planning process enterprisewide or across a particular line of business. Depending on the examination objectives, a line of business can be selected to sample how the organization’s continuity planning process works on a micro-level or for a particular business function or process.

This work program is intended to be comprehensive and assist examiners in determining the effectiveness of a financial institution’s business continuity planning process. However, examiners may choose to use only particular components of the work program based on the size, complexity and nature of the institution’s business.

The objectives and procedures are divided into Tier I and Tier II:
• Tier I assesses an institution’s process for identifying and managing risks.
• Tier II provides additional verification where risk is evident.

Tier I and Tier II objectives and procedures are intended to be a toolset examiners may use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.

Review Process: For each review area, process owners must document the status of each control objective listed in the audit steps. The maturity of each control must be ranked according to the scale detailed below. Once the process has been completed and submitted to management, management can create a remediation plan to address each of the items.

Maturity Model

The scale is based on the Capability Maturity Model with generic definitions from COBIT.

0 Non-Existent: Recognizable processes are completely lacking. The enterprise has not even recognized
that there is an issue to be addressed.

1 Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be
addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that
tend to be applied individually or case-by-case.


2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed
by different people undertaking the same task. There is no formal training or communication of standard
procedures, and responsibility is left to the individual. Individual knowledge is relied on heavily and,
therefore, errors are likely.

3 Defined Process: Procedures have been standardized and documented and communicated through
training. It is mandated that these processes should be followed; however, it is unlikely that deviations will
be detected. The procedures themselves are not sophisticated but are the formalization of existing
practices.

4 Managed and Measurable: Management monitors and measures compliance with procedures and takes
action where processes appear to not be working effectively. Processes are under constant improvement
and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimized: Processes have been refined to a level of good practice, based on the results of continuous
improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the
workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

TIER I OBJECTIVES AND PROCEDURES

Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program.

Audit Steps Status Maturity Action Plan

Review past reports for outstanding issues or previous problems. Consider the following:
• Pre-examination planning memos.
• Prior regulatory examination reports.
• Prior work paper examinations.
• Internal and external audit reports, including SAS 70 reports.
• Business continuity test results.
• The organization’s overall risk assessment and profile.

Review management’s response to issues raised since the last examination. Consider the following:
• The adequacy and timing of corrective action.
• Resolution of root causes rather than just specific issues.
• The existence of any outstanding issues.
• Monitoring systems used to track the implementation of ongoing recommendations.

Interview management and review the business continuity request information to identify:
• Any significant changes in business strategy or activities that could affect the business recovery process.
• Any material changes in the audit program, scope or schedule related to business continuity activities.
• IT environments and changes to configuration or components.
• Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendors.
• Any other internal or external factors that could affect the business continuity process.

Determine management’s consideration of newly identified threats and vulnerabilities to the organization’s business continuity process. Consider the following risks:
• Technological and security vulnerabilities.
• Internally identified threats.
• Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state and federal agencies).

Establish the scope of the examination by focusing on factors that present the greatest degree of risk to the institution or service provider.

Objective 2: Determine the quality of business continuity plan oversight and support provided by the board of
directors and senior management.

Audit Steps Status Maturity Action Plan

Determine whether the board has established an ongoing, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization’s business continuity strategy, which is the ability to recover, resume and maintain all critical business functions.

Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program.

Determine whether the board and senior management have ensured that integral groups are involved in the business continuity process (e.g., business line management, risk management, IT, facilities management, and audit).

Determine whether the board and senior management have established an enterprisewide BCP and testing program that addresses and validates the continuity of the institution’s mission-critical operations.

Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program and testing results at least annually and document these reviews in the board minutes.

Determine whether the board and senior management oversee the timely revision of the BCP and testing program, based on problems noted during testing and changes in business operations.

Objective 3: Determine whether an adequate business impact analysis (BIA) and risk assessment have been
completed.

Audit Steps Status Maturity Action Plan

Determine whether the workflow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment.

Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate.

Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, cost and recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime.

Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities and services provided by third parties, including:
• Natural events, such as fires, floods, severe weather, air contaminants and hazardous spills.
• Technical events, such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions.
• Malicious activity, including fraud, theft, or blackmail; sabotage; vandalism and looting; and terrorism.
• Pandemics.

Verify that reputation, operational, compliance and other risks that are relevant to the institution are considered in the BIA and risk assessment.

Objective 4: Determine whether appropriate risk management over the business continuity process is in place.

Audit Steps Status Maturity Action Plan

Determine whether adequate risk mitigation strategies have been considered for:
• Alternate locations and capacity for the following:
− Data centers and computer operations
− Back room operations
− Work locations for business functions
− Telecommunications and remote computing
• Backup of the following items:
− Data
− Operating systems
− Applications
− Utility programs
− Telecommunications
• Secure and up-to-date off-site storage of:
− Backup media
− Supplies
− BCP
− System documentation (e.g., topologies; inventory listing; firewall, router, and network configurations; operating procedures)
• Alternate power supplies (e.g., uninterruptible power source, backup generators).
• Data recovery (e.g., backlogged transactions, reconciliation procedures).
• Preparation for return to normal operations once the permanent facilities are available.

Determine whether satisfactory consideration has been given to geographic diversity for the following:
• Alternate facilities
• Alternate processing locations
• Alternate telecommunications
• Alternate staff
• Off-site storage


Verify that appropriate policies, standards and processes address business continuity planning issues, including:
• Security
• Project management
• The change control process
• Data synchronization, backup and recovery
• Crisis management (responsibility for disaster declaration and dealing with outside parties)
• Incident response
• Remote access
• Employee training
• Notification standards (employees, customers, regulators, vendors, service providers)
• Insurance
• Government and community coordination

Determine whether personnel are regularly trained for their specific responsibilities under the plan(s) and whether emergency procedures are posted in prominent locations throughout the facility.

Determine whether the continuity strategy addresses interdependent components, including:
• Utilities
• Telecommunications
• Third-party technology providers
• Key suppliers/business partners
• Internal systems and business processes

Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following:
• Designation of personnel who are responsible for maintaining changes in processes, personnel and environment(s).
• Timely distribution of revised plans to personnel.

Determine whether audit involvement in the business continuity program is effective, including:
• Audit coverage of the business continuity program
• Assessment of business continuity preparedness during line(s) of business reviews
• Audit participation in testing as an observer and as a reviewer of test plans and results
• Documentation of audit findings

Objective 5: Determine the existence of an appropriate enterprisewide business continuity plan (BCP).

Audit Steps Status Maturity Action Plan

Review and verify that the written BCP addresses the following:
• The recovery of each business unit/department/function/application:
− Priority ranking in the risk assessment is used.
− Interdependencies among systems are considered.
− Long-term recovery arrangements are considered.
• The recovery of vendors and outsourcing arrangements.
• The following are considered:
− Personnel
− Communications with employees, emergency personnel, regulators, vendors/suppliers, customers and the media
− Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities)
− Vendor ability to service a contracted customer base in the event of a major disaster or regional event
− Facilities
− Liquidity
− Security
− Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster)
− Manual operating procedures
• Emergency preparedness and crisis management aspects that:
− Include an accurate contact tree as well as primary and emergency contact information for communicating with employees, service providers, vendors, regulators, municipal authorities and emergency response personnel.
− Define responsibilities and decision-making authorities for designated teams or staff members.
− Explain actions to perform in specific emergencies.
− Define the conditions under which the backup site would be used.
− Include procedures in place for notifying the backup site.
− Designate a knowledgeable public relations spokesperson.
− Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.).

Objective 6: Determine whether the BCP includes appropriate hardware backup and recovery.

Audit Steps Status Maturity Action Plan

Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery.

If the organization is relying on in-house systems at separate physical locations to recover, verify that the equipment is capable of independently processing all critical applications.

If the organization is relying on outside facilities for recovery, determine whether the recovery site can perform the following actions:
• Process the required volume.
• Provide sufficient processing time for the anticipated workload based on emergency priorities.
• Remain available until the institution achieves full recovery from the disaster and resumes activity at the institution’s facilities.

Determine how the recovery facility’s customers would be accommodated if several of them were to experience disaster conditions during the same period.

Determine whether the organization ensures that when a change (e.g., hardware or software upgrades or modifications) occurs in the production environment, a process is in place to make or verify a similar change in each alternate recovery location.

Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization’s software or its recovery plan(s).

Objective 7: Determine that the BCP includes appropriate security procedures.

Audit Steps Status Maturity Action Plan

Determine whether adequate physical security and access controls exist over data backups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded and destroyed.

Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility.

Determine whether the intrusion detection and incident response plans consider facility and systems changes that may exist when alternate facilities are used.

Determine whether the methods by which personnel are granted temporary access (physical and logical) during the continuity planning implementation period are reasonable.

Evaluate the extent to which backup personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and whether these changes require a revision to systems, data and facilities access.

Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include business continuity planning responsibilities.

Objective 8: Determine whether the BCP effectively addresses pandemic issues.

Audit Steps Status Maturity Action Plan

Determine whether the board or a committee thereof and senior management provide appropriate oversight of the institution’s pandemic preparedness program.

Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding and recovering.

Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization:
• A preventative program is included to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event, including monitoring potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees.
• A documented strategy is created that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States and first cases within the organization itself.
• A comprehensive framework of facilities, systems or procedures is created that provides the organization the capability to continue its critical operations if many of the institution’s staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting or conducting operations from alternative sites.
• A testing program is developed to better ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.
• An oversight program is included to ensure ongoing reviews and updates to the pandemic plan so that policies, standards and procedures include up-to-date, relevant information provided by governmental sources or by the institution’s monitoring program.

Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis.

Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress of a particular stage of an outbreak.

Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues:
• Critical service providers
• Key financial correspondents
• Customers
• Media representatives
• Local, state, and federal agencies
• Regulators

Determine whether the BCP incorporates management’s analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic.

Determine whether the BCP includes continuity plans and other mitigating controls (e.g., social distancing, teleworking, functional cross-training and conducting operations from alternative sites) to sustain critical internal and outsourced operations if large numbers of staff are unavailable for long periods.

Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic.

Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic.

Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include:
• Stress testing online banking, telephone banking, and ATM and call center capacity to handle increased customer volumes.
• Telecommuting to simulate and test remote access.
• Internal and external communications processes and links.
• Tabletop operations exercises.
• Local, regional or national testing/exercises.

Objective 9: Determine whether the BCP addresses critical outsourced activities.

Audit Steps Status Maturity Action Plan

Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at the institution.

Determine whether the BCP addresses communications and connectivity with TSPs if a disruption of any of the service provider’s facilities occurs.

Determine whether there are documented procedures in place for accessing, downloading and uploading information with TSPs, correspondents, affiliates and other service providers from primary and recovery locations in the event of a disruption.

Determine whether the institution has a copy of the TSP’s BCP and incorporates it, as appropriate, into its plans.

Determine whether management has received and reviewed testing results of their TSPs.

When testing with the critical service providers, determine whether management considered testing:
• From the institution’s primary location to the TSP’s alternative location.
• From the institution’s alternative location to the TSP’s primary location.
• From the institution’s alternative location to the TSP’s alternative location.

Determine whether institution management has assessed the adequacy of the TSP’s business continuity program through its vendor management program (e.g., contract requirements, SAS 70 reviews).

Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the financial institution’s
ability to meet its continuity objectives.

Audit Steps Status Maturity Action Plan

Testing Policy

Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions and crisis management.

Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program.

Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity.

Testing Strategy

Determine whether the institution has a business continuity testing strategy that includes documented test plans, their related testing scenarios, testing methods, and testing schedules and addresses expectations for mission-critical business lines and support functions, including:
• Testing program scope and detail level.
• Staff, technology and facilities involvement.
• Testing expectations for internal and external interdependencies.
• An evaluation of the reasonableness of assumptions used in developing the testing strategy.

Determine whether the testing strategy articulates management’s assumptions and whether the assumptions (e.g., available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives.

Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third parties.

Determine whether the strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy and regulatory guidelines.

Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results and reporting.

Determine whether the testing strategy includes testing the effectiveness of an institution’s crisis management process for responding to emergencies, including:
• Roles and responsibilities of crisis management group members.
• Risk assumptions.
• The crisis management decision process.
• Coordination with business lines, IT, internal audit and facilities management.
• Communication with internal and external parties using diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites).
• Notification procedures to follow for internal and external contacts.

Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel.

Execution, Evaluation and Retesting

Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process and whether the test results demonstrate the readiness of employees to achieve the institution’s recovery and resumption objectives (e.g., the sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data).

Determine whether test results are analyzed and compared against stated objectives, test issues are assigned ownership, a mechanism is developed to prioritize test issues, test problems are tracked until resolution, and recommendations for future tests are documented.

Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor).

Determine whether an appropriate level of retesting is conducted in a timely fashion to address test problems or failures.
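Objective 3 asks the BIA to state maximum allowable downtime, RTOs, RPOs and the critical path for each function, and the execution and evaluation steps above ask that test results be compared against those stated objectives, prioritized and assigned an owner. The following Python is an added example (not part of this work program or the FFIEC guidance) of how an auditor might automate both checks: it validates a BIA for internal consistency and then compares measured test results against its RTOs and RPOs. All function names, data classes and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BiaEntry:
    """One BIA row: a business function and its stated recovery objectives."""
    function: str
    priority: int                      # 1 = critical path (highest priority)
    mad: timedelta                     # maximum allowable downtime
    rto: timedelta                     # recovery time objective
    rpo: timedelta                     # recovery point objective (tolerable data loss)
    depends_on: Tuple[str, ...] = ()   # interdependencies on other BIA functions


@dataclass(frozen=True)
class TestResult:
    """Measured outcome of one continuity test for a business function."""
    function: str
    recovery_time: timedelta           # elapsed time until the function resumed
    data_loss: timedelta               # age of the newest transaction recovered
    owner: Optional[str] = None        # person assigned to any resulting test issue


@dataclass(frozen=True)
class Finding:
    function: str
    severity: str                      # "critical" on the critical path, else "high"
    issue: str
    owner: Optional[str]


def validate_bia(entries: List[BiaEntry]) -> List[str]:
    """Check the BIA for internal consistency before judging test results."""
    by_name: Dict[str, BiaEntry] = {e.function: e for e in entries}
    problems: List[str] = []
    for e in entries:
        if e.rto > e.mad:
            problems.append(f"{e.function}: RTO {e.rto} exceeds MAD {e.mad}")
        for dep in e.depends_on:
            if dep not in by_name:
                problems.append(f"{e.function}: depends on {dep}, which is not in the BIA")
            elif by_name[dep].priority > e.priority:
                # A dependency ranked less critical than the function that needs it
                # means the priority ranking was not carried through interdependencies.
                problems.append(f"{e.function}: priority {e.priority} but depends on "
                                f"{dep} with lower priority {by_name[dep].priority}")
    return problems


def evaluate_tests(entries: List[BiaEntry], results: List[TestResult]) -> List[Finding]:
    """Compare test results with stated RTO/RPO; an untested function is a finding too."""
    by_function: Dict[str, TestResult] = {r.function: r for r in results}
    findings: List[Finding] = []
    for e in entries:
        sev = "critical" if e.priority == 1 else "high"
        r = by_function.get(e.function)
        if r is None:
            findings.append(Finding(e.function, sev, "not exercised in the test cycle", None))
            continue
        if r.recovery_time > e.rto:
            findings.append(Finding(e.function, sev,
                                    f"recovery took {r.recovery_time}, RTO is {e.rto}", r.owner))
        if r.data_loss > e.rpo:
            findings.append(Finding(e.function, sev,
                                    f"data loss {r.data_loss} exceeds RPO {e.rpo}", r.owner))
    # Order test issues by the BIA priority ranking so the critical path comes first.
    prio = {e.function: e.priority for e in entries}
    findings.sort(key=lambda f: (prio[f.function], f.function))
    return findings


def unassigned(findings: List[Finding]) -> List[str]:
    """Functions whose test issues have no owner and so cannot be tracked to resolution."""
    return sorted({f.function for f in findings if f.owner is None})


# Constructed sample BIA and test results (illustrative values, not from the work program).
H, M = timedelta(hours=1), timedelta(minutes=1)
SAMPLE_BIA = [
    BiaEntry("network", 1, 4 * H, 1 * H, 0 * M),
    BiaEntry("core_banking", 1, 4 * H, 2 * H, 15 * M, ("network",)),
    BiaEntry("wire_transfers", 1, 2 * H, 1 * H, 5 * M, ("core_banking",)),
    BiaEntry("reporting", 2, 24 * H, 36 * H, 4 * H, ("data_warehouse",)),  # RTO > MAD; unknown dependency
    BiaEntry("mobile_app", 1, 4 * H, 2 * H, 15 * M, ("reporting",)),      # critical path depends on priority 2
    BiaEntry("hr_payroll", 3, 72 * H, 48 * H, 24 * H),
]
SAMPLE_RESULTS = [
    TestResult("network", 45 * M, 0 * M, "Network Ops"),
    TestResult("core_banking", 150 * M, 10 * M, "IT Ops"),   # misses its 2h RTO
    TestResult("wire_transfers", 50 * M, 20 * M),            # misses its 5 min RPO; no owner
    TestResult("reporting", 30 * H, 3 * H, "Data Team"),
    TestResult("mobile_app", 90 * M, 5 * M, "Digital"),
    # hr_payroll was never tested in this cycle
]

if __name__ == "__main__":
    for p in validate_bia(SAMPLE_BIA):
        print("BIA inconsistency:", p)
    for f in evaluate_tests(SAMPLE_BIA, SAMPLE_RESULTS):
        print(f"[{f.severity}] {f.function}: {f.issue} (owner: {f.owner or 'UNASSIGNED'})")
    print("unassigned test issues:", unassigned(evaluate_tests(SAMPLE_BIA, SAMPLE_RESULTS)))
```

Against the sample data the BIA check reports three inconsistencies and the test evaluation produces three findings, two of them on the critical path, with two lacking an owner.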

Testing Expectations for Core Firms and Significant Firms


Note: The following testing expectations only apply to core and significant firms as defined by interagency
guidelines.
Core firms are defined as organizations that perform core clearing and settlement activities in critical financial
markets. Significant firms are defined as organizations that process a significant share of transactions in critical
financial markets.

Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards.

Determine the extent to which core and significant firms have demonstrated through testing or routine use that they can recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards.

Determine whether core and significant firms’ strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities.

Determine that backup sites can support typical payment and settlement volumes for an extended period.

Determine that backup sites are fully independent of the critical infrastructure components that support the primary sites.

Determine whether the tests validate the core and significant firms’ backup arrangements to ensure that:
• Trained employees are located at the backup site at the time of disruption.
• Backup site employees are independent of the staff located at the primary site at the time of disruption.
• Backup site employees can recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance.

Determine that the test assumptions are appropriate for core and significant firms and consider:
• Primary data centers and operations facilities that are completely inoperable without notice.
• Staff members at primary sites, who are located at both data centers and operations facilities, that are unavailable for an extended period.
• Other organizations in the immediate area that are also affected.
• Infrastructure (power, telecommunications, transportation) that is disrupted.
• Whether data recovery or reconstruction necessary to restart payment and settlement functions can be completed within the timeframes defined by the BCP and applicable industry standards.
• Whether continuity arrangements continue to operate until all pending transactions are closed.

For Core Firms

Determine whether the core firm’s testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed backup sites within a reasonable time frame.

For Significant Firms

Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers.

Determine whether the significant firm’s external testing strategy includes testing from the significant firm’s backup sites to the core firms’ backup sites.

Determine whether the significant firm meets the testing requirements of applicable core firms.

Determine whether the significant firm participates in “street” or market-wide tests sponsored by core firms, markets or trade associations that test the connectivity from alternate sites and include transaction, settlement, and payment processes to the extent practical.

Objective 11: Discuss corrective action and communicate findings.

Audit Steps Status Maturity Action Plan

From the procedures performed:
• Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures.
• Document conclusions related to the quality and effectiveness of business continuity procedures.
• Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors when determining the scope of the business continuity procedures.
• Determine conclusions regarding the testing program and whether it is appropriate for the size, complexity and risk profile of the institution.
• Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC and applicable regulatory authorities.

Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
• Law, rulings and regulation violations.
• Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.
• The potential impact of your conclusions on composite and component ratings.

Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies.

Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the report of examination.

Organize and document your work papers to ensure clear support for significant findings and conclusions.

TIER II OBJECTIVES AND PROCEDURES


Tier II objectives and examination procedures may be used to provide additional verification of the effectiveness
of business continuity planning or identify potential root causes for weaknesses in the business continuity
program. These procedures may be used in their entirety or selectively, depending on the scope of the
examination and the need for additional verification. Examiners should coordinate this coverage with other
examiners to avoid duplication of effort while reviewing various issues found in other work programs.

The procedures provided in this section should not be construed as requirements for control implementation. The
selection of controls and control implementation should be guided by the risk profile of the institution. Therefore,
the controls necessary for any single institution or any given area may differ from those noted in the following
procedures.

Objective 1: Determine whether the testing strategy addresses various event scenarios, including potential
issues encountered during a wide-scale disruption:

Audit Steps Status Maturity Action Plan

Determine whether the strategy addresses staffing considerations, including:
• The ability to perform transaction processing and settlement.
• The ability to communicate with key internal and external stakeholders.
• The ability to reconcile transaction data.
• The accessibility, rotation and cross-training of staff necessary to support critical business operations.
• The ability to relocate or engage staff from alternate sites.
• Staff and management succession plans.
• Staff access to key documentation (plans, procedures, and forms).
• The ability to handle increased workloads supporting critical operations for an extended period.

Determine whether the strategy addresses technology considerations, including:
• Testing the data, systems, applications and telecommunications links necessary for supporting critical financial markets.
• Testing critical applications, recovering data, failover of the network and resilience of telecommunications links.
• Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity.
• Testing disruption events affecting connectivity, capacity and integrity of data transmission.
• Testing recovery of data lost when switching to out-of-region, asynchronous backup facilities.

Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including:
• Environmental controls: The adequacy of backup power generators; heating, ventilation and air conditioning (HVAC) systems; mechanical systems; and electrical systems.
• Workspace recovery: The adequacy of floor space, desktop computers, network connectivity, email access and telephone service.
• Physical security facilities: The adequacy of physical perimeter security, physical access controls, protection services and video monitoring.

Objective 2: Determine if test plans adequately complement testing strategies.

Audit Steps Status Maturity Action Plan

Scenarios: Test Content

Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution’s testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time.

Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including:
• Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services.
• Tests of the ability to support peak transaction volumes from backup facilities for extended periods.

Determine that the test scenarios reflect key interdependencies. Consider the following:
• Do plans include clients and counterparties that pose significant risks to the institution, and are periodic connectivity tests performed from their primary and contingency sites to the institution’s primary and contingency sites?
• Do plans test capacity and data integrity capabilities using simulated transaction data?
• Do plans include testing or modeling backup telecommunications facilities and devices to ensure that key internal and external parties are available?

Plans: How the Institution Conducts Testing

Determine that the test plans and test scripts are documented and reflect the testing strategy, that they encompass all critical business and supporting systems and that they provide test participants with the information necessary to conduct tests of the institution’s continuity plans, including:
• Participants’ roles and responsibilities, defined decision makers and rotation of test participants.
• Assigned command center and assembly locations.
• Test event dates and time stamps.
• Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of test and extent of testing (e.g., connectivity, interoperability, transaction, capacity).
• Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and reference to manual workaround processes as needed.
• Detailed information regarding the critical platforms, applications and business processes to be recovered.
• Detailed schedules to complete each test.
• A summary of test results (e.g., based on goals and objectives, successes and failures and deviations from test plans or test scripts) using quantifiable measurement criteria.

BUSINESS CONTINUITY MANAGEMENT AUDIT WORK
PROGRAM: SAMPLE 3

EXAMINATION OBJECTIVE
Assess the quantity of risk and the effectiveness of the institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity and availability of information and to instill accountability for actions taken on the institution’s systems. The objectives and procedures are divided into Tier I and Tier II:
• Tier I assesses an institution’s process for identifying and managing risks.
• Tier II provides additional verification where risk warrants it.

Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their
particular examination. Examiners should use these procedures as necessary to support examination objectives.

Internal audit provided a maturity ranking for each of the audit steps listed in the eight objectives of the FFIEC
standard. Internal audit used the Capability Maturity Model scale for ranking each audit step. The scale is
provided below with generic definitions from COBIT 4.1.

Maturity Model

The scale is based on the Capability Maturity Model with generic definitions from CobiT 4.1.
Level 0, Nonexistent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
Level 1, Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach.
Level 2, Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
Level 3, Defined Process: Procedures have been standardized and documented and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
Level 4, Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide best practices. Automation and tools are used in a limited or fragmented way.
Level 5, Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

33 Source: www.knowledgeleader.com
OBJECTIVE 1: DETERMINE THE APPROPRIATE SCOPE FOR THE EXAMINATION.

Audit Steps Status Maturity Recommendations


Review past reports for outstanding issues or previous
problems. Consider:
• Regulatory reports of examination
• Internal and external audit reports
• Independent security tests
• Regulatory, audit and security reports from service
providers
Review management’s response to issues raised at the
last examination. Consider:
• Adequacy and timing of corrective action
• Resolution of root causes rather than just specific
issues
• Existence of any outstanding issues
Interview management and review examination
information to identify changes to the technology
infrastructure or new products and services that might
increase the institution’s risk from information security
issues. Consider:
• Products or services delivered to either internal or
external users
• Network topology, including changes to configuration
or components
• Hardware and software listings
• Loss or addition of key personnel
• Technology service providers and software vendor
listings
• Changes to internal business processes
• Key management changes
• Internal reorganizations
Determine the existence of new threats and vulnerabilities
to the institution’s information security. Consider:
• Changes in technology employed by the institution
• Threats identified by institution staff
• Known threats identified by information sharing and
analysis organizations and other nonprofit and
commercial organizations
• Vulnerabilities raised in security testing reports

OBJECTIVE 2: DETERMINE THE COMPLEXITY OF THE INSTITUTION’S INFORMATION
SECURITY ENVIRONMENT.

Audit Steps Status Maturity Recommendations


Review the degree of reliance on service providers for
information processing and technology support, including
security management. Review evidence that service
providers of information processing and technology
participate in an appropriate industry Information Sharing
and Analysis Center (ISAC).
Identify unique products and services and any required
third-party access requirements.
Determine the extent of network connectivity internally and
externally and the boundaries and functions of security
domains.
Identify the systems that have recently undergone
significant changes, such as new hardware, software,
configurations and connectivity. Correlate the changed
systems with the business processes they support, the
extent of customer data available to those processes and
the role of those processes in funds transfers.
Evaluate management’s ability to control security risks
given the frequency of changes to the computing
environment.
Evaluate security maintenance requirements and the
extent of historical security issues with installed
hardware/software.
Identify whether external standards are used as a basis
for the security program and the extent to which
management tailors the standards to the financial
institution’s specific circumstances.
Determine the size and quality of the institution’s security
staff. Consider:
• Appropriate security training and certification
• Adequacy of staffing levels and impact of any turnover
• Extent of background investigations
• Available time to perform security responsibilities

OBJECTIVE 3: DETERMINE THE ADEQUACY OF THE RISK ASSESSMENT PROCESS.

Audit Steps Status Maturity Recommendations


Review the risk assessment to determine whether the
institution has characterized its system properly and
assessed the risks to information assets. Consider
whether the institution has:
• Identified and ranked information assets (e.g., data,
systems, physical locations) according to a rigorous
and consistent methodology that considers the risks to
customer nonpublic information as well as the risks to
the institution
• Identified all reasonably foreseeable threats to the
financial institution assets
• Analyzed its technical and organizational vulnerabilities
• Considered the potential effect of a security breach on
customers as well as the institution
Determine whether the risk assessment provides
adequate support for the security strategy, controls and
monitoring that the financial institution has implemented.
Evaluate the risk assessment process for the
effectiveness of the following key practices:
• Multidisciplinary and knowledge-based approach
• Systematic and centrally controlled
• Integrated process
• Accountable activities
• Documented
• Knowledge enhancing
• Regularly updated
Identify whether the institution effectively updates the risk
assessment prior to making system changes,
implementing new products or services, or confronting
new external conditions that would affect the risk analysis.
Identify whether, in the absence of the above factors, the
risk assessment is reviewed at least once a year.

OBJECTIVE 4: EVALUATE THE ADEQUACY OF SECURITY POLICIES AND STANDARDS
RELATIVE TO THE RISK TO THE INSTITUTION.

Audit Steps Status Maturity Recommendations


Review security policies and standards to ensure that they
sufficiently address the following areas when considering
the risks identified by the institution. If policy validation is
necessary, consider performing Tier II procedures.
• Authentication and Authorization
− An acceptable use policy that dictates the
appropriate use of the institution’s technology,
including hardware, software, networks and
telecommunications
− Administration of access rights at
enrollment, when duties change and at employee
separation
− Appropriate authentication mechanisms,
including token-based systems, digital certificates,
or biometric controls and related enrollment and
maintenance processes as well as database
security
• Network Access
− Security domains
− Perimeter protection, including firewalls,
malicious code prevention, outbound filtering and
security monitoring
− Appropriate application access controls
− Remote access controls, including
wireless, VPN, modems and internet-based
• Host Systems
− Secure configuration (hardening)
− Operating system access
− Application access and configuration
− Malicious code prevention
− Logging
− Monitoring and updating
• User Equipment
− Secure configuration (hardening)
− Operating system access
− Application access and configuration
− Malicious code prevention
− Logging
− Monitoring and updating
• Physical controls over access to hardware, software,
storage media, paper records and facilities
• Encryption controls
• Malicious code prevention
• Software development and acquisition, including
processes that evaluate the security features and
software trustworthiness of code being developed or
acquired, as well as change control and configuration
management
• Personnel security
• Media handling procedures and restrictions, including
procedures for securing, transmitting and disposing of
paper and electronic information
• Service provider oversight
• Business continuity
• Insurance
Evaluate the policies and standards against the following
key actions:
• Implementing through ordinary means, such as system
administration procedures and acceptable-use policies
• Enforcing with security tools and sanctions
• Delineating the areas of responsibility for users,
administrators and managers
• Communicating in a clear, understandable manner to
all concerned
• Obtaining employee certification that they have read
and understood the policy
• Providing flexibility to address changes in the
environment
• Conducting annually a review and approval by the
board of directors

OBJECTIVE 5: EVALUATE THE SECURITY-RELATED CONTROLS EMBEDDED IN VENDOR
MANAGEMENT.

Audit Steps Status Maturity Recommendations


Evaluate the sufficiency of security-related due diligence
in service provider research and selection.
Evaluate the adequacy of contractual assurances
regarding security responsibilities, controls and reporting.
Evaluate the appropriateness of nondisclosure
agreements regarding the institution’s systems and data.
Determine that the scope, completeness, frequency and
timeliness of third-party audits and tests of the service
provider’s security are supported by the financial
institution’s risk assessment.
Evaluate the adequacy of incident response policies and
contractual notification requirements in light of the risk of
the outsourced activity.

OBJECTIVE 6: DETERMINE THE ADEQUACY OF SECURITY MONITORING.

Audit Steps Status Maturity Recommendations


Obtain an understanding of the institution’s monitoring
plans and activities, including both activity monitoring and
condition monitoring.
Identify the organizational unit and personnel responsible
for performing the functions of a security response center.
Evaluate the adequacy of information used by the
security response center. Information should include
external information on threats and vulnerabilities (ISAC
and other reports) and internal information related to
controls and activities.
Obtain and evaluate the policies governing security
response center functions, including monitoring,
classification, escalation and reporting.
Evaluate the institution’s monitoring plans for
appropriateness given the risks of the institution’s
environment.
Where metrics are used, evaluate the standards used
for measurement, the information measures and
repeatability of measured processes, and
appropriateness of the measurement scope.
Ensure that the institution utilizes sufficient expertise to
perform its monitoring and testing.
For independent tests, evaluate the degree of
independence of the people testing security from the
people administering security.
Determine the timeliness of identification of vulnerabilities
and anomalies and evaluate the adequacy and timing of
corrective action.
Evaluate the institution’s policies and program for
responding to unauthorized access to customer
information, considering guidance in Supplement A to the
Section 501(b) GLBA information security guidelines.
If the institution experienced unauthorized access to
sensitive customer information, determine that it:
• Conducted a prompt investigation to determine the
likelihood the information accessed has been or will be
misused
• Notified customers when the investigation determined
misuse of sensitive customer information has occurred
or is reasonably possible
• Delivered notification to customers, when warranted,
by means the customer can reasonably be expected to
receive, including telephone, mail or electronic mail
• Appropriately notified its primary federal regulator

OBJECTIVE 7: EVALUATE THE EFFECTIVENESS OF ENTERPRISEWIDE SECURITY
ADMINISTRATION.

Audit Steps Status Maturity Recommendations


Review board and committee minutes and reports to
determine the level of senior management support of and
commitment to security.
Determine whether management and department heads
are adequately trained and sufficiently accountable for the
security of their personnel, information and systems.
Review security guidance and training provided to ensure
awareness among employees and contractors, including
annual certification that personnel understand their
responsibilities.
Determine whether security responsibilities are
appropriately apportioned among senior management,
front-line management, IT staff, information security
professionals and other staff, recognizing that some roles
must be independent of others.
Determine whether the individual or department
responsible for ensuring compliance with security policies
has sufficient position and authority within the organization
to implement the corrective action.
Evaluate the process used to monitor and enforce policy
compliance (e.g., granting and revocation of user rights).
Evaluate the adequacy of automated tools to support
secure configuration management, security monitoring,
policy monitoring, enforcement and reporting.
Evaluate management's ability to effectively control the
pace of change to its environment, including the process
used to gain assurance that changes to be made will not
pose undue risk in a production environment. Consider the
definition of security requirements for the changes,
appropriateness of staff training, quality of testing and
post-change monitoring.
Evaluate the coordination of incident response policies
and contractual notification requirements.
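One practical way to test the access-administration controls this work program asks about (the Objective 4 policy item on administration of access rights at enrollment, when duties change and at employee separation, and the Objective 7 step on monitoring and enforcing the granting and revocation of user rights) is to reconcile the HR roster against an export of the access system's accounts. The Python script below is an added example and is not part of the work program or of any referenced standard; the record layouts, the employee names and departments, the ROLE_ENTITLEMENTS map and the grace period are all constructed assumptions that an auditor would replace with the institution's own extracts and role model.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical record shapes: one HR roster entry and one access-system account.
@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    status: str                      # "active" or "separated"
    separated_on: Optional[date] = None

@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: FrozenSet[str]

# Hypothetical role model (assumption): the groups each department is entitled
# to hold. Any group beyond this set should have been revoked when duties changed.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "operations": frozenset({"ops-users"}),
    "finance": frozenset({"fin-users", "wire-approvers"}),
    "it": frozenset({"ops-users", "sysadmins"}),
}

Finding = Tuple[str, str, str]   # (user_id, finding type, detail)

def review_access(roster: List[Employee], accounts: List[Account],
                  as_of: date, grace_days: int = 1) -> List[Finding]:
    """Reconcile accounts against the HR roster and return sorted findings.

    Three control failures are tested, matching the policy areas in the work
    program: separation (account still enabled after the employee left),
    duties change (groups beyond the current role's entitlements) and
    enrollment (an account with no HR record behind it).
    """
    employees = {e.user_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = employees.get(acct.user_id)
        if emp is None:
            # Accounts nobody in HR owns (service or ghost accounts) need a
            # documented owner whether or not they are currently enabled.
            findings.append((acct.user_id, "no_hr_record",
                             "enabled" if acct.enabled else "disabled"))
            continue
        if emp.status == "separated":
            if acct.enabled and emp.separated_on is not None:
                days = (as_of - emp.separated_on).days
                # A short grace period covers the revocation workflow itself.
                if days > grace_days:
                    findings.append((acct.user_id, "separated_still_enabled",
                                     f"{days} days after separation"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(emp.department, frozenset())
        excess = acct.groups - allowed
        if excess:
            findings.append((acct.user_id, "excess_entitlement",
                             ",".join(sorted(excess))))
    return sorted(findings)

# Constructed sample data (not from the page).
AS_OF = date(2024, 3, 15)
SAMPLE_ROSTER = [
    Employee("alice", "finance", "active"),
    Employee("bob", "operations", "active"),        # transferred from finance
    Employee("carol", "it", "separated", date(2024, 3, 1)),
    Employee("dave", "operations", "separated", date(2024, 3, 14)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"fin-users", "wire-approvers"})),
    Account("bob", True, frozenset({"ops-users", "wire-approvers"})),
    Account("carol", True, frozenset({"ops-users", "sysadmins"})),
    Account("dave", True, frozenset({"ops-users"})),
    Account("svc-backup", True, frozenset({"sysadmins"})),
]

def run_sample() -> List[Finding]:
    return review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, AS_OF)

if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:12} {finding:26} {detail}")
```

On the constructed data the script flags bob (still holds wire-approvers after moving to operations), carol (enabled two weeks after separation) and svc-backup (no HR owner), while dave, separated the day before, falls inside the grace period and is not reported. Each finding type maps to one of the three access-administration events the policy is expected to cover, which makes the output directly usable as evidence for the Status and Maturity columns of the corresponding audit step; the grace period and the role model are the two parameters the auditor should agree with management before relying on the result.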

OBJECTIVE 8: DISCUSS CORRECTIVE ACTION AND COMMUNICATE FINDINGS.

Audit Steps Status Maturity Recommendations


Determine the need to proceed to Tier II procedures for
additional validation to support conclusions related to any
of the Tier I objectives.
Review your preliminary conclusions with the EIC
regarding:
• Violations of law, rulings, regulations, etc.
• Significant issues warranting inclusion as matters
requiring attention or recommendations in the report of
examination
• Potential impact of your conclusions on composite or
component IT ratings
• Potential impact of your conclusions on the institution’s
risk assessment
Discuss your findings with management and obtain
proposed corrective action for significant deficiencies.
Document your conclusions in a memo to the EIC that
provides report-ready comments for all relevant sections
of the report of examination and guidance to future
examiners.
Organize your work papers to ensure clear support for
significant findings by examination objective.
