  • Thankful for…Appendix A?!

    When you were a kid, you hated the “pop quiz,” right?  But if the teacher allowed you to use your notes and textbooks, you felt like you at least had a fighting chance.  I’ve taken both proctored and “open book” certification exams, and I’ve always felt that open-book exams more accurately reflected how most of…

  • SAS 70 vs. SSAE 16 from the service provider perspective

    Although it’s unclear what, if anything, the FFIEC* will say about the new standard before it is officially adopted in June of next year, one thing is certain…both vendors and financial institutions will need to become familiar with the differences in the interim.  And one of the most significant differences between the two reporting standards…

  • Incident response – to report or not?

    For the purposes of regulator reporting and customer notification, it is critical that we first define an “incident”.  Here is how an incident is defined by the FFIEC:

  • Mobile devices and information security

    The key to addressing the risk of mobile devices is to think of them as functionally equivalent to a PC (with all the information security risks…

  • DR Plans – Compliant or Recoverable?

    When addressing the issue of your disaster recovery plan, the ultimate goal is both.  But if you’re faced with limited resources (time, personnel, and money), and need to decide whether you’ll conduct a test or re-write your existing plan, what should you do?  A successful test demonstrates that you can recover if you have to. …

  • The FFIEC Handbooks and the SAS 70

    I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of SSAE 16 and the AICPA’s new SOC reporting framework (SOC 1, SOC 2, SOC 3) here and here.  The AICPA isn’t expected to update their audit guide until sometime early next year, but financial institutions are anxious to get the FFIEC to comment, as the SAS 70…