ELECTRONIC BANKING QUESTIONNAIRE (02/03)

spongehousesSecurity

Nov 3, 2013

Date of Examination: ____________________

City: ____________________


This document is to be viewed as a learning tool. Constructive commentary is welcome. If you are already doing everything described in the questionnaire, you probably have a sound e-banking platform. If not, you should take into consideration the items not covered.

Please complete and sign the following questionnaire. These pages may be handwritten, typewritten, or completed electronically.

For banks with telephone banking only, complete questions 1-2. For an informational web site complete questions 1-43. An informational site that allows emails with sensitive information complete questions 79 and 80 also. For a transactional web site complete questions 1-93. If you have started offering electronic banking services within the last two years also answer questions 94-97.

Refer to the last page for some terminology explanations.



Name of Bank under examination: ____________________

Bank's web site address: ____________________

1. Which of the following written plans and policies do you have (check the ones that you have)? If policies are available electronically, please provide electronically (if not, please provide a paper copy).

   Strategic or business plan
   Security
   Contingency and Business Resumption
   Password (If no policy, provide actual procedures followed. If providing Internet banking refer to question #67)
   Email/Internet usage (If no policy, provide actual procedures followed)
   Privacy policy

   For guidance with what should be included in some of the above plans or policies please refer to the Division of Banking web site under the E-banking tab at www.idob.state.ia.us.



TELEPHONE BANKING

2. When did the bank begin offering telephone banking?

   a. Who is it offered through?

   b. How does the customer access it?

   c. What is the customer able to do once they have accessed their accounts?

PC BANKING

3. Do you offer?
   Yes  No

4. How many customers utilize it?

WEB SITE

5. When did the bank's web site become active?

6. Is the web site address reported on the bank's quarterly call reports?
   Yes  No

7. Where is the bank's web site hosted?
   In house
   Off site - Who is the host (name and location)?

8. Who is responsible for maintaining (updating and/or changing information) the bank's web site?

9. Does the bank have a contract with the web site host?
   Yes  No
   If yes, provide a copy.
   If yes, does it include the following:
   Yes  No   Liability for data and confidential treatment of information.
   Yes  No   Reasonable assurances for continuation of service through back up arrangements in the event of a problem situation.
   Yes  No   Security precautions on the part of the service provider.
   Yes  No   Procedures to notify the bank of any unauthorized alteration and malicious attacks.
   Yes  No   Regular back up of web site information.

10. How does the bank connect to the Internet?
   DSL
   cable
   56k dial up
   ISDN
   T1 line
   frame relay
   28.8 dial up
   other (describe)

11. Is the bank's web site reviewed internally?
   Yes  No
   If yes, how often is it reviewed?

   Who reviews it?

   What do they look at?
12. Does the web site undergo periodic review by any of the following?
   Yes  No   Legal Counsel - If yes, provide a copy.
   Yes  No   CPA - If yes, provide a copy.

13. Are links and interactive programs checked for accuracy and functionality?
   Yes  No
   If yes, who checks them and how frequently?

14. If links are included on the web page:
   Yes  No   Has the bank taken steps to ensure that the customer understands they are leaving the bank's web site?
   Yes  No   Does the bank provide some type of disclaimer of the bank's liability for transactions or information provided at these linked sites?

15. Are security measures in place to prevent the web site information from being altered?
   Yes  No
   If yes, what are they?

16. a. How often is virus protection software updated on servers and workstations?

      How often is it run?

      Who is responsible for doing the updates?

    b. Are procedures in place for operating system updates?
      Yes  No
      If yes, what are the procedures?

      Who is responsible for implementing the updates?

    c. Are procedures in place for receipt of software updates/patches?
      Yes  No
      If yes, describe the procedures.

      Who is responsible for doing the implementation of the updates/patches?

      Are they tested before putting into production?
      Yes  No

17. Is penetration testing done?
   Yes  No
   If yes, how frequently is it done?

   Who does it?

   Are they bonded?
   Yes  No

   Who is responsible for reviewing the results?

18. Is an intrusion detection system in place?
   Yes  No
   If yes, how frequently is it tested?

   Who is responsible for testing it?

   Who is responsible for reviewing it and monitoring the activity?

19. Are controls or procedures in place for any of the following?
   Yes  No   Prevention of hackers from accessing the system
   Yes  No   Prevention of line tapping
   Yes  No   Discovered intrusion attacks
   Yes  No   Attacks after hours
   If any are yes, please explain.

