Compliance Guru • FFIEC Guidance

Ask the Guru – Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?
By The Safe Systems Compliance Team  |  In Ask the Guru

Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for […]

Are Banks and Credit Unions Required to Address Your COVID-19 Readiness with Your Customers?
By The Safe Systems Compliance Team  |  In Ask the Guru

Are You Required to Address Your COVID-19 Readiness with Your Customers?

Hey Guru! Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online […]

Scheduling IT Audits Using Risk Scoring
By The Safe Systems Compliance Team  |  In Ask the Guru

Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru! In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we be doing? By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that […]

Pandemic testing and the Business Continuity Plan
By The Safe Systems Compliance Team  |  In Ask the Guru

Pandemic Testing and the BCP

Hey Guru! We finished an FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding: Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested. […]

Passing along exam findings
By The Safe Systems Compliance Team  |  In Ask the Guru

Ask the Guru: Is it Legal to Share Exam Findings?

Hey Guru! We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble? Thanks for the question, here is where this issue […]

Addressing BCP and Incident Response in a Vendor Contract
By The Safe Systems Compliance Team  |  In Ask the Guru

Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

Hey Guru! I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response risks are adequately addressed” in our contracts? We do get copies of their BCP/IRP plans and their insurance, and we […]

By Holly Hooks  |  In Ask the Guru

Ask the Guru: Do We Need to Perform a Review on a New Vendor in a Foreign Country?

Hey Guru! Our institution works with a third party that has recently engaged with a company in a foreign country to begin assisting them in taking care of our institution’s IT matters. Do we need to perform a review on this new foreign third party? When evaluating this situation, the first step is to understand the parties […]

Best GDPR Practices for Financial Institutions
By The Safe Systems Compliance Team  |  In Ask the Guru

Ask the Guru: GDPR

Hey Guru! I have heard a lot about GDPR recently, but I am not terribly familiar with it. I already break my back to stay in compliance with FFIEC guidance. Do I have anything more to worry about here? GDPR has certainly been in the news for the past few months as implementation was required […]

By The Safe Systems Compliance Team  |  In Ask the Guru

Ask the Guru: A Prospective Vendor Either Won’t or Can’t Provide the Documentation We Need. What Should We Do?

Hey Guru! We’re doing our due diligence on a new HR software package. We’ve requested the vendor’s financials and a SOC 2 report, but they told us they don’t provide financials (they are privately held), and their SOC 2 won’t be completed until the end of the year. They do have a SOC 1. What […]

By Tom Hinkel  |  In Ask the Guru

Ask the Guru: How Can I Best Determine My Cyber Risk Profile?

Hey Guru! We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified. Can we draw any conclusions about our average risk and control levels? For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well. Can we […]

Do we have to complete the FFIEC's CAT?
By Holly Hooks  |  In Ask the Guru

Ask the Guru: “The Cybersecurity Assessment Tool… Do we have to?”

Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC […]

Copyright © Compliance Guru®.
All Rights Reserved.
