Baseline Nonbank Cybersecurity Exam Program

Question 39

Does the institution maintain an inventory of all approved hardware and software assets? If yes, request a copy of the inventory list and verify it generally matches the topology diagram. Are documented security configuration standards maintained for all authorized operating systems and software?


Question 40

Does the institution have an up-to-date network topology (diagram) available for review? Are the following physical devices identified?

• Locations of servers or clusters. If clusters or VM hosts are identified, do they specify the virtual machines associated with the host?
• Security devices such as firewalls and IDS/IPS devices
• Network connections to the internet
• User devices, either individually or as a group
• Devices or servers that provide key network services such as DNS and DHCP, or core applications
• DMZ areas
