Technology IT Generals Controls Catalogue – Banking Client

CONTENT

1 Authentication & Authorization – Password and PIN Policy
2 Authentication & Authorization – Authentication and Authorization at Runtime
3 Authentication & Authorization – Monitoring for Certificate Expiration
4 Authentication & Authorization – Authentication Strength
5 Authentication & Authorization – Application Messaging and Data Transfer Security
6 Backup – Backup Integrity
7 Backup – Data Backup Requirements
8 Backup – Backup Monitoring
9 Backup – Backup Encryption
10 Capacity Management – Infrastructure Capacity Monitoring
11 Change & Release Management – Source Code and Configuration Management
12 Change & Release Management – Impact Assessment
13 Change & Release Management – Approval Prior to Deployment
14 Change & Release Management – Version Control
15 Data Governance – Attestation of Investment Banking Reference Data sourcing for Tier 1 applications
16 Entity Level Controls – Information Technology
17 EUA Governance – EUA Inventory Completeness Validation
18 EUA Governance – EUA Controls Compliance Validation
19 EUA Governance – EUA Inventory Reporting
20 EUA Governance – Communication of EUA Governance Requirements
21 EUA Governance – Semi-Annual CID scanning of SOX material and critical EUAs
22 IT Asset Management – IT Asset Inventory Management
23 IT Asset Management – Technology Life Cycle Management / Technology Obsolescence
24 IT Disaster Recovery – BCM – DPR02 – Resilience for IT Applications
25 IT Disaster Recovery – BCM – CMP08 – Site Technical Recovery Plan
26 Logical Access Management – Credential Management
27 Logical Access Management – Access Rights Allocation
28 Logical Access Management – Disabling of Leaver Accounts
29 Logical Access Management – Mover Entitlement Removal
30 Logical Access Management – Temporary Elevated Access Deactivation
31 Logical Access Management – Emergency Access Usage
32 Logical Access Management – Access Rights and Roles Description
33 Logical Access Management – Unique Identification of Human User
34 Logical Access Management – Non-personalized Technical Accounts
35 Logical Access Management – Segregation of Duties in Change Management via Infrastructure Access
36 Logical Access Management – Segregation of Duties in Change Management via Application Access
37 Monitoring of Processes & Incident Management – Incident Management Process
38 Monitoring of Processes & Incident Management – Service Level Targets – Applications
39 Network Security – Bank Inter-Site Communication
40 Network Security – Remote Access to the Bank Network
41 Network Security – Lifecycle Management of Firewall Connectivity
42 Network Security – Network Perimeter Security
43 Network Security – Identification and Approval of External Connections
44 ONO – Business Function Supervision at the BSC
45 Physical Security – Secure Disposal or Reuse of Equipment
46 Physical Security – Physical Entry Controls
47 Physical Security – Protecting Against External and Environmental Threats
48 Platform Security – Unauthorized Software Identification
49 Platform Security – Security Compliance Monitoring
50 Platform Security – Configuration Management for Voice Recording
51 Platform Security – Logging Infrastructure Activities
52 Policy Management – Policy approval, publication and communication
53 Policy Management – Policy compliance and implementation status
54 Policy Management – Policy development and maintenance
55 Production and Delivery of Regulatory Reports – Collection and Delivery of Data Related to eDiscovery Cases
56 Records Management Control Framework – Active Management of Electronic Records in Custody
57 Records Management Control Framework – Legal Hold and Disposal for Archived Electronic Records
58 Robotics – Annual affirmation of the robot inventory data
59 Robotics – Adherence to RPA delivery model
60 SDLC – Usage of Production Data
61 SDLC – Implementation of Minimum Enterprise Requirements
62 SDLC – Testing of Changes
63 SDLC – Enterprise Architecture and Business Strategy Alignment
64 SDLC – Password Protection in Code
65 Security Monitoring – Monitoring for Data Leakage
66 Security Monitoring – Security Monitoring to Identify Security Incidents
67 Security Monitoring – Vulnerability Scanning
68 Security Monitoring – Penetration Testing
69 Security Monitoring – Threat Monitoring
70 Security Monitoring – Code Review
71 Security Monitoring – Unauthorized Hardware Devices
72 Security Monitoring – Security Patch Management
73 Security Monitoring – Network Security Monitoring
74 Security Monitoring – Mandatory Security Software
75 Service Change Supervision – Service Change Supervision
76 Service Charging Accuracy – Service Charging Accuracy
77 Static Data Amendment and Integrity – Reference Data Tables – Change Procedure Adherence

Controls performed by externals/outsourced:

78 End User Application Management – Completeness of EUA Inventory – Annual Affirmation
79 End User Application Management – Line Manager Annual Assessment of EUA Controls
80 End User Application Management – Completeness of EUA Inventory – Business Lead Review
81 IGCS static data validation – IGCS static data validation
82 IT Asset Management – License Inventory Management and Compliance Monitoring
83 IT Staff Management – Maintain Anti-Fraud Block Leave Controls
84 IT Staff Management – Completion of Mandatory Training
85 IT Staff Management – Workforce Capacity Planning
86 IT Staff Management – Workforce Turnover Monitoring
87 IT Vendor Management – Reconfirm Contract Management Roles
88 IT Vendor Management – CS11 ITVM – DAB Review-Structured Sourcing Process for all deals (ITO and products) where TCV >= 1M CHF
89 IT Vendor Management – Review of Tier 2 Vendor Performance & Compliance
90 IT Vendor Management – Annual Contract Compliance Review
91 IT Vendor Management – Contract Performance & Compliance Monitoring
92 IT Vendor Management – Oversight of IT Risk Assessments for Tier 1 & 2 Vendors
93 IT Vendor Management – Review of Exit Strategy for Tier 1 & 2 Vendors
94 IT Vendor Management – Review of Tier 1 Vendor Performance & Compliance
95 Policy Management – Policy Implementation
96 Production and Delivery of Regulatory Reports – RPM Report Inventory Review
97 Production and Delivery of Regulatory Reports – Regulatory Report Review
98 Records Management Control Framework – Records Owner Archiving Compliance (Electronic Records)