Author: Tom Hinkel

  • BCP plans continue to draw criticism

In a recent FDIC IT Examination, the examiner made the following criticism of the institution’s DR/BCP: “Business continuity planning should focus on all critical business functions that need to be recovered to resume operations. Continuity planning for technology alone should no longer be the primary focus of a BCP, but rather viewed as one critical…

  • Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance

    We’ve all now had a couple of weeks to digest the new guidance, and what has emerged is a clearer understanding of what the guidance requires…and what it doesn’t.  But before we can begin to formulate the specific compliance requirements, we have to interpret what the guidance is actually saying…and what it isn’t.  And along…

  • Final FFIEC Authentication Guidance just released

    Well, after much anticipation and speculation we finally have the updated FFIEC guidance, and there doesn’t appear to be anything radically new here that would justify waiting an additional 6 months.  At the very least I thought we might see some changes in the Effectiveness of Certain Authentication Techniques section, or in the Appendix (Threat…

  • Audits vs. Examinations

    As I speak with those in financial institutions responsible for responding to audit and examination requests, I find that there is considerable confusion over the differences between the two.  And some of this confusion is understandable…there is certainly some overlap between them, but there are also considerable differences in the nature and scope of each…

  • SOC 2 vs. SAS 70 – 5 reasons to embrace the change

    The SOC 2 and SOC 3 audit guides have recently been released by the AICPA, and the SAS 70 phase-out becomes effective tomorrow.  The more I learn about these new reports the more I like them.  First of all, as a service provider to financial institutions we will have to prepare for this engagement (just…

  • SAR Filings – Computer Intrusion vs. Identity Theft

    The Financial Crimes Enforcement Network (FinCEN) publishes a statistical summary and review of all suspicious activity report (SAR) filings a couple of times per year.  The latest one was just released in May covering the 10 year period from 1/1/2001 through 12/31/2010.  I thought it might be interesting to see how the category of Computer…