Tag: Vendor Management

  • FFIEC Updates Technology Service Provider Guidance

    Just posted, the new Booklet rescinds and replaces the previous one issued in March 2003, and is the first Booklet replacement since Retail Payment Systems in 2010.  In general this is not so much a complete re-write as a reinforcement of the importance the agency places on strong vendor management, which is a concept that…

  • 7 Cloud Vendor Deal Breakers for Financial Institutions

    With all the recent focus on vendor management in general, and cloud vendors in particular, there has been a lot of discussion about changing regulatory requirements and best practices.  For the most part, cloud vendors must adhere to the same due diligence, contract, and monitoring guidelines as any other vendor.  However, there are a few…

  • Risk Assessing iCloud (and other online backups) – UPDATE 2, DropBox

    Update 2 (8/2012) – Cloud-based storage vendor DropBox confirmed recently that a stolen employee password led to the theft of a “project document” that contained user e-mail addresses. Those addresses were then used to spam DropBox users.  The password itself was not stolen directly from the DropBox site, but from another site the employee used. …

  • FFIEC issues Cloud Computing Guidance

    Actually the document is classified as “for informational purposes only”, which is to say that it is not a change or update to any specific Handbook and presumably does not carry the weight of regulatory guidance.  However, it is worth a read by all financial institutions outsourcing services because it provides reinforcement for, and references…

  • 5 Keys to Understanding a SOC 2 Report

    Although I have written about these relatively new reports frequently, and for some time now, it still remains a topic of great interest to financial institutions.  Fully 20% of all searches on this site over the past 6 months include the terms “SOC” or “SOC 2”, or “SAS 70”.  Some of this increased interest comes…

  • FDIC Supervisory Letter Issued on Critical Service Provider

    (NOTE:  Although the vendor in question has been publicized by the NCUA, I will not name it here because it is not relevant.  If you currently contract with the vendor you know who it is, and you need to know how to respond to the letter.  If you don’t, you’ll need to know how to…