Microcomputer End User Policy and Procedures

burpfancy, Electronics - Devices

8 Nov 2013 (3 years and 9 months ago)


POLICY STATEMENT

[Insert the name of your bank] has implemented basic security policies and controls that govern end user computing operations, and management has the authority to evaluate the risks associated with end user computing. The purpose of this policy is to establish general guidelines for maintaining an end user computing environment within the bank that is controlled, consistent, and secure and that will enhance the productivity of end users. The board intends that the bank adhere to the guidelines set forth by the Federal Financial Institutions Examination Council (FFIEC), as updated from time to time in the FFIEC’s Information Technology Examination Handbook. The board of directors adopts the following policies, standards, and controls as the bank’s end user computing policy.

END USER COMPUTING POLICY AND PROCEDURE RESPONSIBILITY

The board of directors delegates the day-to-day management of the use of microcomputers to the functional managers. They are responsible for ensuring that their employees adhere to the bank’s policies and procedures. The mechanism the bank will use to control computer use at the bank is a computer steering committee.

Computer Steering Committee

The board appoints the following staff members to the computer steering committee:

- [Insert name and title]
- [Insert name and title]
- [Insert name and title]
- [Insert name and title]

The purpose of the computer steering committee is to provide direction for and control of computer usage at this bank. Specifically, the computer steering committee will have the following responsibilities:

- Keep this computer policy and procedures statement current.
- Review all requests for purchases of computer hardware and software. The committee will forward its recommendations to the president, who is the final approval authority for all computer purchases.
- Review and approve, before the fact, all movement of data between mainframe computers and computers.
- Review and approve, before the fact, all projects that will result in man-hours being spent on the programming of computer software.
- Keep a current inventory, to include location, of all computer hardware and software owned by the bank.
- Coordinate the maintenance and repair of computer hardware.
- Provide consultation and assistance to the rest of the bank.
- Stay abreast of technological developments.
- Recommend security procedures to each end user.

Information Technology Department

The information technology department is responsible for supporting and coordinating the day-to-day operation of the end user computing environment in a manner that is consistent and in compliance with the approved policies and procedures. Additionally, the information technology department should monitor and review the activities of end users to ensure that they are adhering to the bank’s microcomputing policies and procedures.

Internal Audit Department

The internal audit department is responsible for conducting periodic reviews of the end user computing
environment to ensure that policies and procedures are adequate to properly control the environment and
that all end users consistently follow these policies and procedures.

The internal audit department also has the responsibility to evaluate the level of compliance with the bank’s end user computing standards, policies, and procedures and to report any discrepancies to the appropriate department manager for correction and enforcement and to the board of directors through the audit committee in their regularly scheduled reports.

The internal audit department will be available to management, users, and the computer steering committee to provide input and recommendations in certain circumstances, including, but not limited to, the following:

- Purchase of new software
- Automation of procedures
- Access control issues
- Termination of employees
- Development and testing of systems/procedures
- Suspicion of fraud or misuse of software and/or hardware
- Implementation of new controls and/or testing

ACQUISITION OF HARDWARE AND SOFTWARE

The acquisition of all hardware, software, and peripherals must be properly justified and must comply with [insert the name of your bank] capital expenditure policies.

- All acquisitions, installations, and implementations require review and coordination by the information systems department and approval by the appropriate department executive(s).
- Acquisitions of local area networks (LANs) or more complex systems may require a feasibility study or evaluation prior to the approval of the acquisition. The computer steering committee will determine any additional requirements needed for the acquisition of more complex systems.
- The purchasing department will acquire all approved microcomputer (PC) hardware and software.
- The information systems department will maintain a complete inventory of hardware, software, and peripherals.
- All department systems will be equipped with standardized hardware and software (e.g., [insert your bank’s preferred standards]). The computer steering committee will be responsible for reviewing and determining appropriate standardized hardware and software to be used by bank personnel.

Licensed Use of Packaged Software

Bank employees are required to read and comply with commercial software license agreements. Managers must be certain that employees understand that modifying, selling, or duplicating commercial software packages is illegal and expressly against [insert the name of your bank] policy. The bank may be held liable for anyone illegally obtaining or copying commercial software. Civil damages for the unauthorized copying or use of software can be $50,000 or more, and criminal penalties can include fines and imprisonment. Duplicating software includes but may not be limited to the following:

- Making a copy of a software program from the employee’s hard drive or from a diskette
- Using the master diskette on an employee’s home computer when the software is already installed on one of the bank’s computers
- Installing software that currently resides on an employee’s home computer on a bank computer
- Receiving an upgrade for a software package and installing the version on a different computer

The information systems department must review and audit any public domain software (e.g., Internet software) prior to installation on any bank-owned microcomputer.

Physical Protection and Security of Hardware/Software

Managers in each user area are responsible for proper and adequate physical security and protection of the hardware and software assigned to their departments. Department managers are responsible for developing and implementing appropriate physical security controls and protection of hardware and software and for ensuring compliance with established physical security policies. In addition, department managers are responsible for the following:

- Ensuring sensitive reports and information are properly safeguarded and disposed of in a proper manner
- Assessing their department’s physical control needs and implementing controls necessary to ensure proper security and protection
- Monitoring and maintaining control over the use of laptop microcomputers
- Maintaining inventories of hardware and software and periodically auditing these inventories
- Securing the work areas housing microcomputers
- Assessing the need for locks and keys
- Establishing proper housekeeping rules
- Maintaining adequate environmental controls
- Training users on proper use and care of microcomputers

Although ultimate responsibility for the physical protection and security of hardware and software rests with the department manager, each user is responsible for the physical security and protection of his or her own microcomputer. In addition, end users are responsible for the following:

- Abiding by all housekeeping policies established by management
- Keeping a maintenance list identifying all maintenance done to their equipment
- Securing any laptop microcomputer while in their possession
- Being aware of and reporting any suspicious individuals or activity to management
- Ensuring that all software is backed up and maintained in a secure area

Restricted Access to Data and Software

It is the policy of [insert the name of your bank] to protect the processing, storage, and use of data on microcomputers, LANs, or wide area network (WAN) systems based on the level of the data’s sensitivity and value to the bank. Each department manager will establish and implement proper and adequate access controls to restrict access to data and software. This is to prevent unauthorized access that could result in confidential data being accessed, improper loading of software posing the risk of viruses and use of unauthorized software, and improper downloading of programs and files that could result in unauthorized copying.

