In the previous post, I suggested that because mobile devices (smart phones and PDA’s) were not that functionally different in how they process, transmit, and store information than other mobile computing devices like laptops, a separate policy wasn’t necessary. Since data security, confidentiality and integrity concerns were the same as other devices, you should be […]
BYOD Redux – The Policy Dilemma (Part 1)
Employee-owned mobile devices are everywhere, and they’re being used for everything from email to document storage and editing. Proper risk management procedures are defined in your policies, but do you need a separate mobile device policy, or can you simply mention them in the same policy sections that address other portable devices? Or is there […]
Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance
We’ve all now had a couple of weeks to digest the new guidance, and what has emerged is a clearer understanding of what the guidance requires…and what it doesn’t. But before we can begin to formulate the specific compliance requirements, we have to interpret what the guidance is actually saying…and what it isn’t. And along […]
SOC 2 vs. SAS 70 – 5 reasons to embrace the change
The SOC 2 and SOC 3 audit guides have recently been released by the AICPA, and the SAS 70 phase-out becomes effective tomorrow. The more I learn about these new reports the more I like them. First of all, as a service provider to financial institutions we will have to prepare for this engagement (just […]
Risk Managing Social Media – 4 Challenges
Twitter, LinkedIn, Facebook, Google+…the decision to establish an on-line presence is a very popular topic these days, and it is extremely easy to do, but effectively managing social media risk can be frustratingly complicated. In many ways. it just doesn’t lend itself to traditional risk management techniques, so the standard pre-entry justification process is much […]
FDIC issues new FIL…
…and pretty much confirms what most of us already knew; regulatory scrutiny has increased across the board. FIL-13-2011 entitled “Reminder on FDIC Examination Findings” was just released March 1st, and in spite of the title, is not so much a reminder but a response. Here is the one-line summary: “Recently, the FDIC has received some […]
Top 5 Compliance Trends for 2011 – Part 4
According to the FFIEC IT Examination Management Handbook, many institutions choose to delegate responsibility for monitoring IT activities to an IT Steering Committee. I also addressed this here. One of the most important roles of the IT Steering Committee is to ensure that the IT strategy is aligned with the overall business strategy. And the […]
New FDIC Survey Results and Third-Party Providers
The new FDIC Supervisory Insights Winter 2010 newsletter addresses several issues of interest to bankers, including Trust Preferred Securities, Managing Agricultural Credit, and Senior Life Settlements. But there was also a section that analyzed the results of a survey that was conducted by FDIC examiners over the past year. The more than 2,100 responses […]
5 Key Elements of Risk Management
As a financial institution, it sometimes seems that everything you do requires a risk assessment. Information security, disaster recovery, ID theft, remote deposit capture, outsourcing, in fact the term “risk assessment” appears 215 times in the FFIEC IT Examination Handbooks. But a risk assessment is only one step of a five step risk management process…and […]