20. Does management keep up-to-date on addressing newly disclosed security threats to the computer operating system and application software?
   Yes  No

21. Are firewalls in place? (For any that are yes, please list what type of firewall is in place at that location.)
   Yes  No   At the bank -
   Yes  No   At the web host -
   Yes  No   At the outsource vendor -

22. Firewalls
   a. Who is responsible for installing, configuring, and updating the firewalls?

   b. Who is responsible for monitoring firewall activity?

   c. How frequently are the firewalls being monitored?

   d. What type of activity is being monitored?

   e. Are reports available on the activity?

   f. If someone other than the bank is monitoring the firewalls are there monitoring and maintenance agreements in place?
      Yes  No

23. Are all unused services blocked at the firewall?
   Yes  No
   If yes, what ports are left open at the firewall?

24. Are controls in place restricting physical access to computer hardware, software, and communication equipment?
   Yes  No
   If yes, explain.

25. Are loan and certificate of deposit rates posted to the bank's web site?
   Yes  No
   If yes, how often are they updated and who is responsible for updating?

26. Are any application forms available on the web site?
   Yes  No
   If yes, provide copies.

27. If applications are available on the web site, how does the customer submit them?
   Fax
   Online
   Mail
   In-person
   Other (explain)

28. Does the bank verify the legitimacy of the customer who has submitted the application?
   Yes  No
   If yes, how is it verified?

29. If accepting customers over the Internet are OFAC restrictions being considered? (OFAC stands for Office of Foreign Assets Control)
   Yes  No

30. List all personnel involved with electronic banking and their duties. (If available, provide an organizational chart.) Indicate the individual(s) responsible for the electronic banking area.

31. Does the bank have an Electronic Banking Committee (or something similar)?
   Yes  No
   If yes, list the members and their responsibilities.

   How often do they meet?

32. What incentives does the bank provide for obtaining and retaining key IT personnel?

33. What is discussed with the Board of Directors regarding the bank's web site and services offered? (Provide copies if not already provided for the examination.)

34. Is the Board fully informed of the risks involved with electronic banking and do they understand those risks? (strategic, reputation, transaction, compliance)
   Yes  No
   Yes  No   Is it noted in the minutes?

35. Is a review of electronic banking included in the annual Directors' exam (or a separate exam)?
   Yes  No
   Yes  No   Were any exceptions found?
   Yes  No   Have they been addressed?
   Provide a copy of exceptions noted and management's response.

36. Does the bank have legal counsel review literature distributed to the public?
   Yes  No
   If yes, provide a copy of any opinion received.

37. Please provide a copy of the bank's topology map (schematic diagram).

38. Electronic banking insurance policy - provide copy if separate from financial institution crime bond.

   a. What company is it with?

   b. What type of occurrence does the policy cover?

   c. How many occurrences does it stipulate must take place before coverage applies?

   d. What directors, officers, or employees are covered?

   e. What is the dollar amount of coverage?

   f. What is the deductible amount?

   g. What is the expiration date?

   h. Does it adequately cover the bank's capital?

   i. Is it approved by the board of directors?
      Yes  No

39. Are the bank's hardware and phone lines protected from power surges, lightning strikes, etc.?
   Yes  No
   If yes, how?

40. Are there any pending lawsuits/contingent liabilities relating to electronic banking activities?
   Yes  No
   If yes, describe and provide an attorney's letter indicating the bank's liability and potential for loss.

41. Has the bank encountered any computer-related crime?
   Yes  No
   If yes, what was the nature of the crime and was a suspicious activity report filed?

42. Has the bank checked into similar domain names? (web addresses that are similar or could be mistaken for the bank's) Refer to FDIC Bank Technology Bulletin dated November 8, 2000.
   Yes  No

43. What future plans, changes or other services are you contemplating offering on your web site within the next twelve months? (i.e. IT personnel, additional services, new or change in vendors, software, hardware, or operating procedures.)
TRANSACTIONAL WEB SITE

44. What is included on your transactional web site?
   Internet banking
   Insurance services
   Trust services
   Brokerage services
   Small business services
   Bill payment
   Commercial business services
   Portal services
   Aggregation services
   Other (explain)

45. When did you start offering Internet banking?

46. What options are available to the customer once they have accessed Internet banking?
   Viewing of account balances
   Transfer of funds between accounts
   Bill payment
   Bill presentment
   24/7 customer service by phone or email
   Online application for checking and savings accounts
   Online mortgage and CD applications
   Viewing of loan status and credit card account information
   IRA and brokerage account information access
   Checkbook reconciliation
   Viewing of account history
   Viewing of digital checks online
   Ordering checks online
   Issuing stop payment orders online
   Other

47. What vendor is used for Internet banking?

48. What ongoing expenses are incurred - purpose and amount?

49. Have letters of assurance been obtained as required by Section 524.218 of the Code of Iowa?
   Yes  No

50. Has the FDIC been notified in relation to Section 7(c)(2) of the Bank Service Company Act? (this form is not required if the bank is a Federal Reserve member)
   Yes  No

