Category: Ask the Guru

  • Ask the Guru: Is it Legal to Share Exam Findings?

    Hey Guru! We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble? Thanks for the question, here is where this issue…

  • Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

    Hey Guru! I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response risks are adequately addressed” in our contracts? We do get copies of their BCP/IRP plans and their insurance, and we…

  • Ask the Guru: Do We Need to Perform a review on a New Vendor in a Foreign Country?

    Hey Guru! Our institution works with a third-party that has recently engaged with a company in a foreign country to begin assisting them in taking care of our institution’s IT matters. Do we need to perform a review on this new foreign third-party? When evaluating this situation, the first step is to understand the parties…

  • Ask the Guru: GDPR

    Hey Guru! I have heard a lot about GDPR recently, but I am not terribly familiar with it. I already break my back to stay in compliance with FFIEC guidance. Do I have anything more to worry about here? GDPR has certainly been in the news for the past few months as implementation was required…

  • Ask the Guru: A Prospective Vendor Either Won’t or Can’t Provide the Documentation We Need. What Should We Do?

    Hey Guru! We’re doing our due diligence on a new HR software package. We’ve requested the vendor’s financials and a SOC 2 report, but they told us they don’t provide financials (they are privately held), and their SOC 2 won’t be completed until the end of the year. They do have a SOC 1. What…

  • Ask the Guru: How Can I Best Determine My Cyber Risk Profile?

    Hey Guru! We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified. Can we draw any conclusions about our average risk and control levels? For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well. Can we…