Tag: Vendor Management

  • FFIEC Handbook Update – Outsourcing

    The FFIEC has just added a section to the Outsourcing Technology Services IT Examination Handbook, and it should be required reading for financial institutions as well as any managed service providers.  The new section is Appendix D: Managed Security Service Providers, and it is the first significant change to the Handbook since it was released in…

  • FFIEC Handbook Update – SAS 70 Transition

    The FFIEC has just updated their online IT Examination InfoBase to address the AICPA phase-out of the SAS 70 reporting format.  All references to “SAS 70” have now been replaced, and the SAS 70 sections of the Audit and Information Security Handbooks have been completely removed.  Previously there were a total of 31 references to…

  • The single most important vendor management control

    Pop quiz…according to the FFIEC Handbook on Outsourcing Technology Services… “The ________ is the single most important control in the outsourcing process”: Initial due diligence process Review of third-party audit reports Contract Risk Assessment Vendor’s financial stability I’ve written before about the importance of the third-party review in the ongoing vendor management process (and how…

  • NIST releases new Cloud Computing Guidelines

    Although not specific to the financial industry, the new guidelines provide a comprehensive overview of the privacy and security challenges of this increasingly popular computing model.  It’s worth a look by both financial institutions considering cloud-based services, as well as service providers, because NIST guidelines often wind up as the basis for new or updated…

  • FDIC offers “Insight” on Mobile Banking

    Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future.  (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced…

  • 2012 Compliance Trends, Part 2 – Vendor Management

    In my first post in this series I discussed training (employee and customer) as a good candidate for increased regulatory scrutiny in 2012.  Although these posts are in no particular order, I had initially intended to list “Management” as the next trend.  However a comment made to me by a banker at a recent conference…