51. What services (if any) are customers being charged for and how much?

52. Does the bank have a written contract with the vendor?
   Yes  No

   At a minimum, does it include the following:
   Yes  No   Access, ownership and control of customer data and other confidential information.
   Yes  No   Liability for data and confidential treatment of information.
   Yes  No   Reasonable assurances for continuation of service through back up arrangements in the event of a problem situation.
   Yes  No   Subcontractors and other supporting vendors, if applicable, including their roles and responsibilities.
   Yes  No   Privacy of information with subcontractors.
   Yes  No   Reasonable control and update of content and capabilities in a timely manner.
   Yes  No   Opportunities to review financial information, independent annual audits and similar reports. (SAS 70)
   Yes  No   Security precautions on the part of the service provider.
   Yes  No   Does it prohibit assignment?
   Yes  No   Hardware and software upgrades.
   Yes  No   Price changes.
   Yes  No   Reasonable penalty and cancellation provisions.
   Yes  No   Training.
   Yes  No   Problem resolution.
   Yes  No   The bank's ability to monitor, store and retrieve electronic transmissions (including messages and data) between the bank and its customers.
   Yes  No   Initial pricing, including down payments, and continuing costs.
   Yes  No   Description of the work to be performed or service to be provided.
   Yes  No   Provisions for handling disputes.
   Yes  No   Protection if the vendor exits the business.
   Yes  No   Specify insurance is to be maintained by the vendor.

53. Did legal counsel review the vendor contract?
   Yes  No

54. Does the expiration date of the contract coincide with that of any subcontractors?
   Yes  No

55. Has management received assurance that the vendor has conducted due diligence reviews of any subcontractors?
   Yes  No

56. Have you checked what insurance coverage the vendor has?
   Yes  No
   If yes, what do they have?

57. Has the bank reviewed the vendor's contingency plan and procedures?
   Yes  No
   If yes, are you comfortable with the plan and/or procedures?
   Yes  No

58. Are there stress (volume) testing procedures in place to determine the capacity of the vendor's system?
   Yes  No
   If yes, give details.

59. Have you had any problems with the vendor?
   Yes  No
   If yes, give details.

60. Do you obtain financial information on the vendor?
   Yes  No
   If yes, how frequently do you receive it and when did you last get it?

   Who reviews it?

61. Did you receive a copy of the most recent audit report on the vendor (SAS 70)?
   Yes  No
   If yes, please provide the report.
   Yes  No   Was the management letter also requested and received? If yes, please provide a copy.

62. Does the bank belong to any vendor user groups?
   Yes  No

63. How is the bank's internal network connected to the outsourcing vendor?
   DSL
   Cable
   56k dial up
   ISDN
   T1 line
   Frame relay
   28.8 dial up
   Other (describe)

64. What type of environment does the Internet banking site operate in?
   real time (is the main frame updated immediately?)
   batch processing
   memo post
65. If using batch processing, how and when is information transferred between the vendor and the bank?

66. List personnel authorized to access the management side of the bank's Internet banking system and their levels of access. Who reviews this for appropriateness and how often is it reviewed?
67. Provide password procedures on the following:

   EXTERNAL (customers)

   a. Authentication of user

   b. Customer locked out of account

   c. Initially issuing password

   d. Frequency of password change and is it required

   e. Automatic log-off controls for user inactivity

   f. Do excessive failed access attempts disable access and how many failed attempts is excessive

   g. Requirement for make-up of password

   h. Customer loses or forgets password

   i. Any other procedure not listed above:

   INTERNAL (bank personnel)

   a. Frequency of password change and is it required?

   b. Log off procedure when leaving station

   c. Do excessive failed access attempts disable access and how many failed attempts is excessive

   d. Requirement for make-up of password

   e. Any other procedure not listed above:

68. Do employees have access to customer passwords?
   Yes  No

69. Other than applications, are any types of lending or loan advances done over the Internet?
   Yes  No
   If yes, provide procedures followed.

70. Are procedures in place to prevent transfers of uncollected funds?
   Yes  No
   If yes, describe procedures.

71. Are safeguards in place to detect and prevent duplicate transactions?
   Yes  No
   If yes, describe.

72. Are there procedures for verifying the legitimacy of customer requests for changes to their accounts or customer information?
   Yes  No
   If yes, describe the procedures.

73. What vendor(s) is utilized for the bill payment function?

74. How many customers are signed up for Internet banking and/or bill payment?

75. Does the bank provide a guarantee or warranty when a payment is not properly made through the bill payment system?
   Yes  No  NA
   If yes, what is the guarantee or warranty?

   Yes  No  NA   Has it been reviewed by legal counsel?

