| Boilerplate | Description | Program | Price |
|---|---|---|---|
| Access Management Procedure | The Access Management Procedure is used to identify and restrict user access to system resources to the minimum required for work to be performed. As per the Data Ownership Policy, this procedure identifies Data Owners, defines the procedure for an annual Access Authorization Review, and details the procedures for a Data Classification Process and a Data Flow Risk Assessment. | Access Management | |
| Background Check Procedure | This document outlines the procedure that the organization follows for initial pre-employment screening and background checks, as well as ongoing random tests. It may call for drug testing, etc. | Access Management | |
| Data Ownership Policy | Technology permeates the operations of the entire organization and therefore defies departmentalization. However, business function managers within the organization must have authority over the data that flows through their business function. These business function managers need to be aware that they are responsible and accountable for the security of the data which they "own." Therefore, a policy should be developed to grant proper authority to these "Data Owners." | Access Management | |
| Disposal of Electronic Non-public Information Procedure | This document is used to help ensure that the receipt and removal of hardware and electronic media containing non-public information complies with regulations and best practices. | Access Management | |
| New Employee Orientation Checklist | This is the form used to ensure complete and proper orientation of new employees. | Access Management | |
| New Employee Orientation Procedure | This document is used to define responsibilities and describes a program that is designed to ensure a consistent, thorough process throughout all the stages of orientation. | Access Management | |
| Termination Checklist | This document provides a list of all things that must be done when an employee and/or contractor is terminated. It is used as a control to ensure proper processing. | Access Management | |
| Termination Procedure | Whenever the employment of someone with access to sensitive or confidential material is terminated for any reason, management should follow certain procedures. These procedures are intended to assist in limiting the vulnerability of the organization, and are outlined in this document. | Access Management | |
| Visitor Authentication Procedure | This outlines a procedure that documents what actions employees should take when "visitors" request access to various areas of the financial institution. | Access Management | |
| Electronic Record Retention Procedure | The main goal of this policy is to ensure that all documents are maintained and retained according to applicable state and federal laws and regulations. This document also includes an Electronic Discovery (eDiscovery) Policy that may either be included in the Record Retention Policy or put into its own policy document. | Asset Management | |
| Network Diagram and System Documentation Procedure | This document provides a procedure for requiring the technical team to stay on top of basic documentation requirements (such as network diagrams, system diagrams, etc.). | Asset Management | |
| Software License Management Procedure | This document provides a procedure that assists departments in managing software assets. Proper software management includes establishing responsibility, maintaining an accurate inventory, ensuring license compliance, and effectively allocating the use of software applications. | Asset Management | |
| Agenda for Portable Device Configuration Standards | This is a document that can be used to help "put the cat back in the bag" as you roll out BYOD to those who already have e-mail on their phones. | Asset Management, Branchless Banking | |
| ATM Risk Assessment | A drill-down risk assessment that can be used to roll out newer "smart ATMs". | Asset Management, Branchless Banking | |
| Down and Dirty BYOD Language | This document provides language that may be inserted into an AUP or other document to cover MOST of the concerns related to BYOD risk. We strongly urge you to consider a more deliberate approach! | Asset Management, Branchless Banking | |
| Portable Device Risk Assessment | A risk assessment meant to start off the BYOD process (and you can use it to update that process as well). | Asset Management, Branchless Banking | |
| Portable Devices Audit Checklist | A checklist that can be used to manually audit a user's issued or authorized device as per the Portable Device Security Procedure. | Asset Management, Branchless Banking | |
| Portable Devices Configuration Standards | The purpose of this document is to establish standards for administration, encryption, endpoint security, and other processes that will mitigate portable device risk. | Asset Management, Branchless Banking | |
| Portable Devices Procedure Signoff Page | A form at the back of the Portable Devices Procedure that employees who are issued portable devices (laptops, PDAs, cell phones) sign, signifying they understand the procedure. | Asset Management, Branchless Banking | |
| Portable Devices Security Procedure | A procedure that addresses the use of laptop computers, personal digital assistants, and portable electronic storage devices. Distribute to users who are issued portable devices. | Asset Management, Branchless Banking | |
