Discussion-based exercise where personnel meet to validate the components of a plan by discussing their roles and responsibilities.
Tabletop Exercise
Document where audit findings are listed with priorities for remediation
Issue tracking document
Controls network traffic based on predefined rules
Firewall
Organizations perform this process at onboarding to assess a vendor’s financial stability and security practices
Due diligence
This is a key access control for customers who can submit online or high-risk payment requests
Multi-factor authentication
This analysis is the process of identifying the potential impact of disruptive events on an entity's functions and processes.
Business Impact Analysis
This should be clearly defined in an audit engagement letter or proposal.
Audit scope/scope of work
Monitors traffic and actively blocks malicious network activity.
Intrusion Prevention System (IPS)
Organizations should conduct these periodically to measure performance and security.
Vendor assessments
These should be set and periodically reviewed for employees who process wire payments
Limits/Authority limits
A location partially equipped with information systems to support relocated operations in the event of a significant disruption.
Warm site
Used to set the scope and frequency of an audit
Risk assessment process
The process of dividing a network into smaller, isolated networks to limit the impact of a breach.
Network segmentation
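The two network controls above (a firewall enforcing predefined rules, and segmentation limiting what a compromised host can reach) can be illustrated with a small first-match, default-deny rule evaluator. This is an added example written for this page, not the deck's own material; the segment addresses, ports and rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # None matches any destination port

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

# Constructed example segments (assumed addressing, not from the page)
USERS = ipaddress.ip_network("10.10.0.0/24")   # user workstations
PAY   = ipaddress.ip_network("10.20.0.0/24")   # payment application servers
DB    = ipaddress.ip_network("10.30.0.0/24")   # database segment
ANY   = ipaddress.ip_network("0.0.0.0/0")

# Rules are evaluated top to bottom; the first match wins.
RULES = [
    Rule("allow", USERS, PAY, "tcp", 443),   # users reach the payment app over HTTPS only
    Rule("allow", PAY, DB, "tcp", 5432),     # only app servers may reach the database
    Rule("deny",  ANY, ANY, "any", None),    # default deny: every other flow is blocked
]

def evaluate(rules, src, dst, proto, dport):
    """Return the action of the first rule matching the flow; deny if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"

if __name__ == "__main__":
    # A workstation cannot reach the database directly, even if it is compromised.
    print(evaluate(RULES, "10.10.0.5", "10.30.0.9", "tcp", 5432))
```

The point of the segmentation is in the second test case: a compromised workstation in the user segment can only talk to the payment application on one port, and never to the database, because the only path to the database is from the application segment and the final rule denies everything not explicitly allowed.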
Contractual agreement which defines expectations regarding response times or availability.
Service level agreement
Management should perform these to verify the authenticity of payment requests received through channels other than in person
Call backs
When two or more processes, functions, or entities rely on another to successfully complete a task.
Interdependence/Interdependency
Identifies the frequency of audits
Audit cycle/schedule
Security model built on the principle "never trust, always verify", requiring authentication and authorization for every access request.
Zero trust
Report that evaluates the design and operating effectiveness of a company's controls over a period of time.
SOC 2 Type 2
This is the primary governing body of the ACH network
NACHA
Overall length of time a system can be in the recovery phase before negatively impacting an org’s mission.
Recovery time objective (RTO)
This may be determined by analyzing the reporting process and verifying candor of findings and recommendations
Audit independence
Host-based technology that actively monitors endpoints for malicious activity and may provide real time detection, quarantining, and reporting.
Endpoint Detection and Response
According to the Federal Information Security Standards, banks shall require their service providers by contract to do what?
Implement appropriate measures designed to meet the objectives outlined in the Security Standards.
In ACH, this is a term for a client that provides ACH entry instructions
Originator