I'm re-posting this from my prior post in a prior thread. It provides a good start on your audit program, but your level of exposure needs to be incorporated within the areas to be audited.
Here are 'some' of the issues. Columns are: Item/Issue, Risk (level), Control (to be audited), and a column to note when tested and by whom.
| Item/Issue | Risk | Control | Testing/Audit/Other |
|---|---|---|---|
| Internal Documents | Medium | Locked shredding bins in each facility; shredding delivered to bins at the end of each business day. | Tested by ______ / On ______ |
| Internal Communications | High | Are verbal communication activities between employees, and between employees and customers, within the lobby and other public areas of the bank conducted in a private manner? | Tested by ______ / On ______ |
| Documents on Desks, Non-Business Hours | Medium | All documents to be locked away during non-business hours. | Tested by ______ / On ______ |
| Documents on Desks during business hours | Medium | Customers' documents must be kept out of view of other customers during business hours. | Tested by ______ / On ______ |
| Visibility of workstation monitors to public | Medium | All workstations are required to be faced away from the bank lobby (public areas); any exception is to be documented, subject to board approval. | Tested by ______ / On ______ |
| Retirement of equipment (PCs) | Low | All hard drives are erased after retirement. | Tested by ______ / On ______ |
| Access to data center | High | Electronic locks; authorized personnel only. | Tested by ______ / On ______ |
| Employee system access levels (primary system) | Medium | Employee access levels limited by assigned responsibility; written policy (IS Security). | Tested by ______ / On ______ |
| Privacy Notice on Web Site | Low | Web site periodically reviewed to assure that privacy notice is posted. | Tested by ______ / On ______ |
| Hacking and other external threats to network | High | Firewall; password procedures; various other written policies (IS Security Policy). | Tested by ______ / On ______ |
| Information shared internally throughout the bank | Medium | Information sharing is limited to employees' need to know. | Tested by ______ / On ______ |
| Training | High | Information Security (Privacy) training at least annually; document attendance and training material. | Tested by ______ / On ______ |
| Customer Telephone inquiries | High | Employees required to fully determine the identity of the caller. | Tested by ______ / On ______ |
| Bank adds new technology components, products, services | High | Procedures in place prior to implementation that address privacy issues. | Tested by ______ / On ______ |
| Bank adds new vendor | High | Vendors that require access to customer data must have an acceptable privacy policy in place; retain copy in files. | Tested by ______ / On ______ |
| Current vendors | High | Contracts must include privacy statements (primary DP vendor, ATM vendor, etc.). | Tested by ______ / On ______ |
| Annual Privacy Notice | Low | Annual privacy notice must be forwarded to customers. | Tested by ______ / On ______ |
| Privacy notice – new accounts | Low | All new account customers are given a copy of the bank's privacy statement. | Tested by ______ / On ______ |
| Information Reporting opt-out | High | If the bank is providing customer information to a vendor other than a credit reporting agency, data processor of the bank, etc., are customers allowed to opt out when a request is received? | Tested by ______ / On ______ |
| Garbage | High | Is the bank's garbage periodically checked to assure that no customer information, documents or other private data or documents are being placed in the garbage? | Tested by ______ / On ______ |
| Web Site E-Mail | High | Is there a privacy notice posted on the bank's web site informing customers that email is not a private mode of communication? | Tested by ______ / On ______ |