| Remote Access Security Procedure | The Remote Access Security Procedure provides security directives for telecommuters using the company's computer systems, and complies with established policies and other related information security documents. It applies to all computer platforms and all application systems. | Asset Management, Branchless Banking | |
| Social Media Development Policy | This document provides an example framework for a policy that can manage the risk associated with the new marketing capabilities possible with the internet, in compliance with the FFIEC guidance released in December 2013. | Asset Management, Branchless Banking | |
| Social Media Development Standards | This document provides a framework for establishing procedures for developing a social media presence within the constraints of FFIEC guidance and other risk management objectives. | Asset Management, Branchless Banking | |
| Annual Information Security Report to the Board | This is a template for compiling the annual report that is supposed to go directly from the Information Security Officer to the Board of Directors. | Awareness: Board | |
| Board Agenda | An agenda for what needs to be covered in Annual Board Awareness Training. | Awareness: Board | |
| CyberSecurity Awareness for the Board | A PowerPoint meant to fulfill a bank's need for "cybersecurity training." | Awareness: Board | |
| Commercial Customer Awareness Training Flyer | A flyer that includes all required and suggested components of awareness training for commercial customers. | Awareness: Customer | |
| Consumer Awareness Training Flyer | A flyer that includes all required and suggested components of awareness training for customers. | Awareness: Customer | |
| Consumer Awareness Training Puzzles | Awareness Training puzzles that can be given to customers. | Awareness: Customer | |
| Customer Awareness Strategy | A document detailing the financial institution's strategy to train customers not only on the risks they face using Internet banking, but also on other non-traditional methods of performing banking transactions (e.g. hand-held devices). | Awareness: Customer | |
| Identity Theft Prevention | Basis for an Identity Theft brochure that should be provided as a link from the financial institution's Internet banking login page and, if appropriate, in hard-copy format to new Internet banking customers. | Awareness: Customer | |
| Mobile Banking Tips and Trends | Data sheet for mobile banking customers that provides tips and trends for using mobile banking. | Awareness: Customer | |
| Mobile Security Puzzle | Mobile Security puzzles that can be given to customers. | Awareness: Customer | |
| Privacy Policy | This is a template Privacy Policy to be used as a starting point for the sake of helping you develop your own Awareness Program for your customers. | Awareness: Customer | |
| Public Presence Content Checklist | A checklist of critical elements that should be placed on the on-line banking login page for the sake of legal and reputational risk mitigation. Elements of concern go beyond the "typical terms and conditions" and include issues such as ID Theft Prevention Tips, Phishing Warnings, etc. | Awareness: Customer | |
| Awareness Training Procedure | An awareness training procedure for management. | Awareness: Management | |
| Awareness Training Strategy | Information Security permeates the organization, and thus an extremely important step in mitigating Information Security risk is to make the entire team aware of key issues related to Information Security. Buy-in at the management level will ensure proper enforcement of policies and procedures, as well as a cohesive, cost-effective approach to risk mitigation. Therefore, it is imperative that the management team and employees undergo many different levels and layers of awareness training throughout the calendar year. This procedure documents the process used by the Information Security Officer to ensure appropriate information security awareness throughout the calendar year. | Awareness: Management | |
| Information Security Officer Job Description | Job Description Template for the Information Security Officer role. | Awareness: Management | |
| Management Awareness Training Procedure | A procedure that establishes an annual presentation that helps management become aware of Information Security issues from a management perspective: risk management, policy development, incident response, etc. | Awareness: Management | |
| Management Guidelines for Social Media | This is a guidelines document regarding how management team members present themselves on social media. It also contains information about proper disclosures, as well as guidelines on monitoring employee usage of social media. | Awareness: Management | |
| Technology Planning Policy Language | A document used to provide a formal, structured approach towards ensuring that information technology appropriately aligns with overall bank business strategy. | Awareness: Management | |
| Banner Procedure | Appropriate notification of authorized use is done through the use of banners. Banners are used at network login, with facsimile transmittal forms as a disclosure statement, and with e-mail signatures. This procedure indicates the appropriate banners for each system. | Awareness: Technical | |
