TPRA Checklist

Uploaded by Mohamed A. Sabra

Sachin Hissaria

Sr. no. | Control Area | Control Activity | Auditor's Remark | Auditee's Remark
Entries are listed as "Sr. no. Control Area: Control Activity"; the two remark columns are blank.

1. Access Control: Is there a periodic user access review for the user profiles by the system administrator? Mention the details of the sample evidence.
2. Access Control: Is there a mechanism that informs the security personnel of lost access cards (if available) or termination of access rights for personnel involved in the "Company name" scope of work?
3. Access Control: Is there a well-defined process for removing the user account and access rights at the time of an employee leaving the vendor's processing facility?
4. Access Control: Is there a provision for automatic lockout of accounts after a predefined number of unsuccessful attempts? If yes, what is the count of unsuccessful attempts after which the account locks out?
5. Access Control: Is there a password policy defining the framework for a strong password? Does the system prompt the change of user passwords at predefined intervals? If yes, what is the timeline? Check for:
   - Password complexity
   - Password history
   - Maximum password age
   - Reversible encryption
   Check for sample user IDs without a password.
6. Access Control: Is a "secure password distribution mechanism" in place? Specify the mechanism, if applicable.
7. Access Control: Is the password masked on the screen during the log-in process? Are the user access passwords displayed / stored / transmitted in clear text over the network?
8. Access Control: Are the following actions performed on all systems used for "Company name" operations?
   - Internet access on a need basis
   - Admin privileges restricted
   - Restricted email access
   - Disable access to printers
   - Access to printers
   - Is sharing of local drives disabled across all the systems?
9. Access Control: Is the Guest account disabled?
10. Access Control: Are the end users provided with local admin rights? Is access to the command prompt restricted to admin rights, and is registry editing disabled on all desktops across the organization?
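One way to check items 4, 5 and 9 against a Windows host's exported local security policy, as an added example that is not part of the checklist: the INF sample and the audit thresholds in EXPECTED are constructed for this example, and the key names are the ones secedit writes under [System Access].

```python
"""Evaluate a Windows local security policy export against TPRA checklist items 4, 5 and 9."""
import re

# Constructed sample of the [System Access] section of a `secedit /export /cfg <file>` dump.
# A real export is UTF-16 text; read it with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Audit thresholds are assumed for this example; the checklist leaves them to the auditor.
EXPECTED = {"lockout_max": 10, "history_min": 12, "max_age_days": 90}


def parse_inf(text):
    """Parse the INI-style export into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def evaluate(text, expected=EXPECTED):
    """Map each checklist check to (observed value, passed?)."""
    access = parse_inf(text).get("System Access", {})

    def num(key):
        return int(access.get(key, "0"))  # a key absent from the export counts as 0 / disabled

    lockout = num("LockoutBadCount")     # 0 means account lockout is switched off
    max_age = num("MaximumPasswordAge")  # -1 means passwords never expire
    return {
        "4: account lockout threshold": (lockout, 1 <= lockout <= expected["lockout_max"]),
        "5: password complexity": (num("PasswordComplexity"), num("PasswordComplexity") == 1),
        "5: password history": (num("PasswordHistorySize"), num("PasswordHistorySize") >= expected["history_min"]),
        "5: maximum password age": (max_age, 1 <= max_age <= expected["max_age_days"]),
        "5: reversible encryption": (num("ClearTextPassword"), num("ClearTextPassword") == 0),
        "9: guest account disabled": (num("EnableGuestAccount"), num("EnableGuestAccount") == 0),
    }


def failing_checks(text, expected=EXPECTED):
    """Checklist entries the export does not satisfy, in checklist order."""
    return [name for name, (_, ok) in evaluate(text, expected).items() if not ok]


if __name__ == "__main__":
    for name, (observed, ok) in evaluate(SAMPLE_INF).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: observed {observed}")
```

The sample fails only the lockout check because LockoutBadCount = 0 disables lockout entirely; the "users without a password" part of item 5 needs an account listing and is not covered by the policy export.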

For more such checklist - Follow @sachin-hissaria


11. Access Control: Are the ports blocked for floppy/CD/DVD drives & USB ports? Does the Vendor have any centralized mechanism in place to track the same? Mention the details of the mechanism.
12. Access Control: What are the different levels of administrator privileges for system access on "Company name" specific servers? Are these access rights periodically reviewed?
13. Access Control: Are the network access points (Wi-Fi) at the Vendor's premises available in public areas like reception, conference rooms etc.? Can unauthorized personnel connect to the Wi-Fi network?
14. Antivirus & Patch Management: Does the vendor have an Antivirus Signature Management System in place for systems related to the "Company name" operations?
   - Are the AV signatures up to date?
   - Are records for the same maintained?
   - Specify the frequency defined for signature updates.
15. Antivirus & Patch Management: Is antivirus software deployed, updated and maintained for all desktops, servers, firewalls, and Internet email gateways? Describe what anti-virus products are used with each platform.
16. Antivirus & Patch Management: Has the anti-virus software been configured to log anti-virus activities, such as weekly scans, virus detection, and signature file updates?
17. Antivirus & Patch Management: Has anti-virus software been configured for real-time scanning against all file write activity?
18. Antivirus & Patch Management: Are controls in place to prevent end users from overriding or disabling the antivirus software?
19. Antivirus & Patch Management: Do you have a patch management policy? Is there a defined and documented process for implementing security patches on systems for "Company name" operations? Are the roles & responsibilities defined? Specify the frequency defined.
20. Antivirus & Patch Management: Does the Vendor ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
21. Antivirus & Patch Management: Are patches tested in a UAT instance before deployment on the production server?
22. Application Security: Is AppSec performed for internet-facing applications used for "Company name" operations?
23. Application Security: What is the inactivity timeout period specified for the applications?
24. Asset Management: Is approved hard drive encryption software deployed on portable digital devices and systems (e.g. mobile phone, laptop, tablet etc.) that hold sensitive data? If yes, please specify the details of the solution being used for the same.


25. Asset Management: Is the movement of assets (used for "Company name" operations) tracked / monitored and reconciled at the Vendor facility?
26. Asset Management: Is there a mechanism to ensure that only licensed software / applications are installed on the systems? Mention the details of the mechanism.
27. Business Continuity Management: Is there an alternate/BCP location facility & supporting facility to continue "Company name" operations? Is testing done for movement of "Company name" operations from the primary site to the alternate site? Check the testing report.
28. Business Continuity Management: Does the organization have a documented IT DR plan addressing people, process & systems related to "Company name" operations? Is it communicated to the concerned employees?
29. Business Continuity Management: Can the backed-up data be restored and made available at the alternate site at any point in time? Can the critical data be restored in the time frame agreed with "Company name"?
30. Business Continuity Management: Is there a secondary network link available which can be used in case of failure of the primary network link?
31. Cloud Security: Does the vendor store, process or transmit "Company name" data over the cloud from cloud service providers? Where is the data stored, within India or overseas? Please provide details.
32. Data Security: Does the Vendor have a mechanism in place to classify & protect "Company name" related data? (Refer to the Information Classification Policy.) E.g. Confidential/Restricted/Public. Mention the details of the sample evidence.
33. Data Security: Does the vendor have data leakage prevention capability? (If applicable, provide details.)
34. Data Security: Does the vendor have database-level segregation for "Company name" critical (SPDI, PII and card data) data?
35. Data Security:
   1. Does the Vendor have a defined retention period for "Company name" data?
   2. Does the Vendor have a process for secure removal / disposal / purging / destruction of "Company name" data?
   3. Is "Company name" notified after every deletion cycle?
   Mention the details of the sample evidence.
36. Email Usage: Check the user e-mail ID creation process. Are there appropriate approvals from HR/management for creating such email accounts at the vendor processing facility?
37. Email Usage: Are e-mail / user IDs created if the "Company name" related operations are outsourced / sub-contracted to other parties? If yes, are proper approvals taken for the same?


38. Email Usage: Does the Vendor have a provision for shared email accounts? Verify and mention if there is a mechanism in place to ensure accountability of shared email accounts, if any.
39. Email Usage: Does the Vendor have a defined Data Leakage Prevention (DLP) mechanism in place to ensure that the "Company name" data is not sent via email to non-"Company name" IDs? Does the vendor have a mail authentication system (like DMARC) in place? (Based on applicability)
40. Email Usage: Are the email attachments sent/received for the "Company name" process scanned for viruses and other malicious content?
41. Email Usage: Is the customer data shared over email? Are the attachments sent to "Company name" encrypted or password protected before sending? (At least 128 bits) Mention the details of the encryption mechanism, if applicable.
42. Email Usage: Does the e-mail communication from the vendor include a standard disclaimer as a part of the contents? (Applicable in cases where the vendor sends email on behalf of "Company name")
43. Incident Management: Are roles & responsibilities defined for reporting suspected security incidents to "Company name"? Is root cause analysis performed for the security incidents?
44. Incident Management: Does the Vendor have an incident response plan in place to be implemented in the event of a system breach? If yes, does the plan address the following, at a minimum:
   - Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands, at a minimum
   - Specific incident response procedures
   - Business continuity procedures
   - Data back-up processes
   - Analysis of legal requirements for reporting compromises
   - Coverage and responses of all critical system components
   - Reference or inclusion of incident response procedures from the payment brands
45. Incident Management: Is there a repository / database for logging past security incidents? Describe the mechanism to establish learning from past incidents.


46. Information Security Policy & Management:
   1. Do you have documented and approved Information Security policy and procedures?
   2. Is there an owner specified who is responsible for maintaining the information security policy?
   Specify the date (enter in the comments column) on which management last approved the policy, if applicable.
47. Information Security Policy & Management: Do you have an acceptable usage policy (for usage of corporate computing resources, including restrictions on using email, USB, Internet browsing)? Is it mandated for all the employees? Do you have an Internet/Intranet access and Email usage policy?
48. Information Security Policy & Management: Does the Vendor have a defined policy for data handling? Does the policy cover data privacy and secure usage, storage and destruction of confidential data?
49. Information Security Policy & Management: Do you have a Key Management or Encryption / Decryption Policy?
50. Information Security Policy & Management: Do you have a security incident management policy? Does the policy cover the following:
   - Security incidents
   - Security weaknesses
   - Software malfunctions
   - Malicious software
51. Information Security Policy & Management: Do you have an Access Control and Physical Security policy and procedure? Does the policy cover the following (if applicable):
   - Physical access, system/user access (role-based access control & a structured process for creation of new user accounts for "Company name" operations)
   - Hardware, software, storage media, paper records, photocopiers, mail, fax, facilities (access control)
52. Information Security Policy & Management: Do you have a Disaster Recovery and Business Continuity plan / policy covering people, process & systems related to "Company name" operations?
53. Information Security Policy & Management: Do you have an Asset Management Policy? Does the policy include classification & protection of sensitive IT assets covering "Company name" activities/processes?


54. Information Security Policy & Management: Do you have a backup and recovery policy? (Covering "Company name" operations) Does the Backup & Recovery Policy & Procedure document consider the following:
   - Essential business information & software to be backed up?
   - Servers to be backed up?
   - Audit trail & logs?
   - Frequency of backup?
   - Logging of backup activity?
   - Retention period for backup?
   - Roles & responsibilities defined & assigned?
55. Information Security Policy & Management: Do you have an Anti-Malware/Anti-Virus Policy?
56. Information Security Policy & Management: Are all the policies communicated to all the employees working for "Company name"? If yes, mention the method and frequency of communication.
57. Information Security Policy & Management:
   1. Do you have a Risk Management Policy (Assets)?
   2. Mention the frequency defined for conducting regular Vulnerability & Risk Assessments.
58. Information Security Policy & Management: What is the data retention and purging policy or procedure? Is it the same or different for encrypted, decrypted and un-encrypted data?
59. Information Security Policy & Management: Does the vendor have a comprehensive Mobile Device and Communications Policy covering use of handheld devices, portable devices, mobiles, laptops, tablets etc. for operations including "Company name"?
60. Miscellaneous Checks: Do you have a repository of customer complaints reported to the bank? (If applicable)
61. Miscellaneous Checks: Do you have an appropriate mechanism to prevent & detect fraud?
62. Network Management: Does the vendor have a comprehensive network architecture diagram covering infrastructure used for "Company name" operations? Mention the details for the same. (E.g. design approval details)
63. Network Management: Are all internet-facing servers placed in a DMZ?
64. Network Management: Is the inbound and outbound traffic restricted to that which is necessary for the "Company name" data environment?
65. Network Management: Is documentation and business justification present for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure?
66. Network Management: Is the internet access or internet usage restricted and controlled? Mention the details for the same. (E.g. IP address)


67. Network Management: Is the firewall configured for stateful inspection/dynamic packet filtering? (That is, only "established" connections are allowed into the network.)
68. Network Management: Is VA / PT of network devices performed periodically? If yes, verify and specify the periodicity.
69. Network Management: Is there a proactive mechanism to monitor unauthorized network access attempts? (Internal / external) External: check whether IDS/IPS is implemented in the environment; if yes, ask for the make and model of the device. Mention the details for the same.
70. Network Management: Has the vendor maintained redundancy for the firewall & other network components? Mention the details of the redundant major devices, if applicable.
71. Network Management: Do modifications to the firewall rules for "Company name" operations follow the change management process? Mention the details of the sample evidence.
72. Network Management: What is the mechanism used for securing the connectivity between the Vendor and "Company name"? Mention the details for the same. E.g. leased line connectivity (with data sent in encrypted form) or VPN.
73. Network Management: Are the network devices and servers used for providing services to "Company name" physically and logically segregated?
74. Network Management: Does the Vendor have a mechanism to identify and authenticate the user for external access (e.g., remote - VPN, wireless and third party) to the Vendor's network? Mention the details of the mechanism and sample evidence.
75. Network Management: Is there a defined process for installing & encrypting wireless access points, if any are used by the vendor?
76. Network Management: Is "Company name" data segregated from other clients' data on the SFTP server or anywhere else it is stored?
77. Network Management: Is 2-factor authentication used for every critical application?
78. Network Management: Is the firewall rule base reviewed at regular intervals? If yes, verify and specify the periodicity.
79. Operation Management:
   1. Do you have a documented procedure for identifying
      - the changes to be notified to "Company name",
      - approval for the same, and
      - the communication process, if needed?
   2. Is there an established SPOC for notifying these changes to "Company name" and maintaining the documentation for the same?


80. Operation Management: Is there a change management process, for activities of "Company name" and related assets, approved by the vendor's management? Does it include some of the following:
   • Request, review and approval of proposed changes
   • Review for potential security impact
   • Security approval
   • Review for potential operational impact
   • Approval from "Company name" (when applicable)
   • Documentation of changes
   • Pre-implementation testing
   • Post-implementation testing
   • Rollback procedures
81. Operation Management: Does the vendor have a documented process for handling emergency changes in the "Company name" operation, to ensure such emergency changes are carried out in a controlled & timely manner? Mention the details of the sample evidence.
82. Operation Management: Does the Vendor have a mechanism to collect, analyse and store the logs of systems such as firewalls, application servers, web servers, end point systems, databases etc.? If yes, mention the details of the mechanism.
83. Operation Management: Do systems and network devices utilize a common time synchronization service?
84. Operation Management: Are the system audit trail files protected from unauthorized modification or access?
85. Operation Management: Is there a process for taking secure backups of audit trail files to a centralized log server or media to prevent unauthorized access or alteration? Are the backups of the audit trail files maintained?
86. Operation Management: Are the "Company name" operations security logs reviewed? (Only applicable for very critical processes)
87. Operation Management: Are the logs of database activities and commands performed by the DBA team collected and analysed in the log management system?
88. Operation Management: Does the vendor follow a maker-checker process for changes made to
   1. Systems/servers (database, application server, web server, etc.)
   2. Data (business/functional)
89. Operation Management: Does the vendor follow a maker-checker procedure for all the critical activities pertaining to "Company name"?
90. Operation Management: Are capacity requirements monitored and regularly reviewed, and systems and networks scaled accordingly?


91. Operation Management: Are backup media stored offsite?
92. Operation Management: Is there a secure process for onsite & offsite backup media protection during storage pertaining to "Company name" operations? How is integrity assured for offsite backups?
93. Operation Management: Does the vendor have a media labeling procedure in place, with sufficient information?
94. Operation Management: Does the organization reuse, test & restore backups on a regular basis?
95. Operation Management: Is the data downloaded from uniken/seclore/sftp stored securely after being downloaded and decrypted? (For both automated spool input files and the manual excel input files)
96. Operation Management: Does the vendor have a secure mechanism for destruction & disposal of media / hardware used for "Company name" operations? Mention the details of the sample evidence.
97. Personnel Security: Do you perform background verification for employees and contractors/temporary staff related to "Company name" scope of work?
   - Academic & professional qualification
   - Police verification
   - Reference check
   - Identification check
98. Personnel Security: The employment contract signed with the employees working on "Company name" scope of work should contain:
   - Non-Disclosure Agreement;
   - Information security responsibilities
99. Personnel Security: Is a code of conduct enforced by the vendor for their employees, & is it in line with the Bank's code of conduct?
100. Personnel Security:
   a. Does the vendor organization conduct pre-joining & periodic information security trainings & awareness programs to convey the criticality of "Company name" data?
   b. Mention if there is a structured mechanism for disciplinary action against non-performers in trainings and otherwise.
101. Physical & Environmental Security: Is there a structured process with defined responsibilities for removal of access rights & revoking of assets when a person leaves "Company name" scope of work?
102. Physical & Environmental Security: Are the critical servers related to "Company name" scope of work placed in a secure area?
103. Physical & Environmental Security: Is there appropriate segregation between the "Company name" work area & other facilities?


104. Physical & Environmental Security: Is the physical entry / exit from the premises to the "Company name" data processing facility & critical site monitored? If yes, specify the mechanism.
105. Physical & Environmental Security: What type of access control mechanism is implemented for controlling access to the "Company name" data processing facility? (e.g. biometric / access cards / manual registers)
106. Physical & Environmental Security:
   a. In case of manual registers, is a log maintained to track / monitor the visits of other personnel in the "Company name" data processing facility?
   b. Are visitors accompanied by responsible escort personnel?
107. Physical & Environmental Security: Are there procedures developed to easily distinguish between onsite personnel and visitors, especially in areas where "Company name" data is accessible?
108. Physical & Environmental Security: Are visitors asked to surrender the physical token before leaving the facility or at the date of expiration?
109. Physical & Environmental Security: Is there a defined policy or process to restrict the usage of personal storage devices? If yes, mention the process to check for personal storage devices.
110. Physical & Environmental Security: Is there a process to restrict the usage of digital devices (mobile phone/tablets) or non-digital materials (like paper, pen etc.) in the Data Entry Area and other critical areas? (Critical for call center setup and card processing, but not limited to the specified activities)
111. Physical & Environmental Security: Are CCTV footages recorded and stored? What is the retention period defined for storing access/CCTV logs?
112. Physical & Environmental Security: Is there role-based access control for accessing critical facilities used for "Company name" operations?
113. Physical & Environmental Security: What are the fire protection & detection mechanisms placed in critical IT locations, including the Data Center / Server Room pertaining to "Company name" operations? Is environmental protection equipment (heat detection, smoke detection, fire suppression, fireproofing, water flooding, heat, humidity, air conditioning, power supply) installed, tested, and monitored?
114. Physical & Environmental Security: Is there a UPS mechanism / power generator in place at the Vendor site?


115. Physical & Environmental Security: Are the network and the power cable lines segregated physically?
116. Service Delivery: Is the vendor sub-contracting part of its services provided to "Company name"? Are contracts, a confidentiality clause & an SLA defined for the same? Does the contract refer to information security requirements for "Company name" data? Has the vendor obtained approval from the bank for sub-contracting?
117. Service Delivery: How does the vendor monitor the sub-contracting operations for "Company name" scope of work?
   - Onsite reviews
118. Service Delivery: Does the contractual document with "Company name" include the following at the minimum:
   - Scope
   - Performance standards
   - Access to books, records
   - Right to inspect & audit
   - Confidentiality & security
   - Termination clause
   - Business continuity
   - Dispute resolution
   - Applicable laws & regulatory guidelines
   - Subcontracting
   - Information security clauses
   - Indemnity clause
   - Obligations of the service provider
   - Publicity & proprietary rights
   - Insurance
119. Service Delivery: Are you compliant with the Labour Law?
120. Service Delivery: Are the confidentiality and non-disclosure agreements reflecting the organization's needs for the protection of information / data identified and reviewed?
121. Service Delivery: Does the vendor have a defined escalation mechanism for service outages & other issues?
122. Service Delivery: How frequently is the review of compliance with the SLA done for "Company name" operations?
123. System Security: SCD: Are security configuration standards for networks, operating systems, databases, applications and desktops defined?
124. System Security: Are the systems used for "Company name" operations hardened according to the hardening document / technical specification document?


125. System Security: Are the vendor-supplied default passwords changed before installing a system on the network? Are unnecessary accounts deleted on the network devices, servers, databases etc.? Mention the details of the sample evidence.
126. System Security: Is only one primary function per server implemented, to prevent functions that require different security levels from co-existing on the same server, for critical processes/activities? (For example, web servers, database servers, and DNS should be implemented on separate servers.)