- Final FFIEC Authentication Guidance just released
Well, after much anticipation and speculation we finally have the updated FFIEC guidance, and there doesn’t appear to be anything radically new here that would justify waiting an additional 6 months. At the very least I thought we might see some changes in the Effectiveness of Certain Authentication Techniques section, or in the Appendix (Threat…
- Audits vs. Examinations
As I speak with those in financial institutions responsible for responding to audit and examination requests, I find that there is considerable confusion over the differences between the two. And some of this confusion is understandable…there is certainly some overlap between them, but there are also considerable differences in the nature and scope of each…
- SOC 2 vs. SAS 70 – 5 reasons to embrace the change
The SOC 2 and SOC 3 audit guides have recently been released by the AICPA, and the SAS 70 phase-out becomes effective tomorrow. The more I learn about these new reports the more I like them. First of all, as a service provider to financial institutions we will have to prepare for this engagement (just…
- Vendor Management and the SAS 70 Replacement
I’ve written previously about the replacement for the SAS 70, which officially phases out on June 15th. But because this one report is being replaced with 3 new reports, financial institutions have an additional challenge that they didn’t have before. Your vendor management program must now determine the most appropriate report to request based on…
- “Concentration of duties”
It is not unusual for a community financial institution with limited personnel to have the Information Security Officer (ISO) act as a backup network administrator. In fact, this is a relatively common practice in an environment where key personnel will typically wear several hats. And there are practical reasons for this; the ISO is typically…