Category: Ask the Guru

  • Have There Been Any Official Board Reporting Updates to the FFIEC InfoSec Handbook since 2016?

    Have There Been Any Official Board Reporting Updates to the FFIEC InfoSec Handbook since 2016?

    Hey Guru! Do you have any additional blogs about FDIC changing the annual IT report to the board? I saw the article from 2012 and was wondering if there are any updates to that. Has the FFIEC updated its Information Security IT Handbook after 2016 in regard to this subject?Thank you,Lynn Hi Lynn, and thanks…

  • Vlog: Are Bank Regulators Considered Vendors?

    Vlog: Are Bank Regulators Considered Vendors?

    In this special vlog installment of Ask the Guru, Tom Hinkel answers a question asked by an OCC bank examiner, “Are regulators considered vendors for banks?” Watch the video below to hear Tom’s thoughts on the matter.

  • Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

    Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

    Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for…

  • Are You Required to Address Your COVID-19 Readiness with Your Customers?

    Are You Required to Address Your COVID-19 Readiness with Your Customers?

    Hey Guru! Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online…

  • Using Risk Scoring to Determine the Frequency of IT Audits

    Using Risk Scoring to Determine the Frequency of IT Audits

    Hey Guru! In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we be doing? By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that…

  • Pandemic Testing and the BCP

    Pandemic Testing and the BCP

    Hey Guru! We finished a FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding: Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested.…