Misuse of corporate data will be reported to management and the board of directors through appropriate channels.

BACKUP, CONTINGENCY PLANNING, AND BUSINESS CONTINUITY PLAN

Each department is responsible for identifying and establishing the proper procedures to ensure that hardware, software, and documentation is adequately backed up to ensure timely recovery in the event of a disaster. The department manager will perform a risk assessment of each department to determine the impact that loss of data would have on the bank due to the following reasons:

- Incorrect management decision
- Improper disclosure of information
- Fraud
- Financial loss
- Competitive disadvantage

Based on the results of the risk assessment, each department manager will be responsible for ensuring that appropriate microcomputer backup procedures are included in each department’s respective section of the business continuity plan for [insert the name of your bank].

Virus detection software will be installed on each microcomputer in the bank to help ensure that no viruses are introduced into the bank’s systems.

Program Development, Documentation, and Testing

All developed software, applications, and programs must be fully tested and adequately documented before becoming part of a system that processes the bank’s data.

Prior to the development of any new software application or program, the computer steering committee will review the request for the new application or program and perform a cost/benefit analysis.

Managers are responsible for overseeing new projects and ensuring management control of the development process. Management control will encompass all phases including the initial development phase, development of appropriate data editing controls, proper input/output controls, report design, adequate testing, and documentation.

SOFTWARE DOCUMENTATION

The bank defines documentation as written material that describes the function of a software program, the input the program requires, the output that the program will produce, the internal calculations used by the program, and operational procedures to run the program.

All software, whether developed in-house or purchased, must be documented. When the bank develops software or overlays in-house, it always develops the documentation as a part of the process. A bank employee that develops a program and then does not adequately document it will be subject to disciplinary action.

When developing a spreadsheet overlay, the documentation required will include the following:

- The purpose and a brief description of the program
- An explanation of how the spreadsheet program is used
- A description of the contents of each cell in the spreadsheet (if macros are used, each macro must be fully described)
- A copy of a sample input
- A copy of an output that goes with the sample input
- Any other information needed for someone else to understand how to use the program

This documentation will be kept with the software in the department where it is used.

COMPUTER/MAINFRAME DATA TRANSFERS

The bank allows the transfer of data between a computer and the bank’s mainframe computer, but only under the following circumstances and controls:

- The computer steering committee must approve all computer/mainframe transfers before the fact. This approval will not be granted until the procedure has also been approved by the data processing department.
- Data files downloaded from the mainframe must be segregated files. No live files will be accessible for downloading purposes.
- Uploaded files will be stored in a segregated area of the mainframe. The uploaded data cannot be used in a mainframe application until an edit program and a virus detector have been run to validate the data. Unless adequate edit programs and virus detectors have been developed and verified, no data uploaded from a computer will be processed by the mainframe.

TRAINING AND SUPPORT

The board of directors understands that the increase in microcomputer use requires that employees are properly trained and informed on the policies and procedures endorsed by [insert the name of your bank] with regard to end user computing. The ability of employees to enter, move around, and leave the bank with ease increases the risk to the bank. Therefore, management and the board plan to address these issues through policies, education, and training of users on security and use of microcomputers.

[Insert the name of your bank] will provide end user computer training to all employees. All users will be trained before they use bank-owned hardware and software. The training department of the bank is responsible for developing end user training materials and providing information and classes for all employees. Training will cover the bank’s policies and procedures relating to end user computing. The programs developed will increase employees’ awareness about microcomputer security risks and vulnerabilities and the appropriate preventive controls. The training department will maintain documentation concerning training of all employees for review by department managers, internal audit, the board of directors, and regulators.

[Optional: Insert the following if your bank uses a "Help Desk" support system for end users.]

Help Desk

The information technology department will create and maintain a user support and help desk function that is appropriate to the size and complexity of the bank's computer systems.

The IT manager will ensure that the end users continuously have the resources and services needed to perform their job functions in an efficient and effective manner.

The IT manager may use a variety of technology solutions to assist in the effective management and operation of a help desk function. For example, the bank may use dedicated internal and toll-free phone numbers to support problem screening, call routing, and issue recording.

The help desk should record and track incoming problem reports, whether handled by live operators or automated systems. Documentation in the tracking system should include such data as user, problem description, affected system (platform, application, or other), prioritization code, current status toward resolution, party responsible for resolution, root cause (when identified), target resolution time, and a comment field for recording user contacts and other pertinent information. The tracking system helps prioritize issues, track problems through resolution, analyze the problem database for systemic concerns, and analyze help desk performance and management. Some tracking systems support Internet and intranet access so users can monitor problem resolution.

The help desk should evaluate and prioritize issues to ensure the most critical problems receive prompt attention. Key factors the help desk should consider when establishing priority include the number of users or customers affected, revenue losses, expenses incurred, or the number of critical systems affected, impacted, or breached.

Proper authentication of users is critical to risk management within the user support function. Therefore, the bank will implement a user authentication process whose strength is based on the problem reported, the type of action requested, or the platform, system, or data involved.

The board of directors approved and adopted this policy on _____________________ .