Author: The Safe Systems Compliance Team

  • FFIEC Rewrites Business Continuity Guidance

    The all-new IT Examination Handbook is more than an update; it is a complete rewrite, and it represents a significant change in how the business continuity process is managed. It also sets several new expectations that regulators will be looking for from financial institutions. In fact, that is one of the most interesting changes; the term “institution”…

  • Using Risk Scoring to Determine the Frequency of IT Audits

    Hey Guru! In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months; what else should we be doing? By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that…

  • FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

    A Standardized Approach. On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness.” On the surface this seems very logical and straightforward, but in fact this may have provided more…

  • Pandemic Testing and the BCP

    Hey Guru! We finished an FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan, saying it “needed improvement.” Here is the actual finding: Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested.…

  • Ask the Guru: Is it Legal to Share Exam Findings?

    Hey Guru! We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble? Thanks for the question; here is where this issue…

  • Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

    Hey Guru! I’m looking at an FIL that came out recently (FIL-19-2019) and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response risks are adequately addressed” in our contracts? We do get copies of their BCP/IRP plans and their insurance, and we…