| Technical Awareness Training Procedure | A document for the development, implementation, and maintenance of technical awareness training. | Awareness: Technical | |
| Acceptable Use Policy | The Acceptable Use Policy is a key control for user awareness and administrative policing of system activities. It details the permitted system uses and user activities and the consequences of noncompliance. All employees should receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system. | Awareness: User | |
| Acceptable Use Policy Checklist | A checklist that can be used to review your AUP and, on a risk basis, determine what may need to be added to "shore it up." | Awareness: User | |
| Commercial Customer Awareness Training Checklist | A checklist covering commercial customer awareness training. | Awareness: User | |
| Conflict of Interest Policy | Outlines the organization's approach to identifying and evaluating potential conflicts of interest and assisting its employees in addressing conflict of interest issues. | Awareness: User | |
| Stand-alone User Level Social Media Policy | This is a policy that governs employee usage of their OWN social media sites (like Facebook, Twitter, LinkedIn, etc.). It is a stand-alone policy in our library, but most banks are copying the language from it into their existing Acceptable Use Policy. | Awareness: User | |
| User Awareness Training Comprehension Test | A quiz that documents that users have not only read the AUP, but have also received training on that AUP and understand at least the components of the AUP addressed in the test. | Awareness: User | |
| Business Continuity Policy | This policy establishes the requirements for the development of a Business Continuity Plan that is devoted to the concept of keeping the financial institution's information resources, assets, and essential functions operational in all foreseeable circumstances, and will ensure the continued successful operation of essential functions in the following environments: the normal operation environment; the emergency operation environment; and the return to normal operation environment. | Business Continuity | |
| Small Bank Business Continuity Plan | Provides general procedures to be followed whenever situations occur that adversely affect normal daily operations. | Business Continuity | |
| Incident Response Plan | A boilerplate used to create an Incident Response Plan. It describes the Incident Response Team's plan for dealing with computer security incidents, which include, but are not limited to: virus, worm, and Trojan horse detection; unauthorized use of computer accounts and computer systems; and complaints of improper use of Information Resources as outlined in the Acceptable Use Policy. | Incident Response | |
| Incident Response Policy | A template for helping an institution create its own IT Governance Program as well as all the roles needed to maintain one, such as an Incident Response Team. The policy also describes the Incident Response Team's plan for dealing with computer security incidents such as virus, worm, and Trojan horse detection and unauthorized use of computer accounts and systems, as well as handling Acceptable Use Policy compliance. | Incident Response | |
| Intrusion Detection Procedure | A template that is used to help an institution create an Incident Response Program for adequate detection of and response to intrusions and other incidents that can be defined in the Incident Response Decision Tree. | Incident Response | |
| One Page Incident Response Policy | A policy that reduces everything the board should know, require, and be accountable for related to incident response to one page. | Incident Response | |
| Risk Monitoring Architecture | A template to put forth the strategy that the Incident Response Team uses when it comes to Risk Assessment. | Incident Response | |
| Scenario Response: CATO | A template that can be customized to guide the procedure when dealing with a CATO attack incident. | Incident Response | |
| Scenario Response: DDoS | A template that can be customized to guide the procedure when dealing with a DDoS attack incident. | Incident Response | |
| Scenario Response: Generic | A template that can be customized to guide the procedure when dealing with any number of incidents. | Incident Response | |
| Simplified Incident Response Plan | A generic incident response program that demonstrates how a small bank can whittle down our policy set to suit its needs. | Incident Response | |
| Third Party Information Request Procedure | A procedure to control the release or distribution of confidential information to third parties. | Incident Response | |
| Assigned Security Responsibility Policy | This policy covers the procedures for identifying the security official who is responsible for the development and implementation of the policies and procedures for managing the risk that arises from information technology. | Risk Management | |
| Audit Charter | This charter describes the mission, independence and objectivity, scope and responsibilities, authority, accountability, and standards of the Internal Audit function. | Risk Management | |
| Board Minutes CAT Mitigation Strategy | This document is part of a set that provides a framework for a presentation to a board of directors regarding CAT Mitigation. | Risk Management | |
