Appendix B: Focus areas

The following are some areas to consider when analyzing the effectiveness of safeguards (this is not intended to be a comprehensive list).

Response history

  • Incident response documentation and audits

Enterprise operations

  • Management, organization, business strategy, or operational procedures
  • Information technology environment
  • Changes in key service providers

Departmental operations

  • Key operational metrics (system availability, etc.)
  • Operating environment aligned to business needs
  • Adequacy of operational technology

Risk management

  • Risk ledger
  • Controls aligned with identified risks
  • Coordination of operations risk

Technical documentation

  • Systems diagrams and topologies describing the interrelationship between architectural components
  • Documentation of processes and technical controls

Personnel management

  • Appropriate organizational structure
  • Background checks for employees
  • Sufficient segregation and rotation of duties
  • Retention policies and procedures
  • Separation/termination policies and controls

Backup and recovery

  • Enterprise data storage methodologies
  • Data backup strategies
  • Data and program file asset inventory
  • Backup procedures that meet recovery time objectives
  • Off-site storage facility and inventory management procedures meet generally accepted standards
  • Adequate environmental monitoring and controls

Network and telecommunications

  • Architecture and process alignment with strategic goals
  • Operations monitoring for downtime, throughput, usage, capacity utilization, etc.
  • Availability, speed, bandwidth/capacity, resiliency and continuity
  • Adequate security controls

Data at rest

  • Identity and access management
  • Encryption
  • Database administration
  • Network controls

Data in transit

  • Encryption
  • Least access
  • Monitoring for exfiltration

Imaging systems

  • System data flow, topology and usage patterns
  • Confidentiality, availability, integrity
  • Destruction of source documents (e.g., shredding)
  • Compliance with regulations and other standards, including legal counsel review
  • Business continuity planning
  • Segregation of duties and least access

End-point management

  • Identity and access management
  • Vulnerabilities and patching
  • Images and customized configurations
  • High-value workstations
  • Laptops and mobile devices

Incident and problem management

  • Identifying, analyzing, and resolving issues and events
  • Controlling data modifications or corruption
  • Forensic training and awareness

Corrective action and communication

  • Document effectiveness of controls
  • Violations of law, rulings, regulations
  • Significant issues warranting inclusion as matters requiring Board of Directors’ attention
  • Noncompliance with supervisory guidance