Category: From the Field

  • Incident response – to report or not?

    For the purposes of regulator reporting and customer notification, it is critical that we first define an “incident”.  Here is how an incident is defined by the FFIEC:

  • Archiving vs. retention of email and other electronic data

    There is no specific FFIEC regulatory mandate for archiving, just retention.  However, there are three reasons why you might want to consider archiving, which I will address shortly.  First though, the issue of retention.  The key to complying with legal and regulatory guidelines regarding retention is to consider all electronic information (including email) exactly the…

  • DR Plans – Compliant or Recoverable?

    When addressing the issue of your disaster recovery plan, the ultimate goal is both.  But if you’re faced with limited resources (time, personnel, and money), and need to decide whether you’ll conduct a test or re-write your existing plan, what should you do?  A successful test demonstrates that you can recover if you have to. …

  • The 5 trickiest FDIC IT examination questions (part 5).

    In my last post, I asked you to weigh in on what question you wanted me to address in this final post of the series.  This one came from a bank that was in the process of actually filling out the questionnaire, and it’s a good one.  It’s found in the Vendor Management section: “Has…

  • The 5 trickiest FDIC IT examination questions (part 4).

    Last time in Part 3 we discussed (at some length) the FDIC IT Exam question “Are project management techniques and system development life cycle processes used to guide efforts at acquiring and implementing technology (Y/N)?”.  This time, we address a question from the Part 3 – Audit/Independent Review Program section titled: “Are the results of…

  • The 5 trickiest FDIC IT examination questions (part 3).

    Last time in Part 2 we tackled “Does the bank’s strategic planning process incorporate information security (Y/N)?” from the FDIC IT Examination…