Third Party Assessment Introduction Packet - Creditors Bar

Transcription

Third Party Assessment Introduction Packet
Version 2.0
7/22/2019

Table of Contents

Table of Contents ... 2
Purpose of Third Party Security Assessments ... 3
Third Party Assessment Process Overview ... 3
1. Vendor Participation Agreement ... 4
2. Intake Form & Scheduling ... 4
3. Kickoff Call ... 4
4. Assessment Questionnaire Completion ... 4
5. Assessment & Validation ... 4
6. Findings, Response, and Approval ... 5
7. Correction of Findings ... 5
Appendix A – FAQ ... 6
Appendix B – RSA Archer ... 7
RSA General Archer Information ... 7
Activating Archer Account ... 7
Completing the Assessment Questionnaire ... 8
Vendor Dashboard ... 8
Appendix C – Assessment Questionnaire ... 9

Purpose of Third Party Security Assessments

NCBA seeks to engage with the vendors that serve or intend to serve its members to provide a program that allows these vendors to demonstrate their internal control environment. Third Party Assessments seek to protect customers, third parties, and NCBA members through enforcement of best practices and create an open dialogue between the third party and NCBA for improving in the following areas:

Contracts
Human Resources
Information Security
Customer Contact (Phone Calls)
Physical/Environmental Security
Incident Reporting
Business Continuity & Disaster Recovery
Insurance

Third Party Assessment Process Overview

Process diagram (seven steps, in order):
1. Vendor Participation Agreement
2. Intake Form & Scheduling
3. Kickoff Call
4. Security Questionnaire Completion
5. Assessment and Validation
6. Findings, Responses, and Approval
7. Correction of Findings

1. Vendor Participation Agreement

NCBA will complete an internal process to determine which third parties are required to go through the assessment process. NCBA will work with the third parties to complete the Vendor Participation Agreement.

2. Intake Form & Scheduling

Crowe, a Third Party Assessments service provider to NCBA, will provide a link to the Intake Form to be completed in Crowe’s instance of RSA Archer. This Intake Form must be completed within 1 week of receiving the link.

Following the completion of the Intake Form, the vendor will select a date using the Acuity Scheduling link provided in the Assessment Notification Email. This will align you with an assessor who will reach out to schedule a kickoff call. Please choose an assessment date that gives the assessor at least 2 weeks to review responses prior to the date.

3. Kickoff Call

Crowe may arrange an introductory meeting to answer any questions you have about the process, to confirm the high-level understanding of your service and to set expectations for completion of the assessment. The start time of the assessment date will also be determined on this kickoff call.

Additionally, during the kickoff call you should have access to the full population of third parties, employees, and terminations for the assessor to select a random sample via the WebEx.

4. Assessment Questionnaire Completion

An Assessment questionnaire link will be issued via Crowe’s instance of the RSA Archer application through email (see Appendix A). The Assessment questionnaire must be completed within 2 weeks of receiving the link.

Please access the link and provide detail in your questionnaire responses, including any relevant supporting attachments (e.g. security reports, certifications, policies and procedures). NOTE: Please do NOT attach any PII within the Archer system.

Be sure to include copies of your latest external network, web application and/or mobile application penetration assessment(s).
These assessments must be performed by an independent third-party provider specializing in security penetration assessments.

5. Assessment & Validation

The Third Party Assessments team will review your responses and discuss any follow-ups and gaps during the assessment date chosen using the Acuity Scheduling link. Third Party Assessments may request additional supporting documentation or evidence.

A demo of your product may be requested in order for us to gain a further understanding of the security risks associated with your services.

6. Findings, Response, and Approval

Following an assessment, the Third Party Security Assessments team will issue findings from the assessment.

Once a finding has been issued and reviewed, you will provide your response and management plan for remediation directly through Archer.

A report will be created once all responses are provided. The report will be delivered to NCBA and the vendor.

7. Correction of Findings

As a vendor of NCBA members, you will be required to address any issues not meeting NCBA’s requirements.

At the request of NCBA, Crowe may work with you for a period of one year to track remediation of all findings from the assessment.

Appendix A – FAQ

We have a SOC 2 report, is that enough to forego an assessment?

While a SOC report is a helpful artifact to aid our assessment team in validating controls, it does not cover all of the controls that we are required to validate. We will map the SOC 2 Type 2 report to our controls and use the information where it matches our testing procedure, but additional documentation and validation will need to occur for what is not covered.

We have a SOC 1 report, is that enough to forgo the assessment?

Unfortunately, the SOC 1 report is primarily used for controls around financial reporting; therefore, we cannot use a lot of the attestation for our security assessment. Additionally, a type 1 and a type 2 differ in that a type 1 does not test the operating effectiveness of the control, only that the control is implemented. We require our testing procedure to match that of the attestation report in order to use it to validate our controls.

We have many services and applications that our organization offers, what is in scope for this assessment?

Any service provided to NCBA members is eligible to undergo the security assessment process. Please list the services and accompanying applications that your organization would like to be in scope and NCBA will confirm the appropriate coverage.

Appendix B – RSA Archer

RSA General Archer Information

Each Third Party will be sent an email providing your username and temporary password for accessing RSA Archer. This password will be changed at first log-in.

Expect a system-generated email from the RSA Archer system requiring response with a link to the applicable questionnaires. If not received, please confirm your appropriate contact information by emailing TPA@Crowe.com.

Activating Archer Account

Completing the Assessment Questionnaire

A direct link to the Assessment Questionnaire will be provided via an email notification from RSA Archer. Please complete all included sections, answering questions fully and attaching documentation where requested. Once all sections are complete, mark the questionnaire as ready to be submitted at the top of the screen.

Once marked “Yes”, click the button in the top right to submit the questionnaire.

Vendor Dashboard

A dashboard is available to see everything that you are assigned. If you cannot find a link to the Intake Form (TPEQ) or Assessment Questionnaire, you can find it on the dashboard.

Click the “Vendor” button in the top right to get to your dashboard. Below is how it will look. [Dashboard screenshot not reproduced in the transcription]

Appendix C – Assessment Questionnaire

Version 1.0
2/22/2019

Columns: Control # | Topic | Sub Topic | Control | Question | Test

Control #: Contracts.1.0
Topic: Contracts
Sub Topic: Vendor Contracts
Control: Subcontractor must have up-to-date contracts with all material vendors.
Question: Do you use vendors or subcontractors to support the services in scope for this assessment? If yes, please list all third parties that support that have access to systems or data for in scope […]
Test: Sample 3 contracts and validate that the following are included:
- Audit Rights
- Master Service Agreement/Service Legal Agreement Adherence
- Background Check requirements
- Existence of Business Continuity/DR Plan
- Physical and Data Security Requirements
- Minimum Insurance Requirements (document amount)
- Termination Rights

Control #: [not legible]
Topic: [not legible]
Sub Topic: [not legible]
Control: Employees with direct access to NPI have undergone a 10 year National Background […]
Question: Does your organization require employees with direct access to NPI to undergo background checks, including criminal, reference, SSN trace, etc.?
Test: Sample 5 employees to verify that they have undergone background checks.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Forms
Control: Organization appropriately stores and requires employees to complete I9/W-2
Question: Are all employees required to complete an I-9 or equivalent?
Test: Using the same 5 employees, request the completed I-9/W-2 forms and validate they are completed and being stored appropriately.

Control #: [not legible]
Topic: [not legible]
Sub Topic: Employee Handbook
Control: Employees are required to acknowledge an employee handbook or equivalent upon onboarding
Question: Are all employees required to provide written adherence to understanding company policies and acceptable use of devices?
Test: Using the same 5 employees, request signed versions of the employee handbook or equivalent.

Control #: IS.1.0
Topic: Information Security
Sub Topic: Information Security Program
Control: Organization has a documented and implemented Information Security […]
Question: Do you have an Information Security Policy that is reviewed and approved annually and communicated to the entire organization?
Test: Inspect the Information Security Program/Policy and validate that it has been reviewed in the past year and approved by management.

Control #: [not legible]
Topic: [not legible]
Sub Topic: [not legible]
Control: The Organization has a dedicated Information Security Organization responsible for implementing the program.
Question: Do you have a dedicated Information Security?
Test: Inspect an org chart for information security.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Architecture/Data Flow
Control: Vendor maintains an up-to-date network diagram and appropriate segmentation is in place (layers, DMZ, etc.).
Question: Do you have an up-to-date network diagram? Describe how data flows in and out of the environment and systems supporting NCBA members.
Test: Inspect a network diagram and determine if the architecture is appropriate (2-tier/3-tier, DMZs, etc.).

Control #: IS.4.0
Topic: Information Security
Sub Topic: Data in transit
Control: NCBA member data is transmitted to and from the vendor in a secure manner. Transport and/or data layer encryption is appropriately employed given data sensitivity.
Question: Is all data encrypted in transit?
Test: Inspect network diagram and data flow diagram and confirm that appropriate encryption is in place in transit.

Control #: IS.5.0
Topic: Information Security
Sub Topic: Intrusion Detection and Prevention
Control: Organization has implemented an IDS/IPS and logs are being sent to a SIEM and configured to alert.
Question: Has your organization implemented an IDS/IPS solution?
Test: Validate that an IDS/IPS has been implemented and logs are sent to a SIEM solution.

Control #: IS.6.0
Topic: Information Security
Sub Topic: Logging and Monitoring
Control: [not legible]
Question: Has your organization implemented a Security Information and Event Management (SIEM) solution?
Test: Validate that all critical systems are sending logs to a SIEM.

Control #: IS.7.0
Topic: Information Security
Sub Topic: Data at Rest
Control: Data flows specific to the vendor's solution appropriately secure data at rest.
Question: Is all data encrypted at rest?
Test: Validate that appropriate encryption is in place for data at rest. Document what is being used.

Control #: IS.8.0
Topic: Information Security
Sub Topic: Access Review Policies
Control: User access policies are in place that define how users are added, removed, and changed
Question: Do you have a documented process in place for user access, changes, […]
Test: Inspect Policy and validate that there is a process in place to provide access to in scope systems. Does this include administrative rights?

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Access
Control: Systems require role-based access based on users' job functions.
Question: Do the in scope systems employ role-based access?
Test: Review Policy or Role Matrix and validate that the systems use role-based access.

Control #: IS.10.0
Topic: Information Security
Sub Topic: Access Reviews
Control: User access is reviewed at least […]
Question: Are access reviews performed at least quarterly?
Test: Inspect policy and validate it requires quarterly access reviews. Inspect the last access review performed.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Policies
Control: User access policies include Terminations and require accounts to be disabled within 1 business day from all systems
Question: Do you have documented termination procedures in place?
Test: Ensure the policies and procedures for terminating employees include removal of physical and systems access within 1 business day. Select a sample of recent terms and verify their access is removed.

Control #: IS.12.0
Topic: Information Security
Sub Topic: Remote […]
Control: The Vendor properly secures remote access to its networks.
Question: Is remote access to the production environment appropriately secured?
Test: Validate that remote access is appropriately restricted and logged.

Control #: [not legible]
Topic: [not legible]
Sub Topic: [not legible]
Control: Passwords for the solution(s) provided to NCBA Member firms have been appropriately implemented to protect application data, including password length, strength, history, expiration.
- 8 character minimum
- At least two character sets required for password complexity
- Password reuse restricted
- Maximum password age/change interval of 90 days
- Account lockout enforced after no more than 3 incorrect attempts, and locks out until reset by an administrator
Question: Do Passwords for the solution(s) provided to NCBA Member firms meet the below requirements:
- 8 character minimum
- At least two character sets required for password complexity
- Password reuse restricted
- Maximum password age/change interval of 90 days
- Account lockout enforced after no more than 3 incorrect attempts, and locks out until reset by an administrator
Test: Inspect a screenshot of the password Policies for the solutions provided to NCBA member firms.

Control #: IS.13.1
Topic: Information Security
Sub Topic: Password […]
Control: For the solution(s) provided to NCBA Member firms, passwords are encrypted at rest, or hashed using a secure one-way cipher and salted
Question: Are passwords encrypted at rest for the in scope solutions?
Test: Validate that passwords are encrypted or hashed and salted.

Control #: […]0
Topic: Information Security
Sub Topic: [not legible]
Control: Multifactor authentication is used to strengthen communication controls for the solution(s) provided to NCBA Member firms, where appropriate.
Question: Is MFA required for access to all in scope solutions for general users?
Test: Determine if MFA is in place and document what is used.

Control #: [not legible]
Topic: [not legible]
Sub Topic: Shared […]
Control: The vendor does not allow shared accounts.
Question: Are all user accounts unique?
Test: Validate that all accounts are unique and no shared accounts are used for in scope systems.

Control #: [not legible]
Topic: [not legible]
Sub Topic: Email Requirements
Control: Users' access to email is restricted based on job function.
Question: Is access to email restricted based on business need?
Test: Review group policy or equivalent to determine that email is restricted by job function.

Control #: [not legible]
Topic: Information Security
Sub Topic: Email Data Loss Protection
Control: Appropriate DLP controls are in place to restrict exfiltration of sensitive data.
Question: Do you employ network based or host based DLP in the production environment?
Test: Validate that DLP controls are in place for outgoing email, including encrypted and unencrypted attachments.

Control #: [not legible]
Topic: Information Security
Sub Topic: Removable Media Restrictions
Control: Removable media is restricted
Question: Is removable media restricted from all users?
Test: Validate via Group Policy or equivalent that removable media is restricted.
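The password control above lists the settings an assessor expects to see in the vendor's password-policy screenshot, and IS.13.1 asks for salted one-way hashing of stored passwords. The following Python is an added illustration of those rules in a small account store; it is not part of the NCBA packet or the Crowe questionnaire. It enforces the 8-character minimum, two character sets, reuse restriction, 90-day maximum age, and lockout after 3 failed attempts that only an administrator reset clears, and it stores passwords as PBKDF2-HMAC-SHA256 digests with a per-password random salt. The history depth of 5, the choice of PBKDF2 with 100,000 rounds, the sample passwords, and all function names are assumptions; the questionnaire fixes none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Requirements taken from the questionnaire's password control.
MIN_LENGTH = 8
MIN_CHARSETS = 2
MAX_AGE = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 3
# Assumptions the packet does not fix: how many prior passwords "reuse
# restricted" covers, and which salted one-way function is used.
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000


def charset_count(password: str) -> int:
    """Number of distinct character classes present (lower, upper, digit, other)."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in classes)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash with a fresh random salt per password (IS.13.1)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hash(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # earlier (salt, digest)
    failed_attempts: int = 0
    locked: bool = False


def policy_violations(candidate: str, account: Optional[Account] = None) -> List[str]:
    """Return the requirements a proposed password fails; empty means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if charset_count(candidate) < MIN_CHARSETS:
        problems.append("fewer than two character sets")
    if account is not None:
        prior = [(account.salt, account.digest)] + account.history
        if any(verify_hash(candidate, s, d) for s, d in prior[:HISTORY_DEPTH]):
            problems.append("reuses a recent password")
    return problems


def create_account(password: str, now: datetime) -> Account:
    problems = policy_violations(password)
    if problems:
        raise ValueError(problems)
    salt, digest = hash_password(password)
    return Account(salt, digest, now)


def change_password(account: Account, candidate: str, now: datetime) -> List[str]:
    """Apply the change if it passes policy; otherwise return the violations."""
    problems = policy_violations(candidate, account)
    if problems:
        return problems
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_DEPTH:]
    account.salt, account.digest = hash_password(candidate)
    account.changed_at = now
    return []


def authenticate(account: Account, attempt: str, now: datetime) -> Tuple[bool, str]:
    """Check a login; enforces lockout after 3 failures and the 90-day maximum age."""
    if account.locked:
        return False, "locked until reset by an administrator"
    if not verify_hash(attempt, account.salt, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
        return False, "invalid password"
    account.failed_attempts = 0
    if now - account.changed_at > MAX_AGE:
        return False, "password expired"
    return True, "ok"


def admin_unlock(account: Account) -> None:
    """Only an administrator reset clears the lockout, as the control requires."""
    account.locked = False
    account.failed_attempts = 0


def demo() -> dict:
    """Walk one constructed account through reuse, expiry, lockout and unlock."""
    now = datetime(2019, 7, 22)
    acct = create_account("Winter2018!", now)
    out = {"reuse_blocked": change_password(acct, "Winter2018!", now)}
    out["changed"] = change_password(acct, "Spring2019!", now)
    out["old_rejected"] = change_password(acct, "Winter2018!", now)
    out["login_ok"] = authenticate(acct, "Spring2019!", now + timedelta(days=30))[0]
    out["expired"] = authenticate(acct, "Spring2019!", now + timedelta(days=91))[1]
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(acct, "wrong-guess", now)
    out["locked"] = acct.locked
    out["locked_reason"] = authenticate(acct, "Spring2019!", now)[1]
    admin_unlock(acct)
    out["after_unlock"] = authenticate(acct, "Spring2019!", now)[0]
    return out
```

An assessor reviewing a vendor's implementation would look for exactly these behaviours: the digest column is useless without the per-row salt, a correct password still fails once the 90-day interval has passed, and a locked account stays locked for the right password until an administrator intervenes.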

Control #: IS.18.0
Topic: Information Security
Sub Topic: Web Proxy
Control: Access to high risk sites like public file sharing sites is restricted
Question: Is access to high risk sites, including public cloud sharing sites (dropbox, […]
Test: Validate that a web content filter or web proxy is in place restricting access to sites like dropbox and box, personal email, etc.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Restrictions
Control: Internet is restricted to appropriate […]
Question: Do you restrict access to the internet based on business need?
Test: Validate that all users with internet access have a business need for it.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Access
Control: Users' administrative rights have been restricted unless required for business purposes
Question: Have local administrator rights been removed from all users except for business need?
Test: Validate that admin privileges have been restricted and that any users with admin access have been reviewed and approved. Confirm that users are restricted from changing configuration settings on their workstations, including AV and account lockout time.

Control #: IS.21.0
Topic: Information Security
Sub Topic: Full […]
Control: Full disk encryption is required for laptops and workstations
Question: Do you employ full disk encryption on all workstations and laptops?
Test: Inspect a screenshot showing full disk encryption.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Management
Control: The vendor has a documented vulnerability management program in place.
Question: Do you have a documented vulnerability management program in place?
Test: Validate that there is a documented vulnerability management program and inspect the most recent vulnerability scans and determine if there are any open high risk issues.

Control #: IS.23.0
Topic: Information Security
Sub Topic: Web Application Penetration Testing
Control: Web Application Penetration Testing has been performed on any web solution provided by the vendor. This includes unauthenticated and authenticated testing, performed both by internal resources and independent provider.
Question: Have you contracted with an independent third party to perform Web Application Penetration testing on the in scope applications?
Test: Inspect the most recent web application penetration test executive summary.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Penetration testing
Control: The vendor contracts with a reputable third-party to perform independent network penetration testing (internal and external) at least annually on all networks that contain or access NCBA Member data.
Question: Have you contracted with an independent third party to perform internal and external network Penetration testing on the production environment?
Test: Inspect the most recent internal, external penetration test executive summary.

Control #: IS.25.0
Topic: Information Security
Sub Topic: Mobile […]
Control: Mobile application penetration testing has been performed on any mobile application provided by the vendor. This includes unauthenticated and authenticated testing, performed by independent provider.
Question: Have you contracted with an independent third party to perform Mobile Application Penetration testing on the in scope applications?
Test: Inspect the most recent mobile app penetration test executive summary.

Control #: [not legible]
Topic: [not legible]
Sub Topic: Patch Management
Control: Servers are patched for operating system and major component updates upon patch release and evaluation. These practices are governed by a formal policy and/or procedure. Patches are applied in a timely fashion based on the significance of the vulnerability. Patches are applied in accordance with system change management standards.
Question: Do you have a Patch Management Policy in Place?
Test: Review the patch management policy and document the requirement on critical and security patches. Validate patches are current by looking at the patch console.

Control #: IS.27.0
Topic: Information Security
Sub Topic: Anti Virus
Control: Anti-virus software is used to protect all servers and workstations, per Supplier policy. No exceptions apply to any systems housing NCBA member data. Email and attachments are scanned by the mail server and blocked as appropriate
Question: Is anti-virus installed on all workstations and servers with updated signatures?
Test: Sample a workstation to verify that AV signatures are up to date.

Control #: IS.28.0
Topic: Information Security
Sub Topic: Device […]
Control: The Supplier's Information security program includes defined standards for operating system, application and network device security and hardening
Question: Do you have documented hardening guides for all devices?
Test: Inspect a sample of hardening guides.

Control #: [not legible]
Topic: [not legible]
Sub Topic: […] Program
Control: A defined systems development methodology has been formally implemented with policies, procedures and standards communicated and followed. This methodology includes programming standards to confirm that design and structure standards are followed (confirm the correct implementation of logic and algorithms, removal of unneeded content, as well as standards to prevent security weaknesses, like OWASP top ten vulnerabilities)
Question: Do you have a formally documented SDLC Program in place?
Test: Inspect the SDLC Policy and comment on the methodology and approach.

Control #: IS.30.0
Topic: Information Security
Sub Topic: Static and Dynamic Code Scans
Control: Static and dynamic code vulnerability analysis is performed on all code prior to implementation in production leveraging an industry standard code scanner.
Question: Do you perform static and dynamic code scanning on the entire code base?
Test: Validate static and dynamic scanning is occurring and document the tool names.

Control #: IS.31.0
Topic: Information Security
Sub Topic: Formal Approvals
Control: Formal approvals are captured at each stage of the development lifecycle (Requirements, Design, Testing, User Acceptance, Production rollout, etc.). When approvals are captured, it is clear who is approving, the date they are approving, and what they are approving.
Question: Do you require formal approvals at all stages of the development lifecycle?
Test: Inspect a ticket to determine that approvals happen before pushing code to production.

Control #: CC.1.0
Topic: Customer Contact Phone Calls (ONLY if phone calls are made)
Sub Topic: Recordings
Control: All calls are recorded and stored securely for 3 years
Question: Are all calls recorded and stored for 3 years?
Test: Validate that all calls, both inbound and outbound, are recorded and stored securely. Document the retention and make sure it's 3 years by sampling 5 calls.

Control #: CC.1.1
Topic: Customer Contact Phone Calls (ONLY if phone calls are made)
Sub Topic: Recording Retrieval
Control: All call recordings can be obtained within 24 hours of request
Question: Can all call recordings be obtained within 24 hours of a request?
Test: Validate that all call recordings can be obtained within 24 hours of request.

Control #: CC.2.0
Topic: Customer Contact Phone Calls (ONLY if phone calls are made)
Sub Topic: Call auditing
Control: Organization has appropriate auditing procedures in place to ensure calls are audible
Question: Do you have auditing procedures in place to ensure recordings are audible?
Test: Inspect the most recent audit of phone calls and determine if any issues were identified.

Control #: CC.3.0
Topic: Customer Contact Phone Calls (ONLY if phone calls are made)
Sub Topic: Recording Policies
Control: A process is in place to handle customers that do not wish to be recorded
Question: Do you have a process in place to handle customers that do not wish to be recorded?
Test: Inspect the policy and validate that it covers customers that do not want to be recorded.

Control #: CC.4.0
Topic: Customer Contact Phone Calls (ONLY if phone calls are made)
Sub Topic: Call Recording failure
Control: A process is in place to handle recording failures.
Question: Do you have a process in place to handle recording failures?
Test: Validate that there is alerting in place to identify if a recording fails.

Control #: CC.5.0
Topic: Customer Contact Phone Calls (ONLY if phone calls are made)
Sub Topic: Independent assessment of call recording Requirements
Control: A process is in place to audit compliance with call recording requirements.
Question: Do you have a process in place to audit compliance with call recording requirements?
Test: Inspect last audit of call recording compliance.

Control #: IR.1.0
Topic: Incident Reporting
Sub Topic: Fraudulent Activity Monitoring
Control: Appropriate controls are in place to monitor user activity with systems containing sensitive data.
Question: Do you have controls in place to monitor user activity within systems containing sensitive data?
Test: Validate that technical controls are in place to log and alert on malicious activity and access.

Control #: IR.2.0
Topic: Incident Reporting
Sub Topic: Incident Response Policy
Control: A policy is in place that covers incident logging, roles, client communication.
Question: Do you have a documented incident management policy?
Test: Inspect the Incident Management Policy and validate it includes Roles, Logging of Incidents, and client communication.

Control #: IR.3.0
Topic: Incident Reporting
Sub Topic: Incident Logging
Control: Organization has an up to date log of all incidents
Question: Do you have a formal log of all incidents?
Test: Review the incident log and verify that the organization is centrally tracking incidents.

Control #: BCDR.1.0
Topic: Business Continuity (BCP) and Disaster Recovery (DR)
Sub Topic: Business Continuity and DR Plan/Policy
Control: A BCP and DR plan is in place that includes, but is not limited to:
- Weather
- Events / Natural Disaster
- Technical Failure (IT)
- Power Outages
- Cyber Events
- Unavailability of Workforce, Physical Site or Telecom functionality
Question: Do you have a documented BCP and DR plan?
Test: Inspect the BCP/DR plan and verify the below is covered:
- Weather
- Events / Natural Disaster
- Technical Failure (IT)
- Power Outages
- Cyber Events
- Unavailability of Workforce, Physical Site or Telecom functionality

Control #: BCDR.2.0
Topic: Business Continuity (BCP) and Disaster Recovery (DR)
Sub Topic: BCP/DR Plan
Control: Organization has a dedicated team in place to respond to BCP/DR events.
Question: Do you have a dedicated team in place to handle BCP/DR events?
Test: Confirm that there is a call tree and pick 3 names from it to confirm the persons are still employed by the company and contact information is correct.

Control #: BCDR.3.0
Topic: Business Continuity (BCP) and Disaster Recovery (DR)
Sub Topic: RTO/RPO
Control: The RTO/RPO is documented for each critical system
Question: What is the RTO/RPO for all in scope applications?
Test: Request the latest DR test and validate that RTO and RPO have been documented and meet the documented requirements.

Control #: BCDR.4.0
Topic: Business Continuity (BCP) and Disaster Recovery (DR)
Sub Topic: Critical Failure
Control: The BCP/DR plan includes a process for critical failure of a subcontractor
Question: Does your BCP Plan include a process to deal with critical failure of a subcontractor or vendor?
Test: Inspect the Policy and validate that it includes a process for critical failure of a subcontractor or vendor.

Control #: BCDR.5.0
Topic: Business Continuity (BCP) and Disaster Recovery (DR)
Sub Topic: BCP/DR Testing
Control: BCP/DR testing occurs annually, has appropriate coverage and is communicated to management
Question: Is your DR plan tested annually?
Test: Inspect the latest BCP/DR test and validate that there were no issues. Validate that it includes: power backup or call recording back up (if required). Validate that the results were documented and remediated and tracked. Validate that the results were shared with leadership.

Control #: PS.1.0
Topic: Physical Security
Sub Topic: Front Desk
Control: Organization has a receptionist present that issues name tags/IDs to all visitors.
Question: Does your organization have a receptionist or lobby attendant responsible for issuing name tags/visitor IDs at all locations?
Test: Walk through the facility and verify that there is a front desk with appropriate coverage and IDs provided to visitors.

Control #: PS.2.0
Topic: Physical Security
Sub Topic: Visitor Log
Control: The organization keeps appropriate records of visitors.
Question: Does your organization require visitors to sign a log?
Test: Validate that all visitors are required to sign into a visitor log upon entry and that the information is archived per best practices.

Control #: PS.3.0
Topic: Physical Security
Sub Topic: Badge Access
Control: The organization employs appropriate access controls on doors to secure areas.
Question: Does your organization have appropriate access controls in place on doors (badge readers)?
Test: Ensure that all sensitive areas (IR Room/Data Center) within the facility are secured and require restricted badge access.

Control #: PS.4.0
Topic: Physical Security
Sub Topic: Door Alarms
Control: The organization employs alarms at all doors; exterior, interior, secured rooms and fire doors activate alarms after no less than 90 seconds
Question: Are alarms installed on all entry and exit points to sensitive […]
Test: Review console to verify alarms are in place on access points.

Control #: [not legible]
Topic: [not legible]
Sub Topic: [not legible]
Control: Facilities and datacenters have appropriate CCTVs throughout and monitoring sensitive areas.
Question: Do you have CCTVs monitoring sensitive areas?
Test: Through a walk through verify that CCTVs are in appropriate areas and document the retention period of the tapes.

Control #: [not legible]
Topic: Physical Security
Sub Topic: Printing
Control: Organization has appropriate security controls around printers
Question: Do you have controls around leaving sensitive information in printers?
Test: Observe printers within the facility and validate that there is no sensitive data being left in the printer or that access cards are required for printing.

Control #: PS.7.0
Topic: Physical Security
Sub Topic: Shred Bins
Control: Organization requires clean desk, clear screen and has shred bins within the facility
Question: Do you have a clean desk, clear screen policy […]
Test: Validate that locked Shred Bins are on premise and inspect a certificate of destruction from the provider.

Control #: [not legible]
Topic: [not legible]
Sub Topic: [not legible]
Control: Vendor has appropriate insurance in place where required. General Liability, A&O, Cyber, Umbrella
Question: Please select all insurance policies that your organization has: General Liability, A&O, Cyber, Umbrella
Test: If they say yes, let's ask a follow up question asking them to attach the certificate, and defining the limits per occurrence and aggregate for each coverage type. For cyber liability, we should ask if their policy covers 1) Credit Monitoring for impacted parties 2) First Party Liability – Damages sustained by them directly 3) Third Party Liability – Damages sustained by their clients. We should provide a notes field for them to further describe their cyber coverage since this varies.