76. Other than Internet banking or bill payment, has the bank contracted with any other vendors for services on the web site? (list vendor name, location, and service)
77. What exception reports are received for any transactional functions on the bank's web site? (provide a sample of reports received)

   a. How often are they reviewed and by whom?

78. What activity reports are received? (provide a sample of reports received)

   a. How often are they reviewed and by whom?

   b. Do they track the nature, volume, speed, and trends?

   c. How do the results compare to bank projections?

79. Is the bank using digital signatures and/or digital certificates?
   Yes  No   Digital signatures
   Yes  No   Digital certificates (or ID)
80. At what level is sensitive data encrypted?
   40-bit
   128-bit
   other (describe)

81. Does the bank have procedures in place for when there is an interruption in service of Internet banking for the customer (contingency plan)?
   Yes  No   Due to disaster (natural, human, technological) at the bank level.
   Yes  No   Due to disaster (natural, human, technological) or lack of capacity at the vendor level.

82. Do IT personnel participate in training programs?
   Yes  No
   If yes, what types of programs?

83. Is electronic banking training provided to other officers and employees of the bank?
   Yes  No

84. Does the bank or outsource vendor have a software escrow agreement in place?
   Yes  No
   If yes, how often is the escrowed software independently verified as being current and complete?

85. Does the bank have a target market or trade area for the Internet?
   Yes  No   Target market - If yes, what is it?

   Yes  No   Trade area - If yes, what is it?

86. Are any policies and procedures in place to address activities beyond the traditional trade area?
   Yes  No
   If yes, what are they?

87. Did the bank do a cost analysis specifically on electronic banking?
   Yes  No
   If yes, provide a copy.

88. Are income and expense items, related to electronic banking, included in the annual budget?
   Yes  No

89. Are guidelines for retention of source documents supporting electronic banking activities in place?
   Yes  No

90. Has management established programs and/or procedures for the following?
   Yes  No   Customer service, support, and education - If yes, describe.

   Yes  No   Customer demands, problems, and complaints - If yes, describe.

91. Where nondeposit investment products are offered or promoted on the bank's web site are the following disclosures included (at a minimum)?
   Yes  No   Not FDIC insured
   Yes  No   Not a bank deposit, bank obligation, or guaranteed by the bank
   Yes  No   Subject to investment risk, including potential loss of principal
   Yes  No  NA   If required, was approval received from the Superintendent of Banking?

92. Are you allowing customers to advertise on the bank's web site?
   Yes  No
   If yes, what disclosures are included on the page?

93. Have steps been taken to safeguard information in regards to Gramm-Leach-Bliley (GLBA) 501(b)?
   Yes  No

IF THE BANK BEGAN OFFERING ELECTRONIC BANKING SERVICES WITHIN THE LAST TWO YEARS - PLEASE ANSWER THE QUESTIONS BELOW:

94. What was your reasoning for offering Internet banking and/or any other electronic banking services?
   Profit
   Convenience
   Retain customers
   Competition
   New customers
   Customers' request
   Other (explain)

95. How did you choose which vendor to use?

96. What was the initial set-up cost?

97. Was testing done with employees before offering to customers?
   Yes  No
   If yes, what date did testing with employees start?

   What date did you start offering to customers?

Signature of person in charge of electronic banking: ______________________________________________________

Date signed: _________________
DEFINITIONS:

Web site - The bank's home page and other proprietary pages located on the World Wide Web.

Three types of web sites:
   LEVEL 1 - site is informational only and may allow nonsensitive emails (informational).
   LEVEL 2 - level one with the addition of allowing sensitive information emails (interactive).
   LEVEL 3 - fully transactional, including facilitating electronic funds transfer and other financial transactions (If you offer Internet banking, you are a transactional site) (transactional).

Electronic banking - Delivery of banking services through the use of electronic communications, primarily the Internet. Electronic banking may include: Internet banking, ATMs, wire transfer, telephone banking, EFT, and debit cards.

Internet banking - Banking services available through the bank's web site.

Security administrator - Person directly responsible for the security controls.

System administrator - Individual responsible for managing a multi-user computer system.

Software escrow agreement - Many vendors do not release the source code to the purchaser. This is intended to protect their system's integrity and copyright. The application system is installed in object code. An alternative to receiving the source programs is to establish an escrow agreement. In this agreement, which should be part of the service contract or exist as a separate document, the financial institution would be allowed to access source programs under certain conditions, such as discontinued product support or financial insolvency by the vendor. Adequate programming and system documentation should also be required. A third party would retain these programs and documents in "escrow". Financial institutions should determine periodically that the source code maintained in escrow is up-to-date. This can be done by a third party independently verifying the version number of the software.