This IT General Controls Catalogue contains a list of 98 controls (Excel format) with detailed descriptions, which can be adjusted to fit any complex IT environment in both the Financial Services and Corporate domains. The high-quality descriptions cover a range of newer control areas such as Robotics and BOTs.
CONTENT
1 Authentication & Authorization – Password and PIN Policy
2 Authentication & Authorization – Authentication and Authorization at Runtime
3 Authentication & Authorization – Monitoring for Certificate Expiration
4 Authentication & Authorization – Authentication Strength
5 Authentication & Authorization – Application Messaging and Data Transfer Security
6 Backup – Backup Integrity
7 Backup – Data Backup Requirements
8 Backup – Backup Monitoring
9 Backup – Backup Encryption
10 Capacity Management – Infrastructure Capacity Monitoring
11 Change & Release Management – Source Code and Configuration Management
12 Change & Release Management – Impact Assessment
13 Change & Release Management – Approval Prior to Deployment
14 Change & Release Management – Version Control
15 Data Governance – Attestation of Investment Banking Reference Data sourcing for Tier 1 applications
16 Entity Level Controls – Information Technology
17 EUA Governance – EUA Inventory Completeness Validation
18 EUA Governance – EUA Controls Compliance Validation
19 EUA Governance – EUA Inventory Reporting
20 EUA Governance – Communication of EUA Governance Requirements
21 EUA Governance – Semi-Annual CID scanning of SOX material and critical EUAs
22 IT Asset Management – IT Asset Inventory Management
23 IT Asset Management – Technology Life Cycle Management / Technology Obsolescence
24 IT Disaster Recovery – BCM – DPR02 – Resilience for IT Applications
25 IT Disaster Recovery – BCM – CMP08 – Site Technical Recovery Plan
26 Logical Access Management – Credential Management
27 Logical Access Management – Access Rights Allocation
28 Logical Access Management – Disabling of Leaver Accounts
29 Logical Access Management – Mover Entitlement Removal
30 Logical Access Management – Temporary Elevated Access Deactivation
31 Logical Access Management – Emergency Access Usage
32 Logical Access Management – Access Rights and Roles Description
33 Logical Access Management – Unique Identification of Human User
34 Logical Access Management – Non-personalized Technical Accounts
35 Logical Access Management – Segregation of Duties in Change Management via Infrastructure Access
36 Logical Access Management – Segregation of Duties in Change Management via Application Access
37 Monitoring of Processes & Incident Management – Incident Management Process
38 Monitoring of Processes & Incident Management – Service Level Targets – Applications
39 Network Security – Bank Inter-Site Communication
40 Network Security – Remote Access to the Bank Network
41 Network Security – Lifecycle Management of Firewall Connectivity
42 Network Security – Network Perimeter Security
43 Network Security – Identification and Approval of External Connections
44 ONO – Business Function Supervision at the BSC
45 Physical Security – Secure Disposal or Reuse of Equipment
46 Physical Security – Physical Entry Controls
47 Physical Security – Protecting Against External and Environmental Threats
48 Platform Security – Unauthorized Software Identification
49 Platform Security – Security Compliance Monitoring
50 Platform Security – Configuration Management for Voice Recording
51 Platform Security – Logging Infrastructure Activities
52 Policy Management – Policy approval, publication and communication
53 Policy Management – Policy compliance and implementation status
54 Policy Management – Policy development and maintenance
55 Production and Delivery of Regulatory Reports – Collection and Delivery of Data Related to eDiscovery Cases
56 Records Management Control Framework – Active Management of Electronic Records in Custody
57 Records Management Control Framework – Legal Hold and Disposal for Archived Electronic Records
58 Robotics – Annual affirmation of the robot inventory data
59 Robotics – Adherence to RPA delivery model
60 SDLC – Usage of Production Data
61 SDLC – Implementation of Minimum Enterprise Requirements
62 SDLC – Testing of Changes
63 SDLC – Enterprise Architecture and Business Strategy Alignment
64 SDLC – Password Protection in Code
65 Security Monitoring – Monitoring for Data Leakage
66 Security Monitoring – Security Monitoring to Identify Security Incidents
67 Security Monitoring – Vulnerability Scanning
68 Security Monitoring – Penetration Testing
69 Security Monitoring – Threat Monitoring
70 Security Monitoring – Code Review
71 Security Monitoring – Unauthorized Hardware Devices
72 Security Monitoring – Security Patch Management
73 Security Monitoring – Network Security Monitoring
74 Security Monitoring – Mandatory Security Software
75 Service Change Supervision – Service Change Supervision
76 Service Charging Accuracy – Service Charging Accuracy
77 Static Data Amendment and Integrity – Reference Data Tables – Change Procedure Adherence
Controls performed by external/outsourced parties:
78 End User Application Management – Completeness of EUA Inventory – Annual Affirmation
79 End User Application Management – Line Manager Annual Assessment of EUA Controls
80 End User Application Management – Completeness of EUA Inventory – Business Lead Review
81 IGCS static data validation – IGCS static data validation
82 IT Asset Management – License Inventory Management and Compliance Monitoring
83 IT Staff Management – Maintain Anti-Fraud Block Leave Controls
84 IT Staff Management – Completion of Mandatory Training
85 IT Staff Management – Workforce Capacity Planning
86 IT Staff Management – Workforce Turnover Monitoring
87 IT Vendor Management – Reconfirm Contract Management Roles
88 IT Vendor Management – CS11 ITVM – DAB Review-Structured Sourcing Process for all deals (ITO and products) where TCV >= 1M CHF
89 IT Vendor Management – Review of Tier 2 Vendor Performance & Compliance
90 IT Vendor Management – Annual Contract Compliance Review
91 IT Vendor Management – Contract Performance & Compliance Monitoring
92 IT Vendor Management – Oversight of IT Risk Assessments for Tier 1 & 2 Vendors
93 IT Vendor Management – Review of Exit Strategy for Tier 1 & 2 Vendors
94 IT Vendor Management – Review of Tier 1 Vendor Performance & Compliance
95 Policy Management – Policy Implementation
96 Production and Delivery of Regulatory Reports – RPM Report Inventory Review
97 Production and Delivery of Regulatory Reports – Regulatory Report Review
98 Records Management Control Framework – Records Owner Archiving Compliance (Electronic Records)
An adequate Capacity Management Policy must be defined and implemented at the Company, so that the performance of existing and future Company systems can be monitored correctly, their future evolution forecast, and possible bottlenecks identified.
The Cryptographic Control Policy sets out the general principles acceptable to the Company for the use of cryptography. This policy applies to all employees and partners and to all electronic transactions in which one or more of the above-mentioned parties are involved. The Company will select appropriate cryptographic controls based on a risk assessment.
The objective of the Cryptographic Controls Standard is to outline the minimum information security controls that must be applied when cryptographic services and solutions are used by the Company. Specifically, this Standard focuses on key management requirements, acceptable algorithms and appropriate key lengths, and raises pertinent regulatory considerations relating to the use of cryptography. Cryptographic controls […]
Review IT General Controls Catalogue – Banking Client.