| Board Minutes Overview | This is a template for the board minutes for handing out the CEO/Board Overview Document. | Risk Management | |
| Board Minutes Risk Appetite | This document is part of a set that provides a framework for a presentation to a board of directors regarding CAT Mitigation. | Risk Management | |
| CAT Mitigation Strategy | This is a template for presenting the results of the Cybersecurity Assessment Tool 5th Step: Analysis and Interpretation. It is the document that board minutes #3 refer to, and is used to convey where the financial institution is NOT at the required maturity level, and the institution's plan to mitigate the gap(s). | Risk Management | |
| Commercial Customer Risk Assessment | A drill-down risk assessment on commercial customers. | Risk Management | |
| Cybersecurity Assessment Tool Maturity Analysis and Interpretation Tool (CAT MAIT) | Infotex tool that assists organizations in preparing for the FFIEC Cybersecurity Assessment. | Risk Management | |
| Drill-down Template | A template for drill-down risk assessing. | Risk Management | |
| Information Technology (IT) Governance Policy | Gives birth to other Board-level policies and establishes a governance team (an IS Steering Committee, per se). Establishes measures and policies the entity will take to mitigate risks identified in the risk analysis. Includes a policy for the creation, distribution, training, and updating of all policies and procedures. | Risk Management | |
| Information Technology Risk Analysis Procedure | This document presents the procedure that the financial institution will use for the annual Information Technology Risk Analysis as required by the Board of Directors in the Risk Management Policy. The risk analysis is used to prioritize audit engagements and to design audit tests. | Risk Management | |
| Insurance Risk Assessment | A list of questions for your insurance provider, with the ability to risk-rank the answers you receive. | Risk Management | |
| ISO Committee Charter | This document provides an example framework for an ISO (or ERM) Committee Charter. | Risk Management | |
| IT Audit Program | This document provides direction for vulnerability testing in terms of schedule and test performer. | Risk Management | |
| IT Strategy Plan | The purpose of this plan is to provide an IT Strategy "roadmap" for management to implement and deliver services that support the strategic mission and goals set by the bank. | Risk Management | |
| IT Tactical Plan | This document accompanies the IT Strategy Plan. The purpose of this plan is to provide an IT Tactical "roadmap" for management to implement and deliver services that support the strategic mission and goals set by the bank. The tactical plan implements the strategic plan. | Risk Management | |
| MSSP Drill-down Risk Assessment | A drill-down risk assessment for deploying a Managed Security Service Provider. | Risk Management | |
| Risk Analysis Executive Summary | A summary of the top ten or so risks inherent in the Operational Risk Analysis which has been conducted by a GLBA task force or the IRT. | Risk Management | |
| Risk Analysis Executive Summary (for drill-down risk assessments) | A summary of the top ten or so risks inherent in the risk assessment performed for various drill-down areas (e.g. social media, virtualized environment, wireless banking, etc.). | Risk Management | |
| Risk Assessment (Social Media) | A table used to conduct a risk assessment specifically for social media. Lists vulnerabilities, impact severity, probability, and resulting risk ranking. | Risk Management | |
| Risk Assessment (Wireless Banking) | A table used to conduct a risk assessment specifically for wireless banking. Lists vulnerabilities, impact severity, probability, and resulting risk ranking. This may take into consideration any non-traditional forms of accessing customer data (e.g. hand-held devices, Internet banking, etc.). | Risk Management | |
| Sample IT Audit Universe | A sample IT Audit Universe that can be used to specify an audit RFP. | Risk Management | |
| Security Sanctions Policy | This policy establishes guidance and standards for employee performance expectations in carrying out the provisions of policies and procedures, and the corrective action(s) that may be imposed to address violations. | Risk Management | |
| Automatic Logoff Procedure | Hardware and software located in a user department are often less secure than those located in a computer room. Therefore, organizations should adopt this procedure to ensure that access to all servers and workstations that access, transmit, receive, or store nonpublic information is appropriately controlled. | Security Standards | |
| Change Control Standards | A standards document that defines the requirements needed to document, communicate, and control changes to the organization's production IT environment (application, system software/hardware, database, etc.) while providing assistance to the change owner to help ensure secure, reliable, and successful changes. MEANT FOR SMALL BANKS. | Security Standards | |
| Domain Controller Security Procedure | A procedure for addressing the security of domain controllers. | Security Standards | |
| Encryption Standards | This standards document establishes when encryption is necessary, what situations are eligible for exception, and what specific protocols and encryption schemes are acceptable. | Security Standards | |
| Firewall Security Standards | This standards document applies agreed-upon firewall security standards. | Security Standards | |
| Mainframe Data Encryption Standard | The Mainframe Data Encryption Standard provides security rules for encryption between the mainframe and other external devices. | Security Standards | |
| Microsoft Server Security Procedure | This document establishes a procedure for ensuring a uniform approach to securing servers utilizing platforms provided by Microsoft. | Security Standards | |
| Network Devices Security Standards | A document that provides security directives for all devices connecting to Network Services. | Security Standards | |
| Password Management Procedure | A procedure that establishes a standard for the enforcement of strong passwords, the determination of which applications and operating systems will require strong passwords, the protection of those passwords, and the frequency of maintenance. This procedure also addresses the storage of "shared passwords," meaning those passwords for which it is best practice to have more than one person utilize the password. | Security Standards | |
| Server Build / Configuration Standards | This Server Build / Configuration Standards document provides security directives for the financial institution's Microsoft servers. The purpose of this document is to establish standards for access control, server hardening, and domain controllers. | Security Standards | |
| Contract Review Checklist | A spreadsheet checklist used to check whether all information is included in a contract. | Vendor Management | |
| One Page Vendor Management Policy | A more succinct version of the basic Vendor Management Policy to provide the framework for management to identify, measure, monitor, and control the risks associated with vendors. | Vendor Management | |
| SSAE-16 Review Checklist | A spreadsheet checklist used to check whether all pertinent information and formatting is correct in an SSAE-16. | Vendor Management | |
| Vendor Document Request Letter | A letter sent to vendors requesting documentation pertaining to Vendor Due Diligence. | Vendor Management | |
| Vendor Management Policy | A policy document designed to address vendor relationships from an end-to-end perspective, including establishing servicing requirements and strategies; selecting a provider; negotiating the contract; and monitoring, changing, and discontinuing the vendor relationship. | Vendor Management | |
| Vendor Management Threshold Analysis | A spreadsheet used as a means to decide whether a vendor must comply with the Vendor Management Procedure. | Vendor Management | |
| Vendor Nondisclosure Agreement Template | A sample contract that addresses only the nondisclosure concerns of the Vendor Management Procedure. | Vendor Management | |
| Vendor Owner List | A list of all vendors, the person assigned as their owner, and where they fall on the "governing threshold scale." | Vendor Management | |
| Vendor Review Board Report | This report template can be used both for presenting the results of individual due diligence reviews and for presenting the results of your overall vendor due diligence review to the board. | Vendor Management | |
| Vendor Risk Determination Table | A spreadsheet used to "drill down" further in order to determine the risk presented by a particular vendor. | Vendor Management | |
| Annual Vendor Review Questionnaire | Questionnaire to determine whether the Vendor Owner kept Vendor information updated and reviewed during the past year, as well as reviewing the Vendor from an Owner standpoint. | Vendor Management | |
| Critical Vendor Review Checklist | A checklist used to determine missing elements from the vendor files. | Vendor Management | |
| Generic Vendor Request for Proposal | Outline used to obtain proposals from third-party vendors, requesting information on services available. | Vendor Management | |
| High Risk Vendor Review Checklist | A checklist used to determine missing elements from the vendor files. | Vendor Management | |
| Precontract Vendor Due Diligence Checklist | Precontract checklist to check the viability of a contract with a vendor. | Vendor Management | |
| SSAE-16 Review Report | A report template used both for presenting the results of SSAE-16 reviews and for presenting the results of your overall vendor due diligence review to the board. | Vendor Management | |
| Vendor Agreement Template | A sample contract that addresses the concerns of the Vendor Management Procedure. | Vendor Management | |
| Vendor Contract Addendum Template | Template used to add things previously missing from a vendor contract. | Vendor Management | |
| Vendor Document Second Request Letter | A second letter sent to vendors requesting documentation pertaining to Vendor Due Diligence. | Vendor Management | |
| Vendor Due Diligence Schedule | This is a schedule starting 01/01/?? and going through completion of a typical "first review," so that vendor management team members can get a feel for how long a due diligence review would actually take. Two time frames: 90-day deliverables and 180-day deliverables. | Vendor Management | |
| Vendor Management Procedure | A procedure for managing vendors, including pre-contract, contract, and ongoing due diligence requirements. | Vendor Management | |