Tag: Vendor Management

  • Interview with head of FDIC IT examinations

    In an interview with Don Saxinger at bankinfosecurity.com, the head of IT examiner oversight addresses vendor management.  Here is my summary of that interview:

  • SSAE 16 replaces SAS 70 (…sort of) – UPDATE 2

    In my last post I indicated that the AICPA would have additional guidance on this topic this fall.  It appears that we may now have to wait until early 2011.  According to this document from the AICPA, “The existing (AICPA Audit) guide is being overhauled and rewritten to reflect the requirements and guidance in SSAE…

  • SSAE 16 replaces SAS 70 – UPDATE

    Starting next year (or this year for Type II engagements that extend beyond 6/11), the traditional SAS 70 is being phased out in favor of the SSAE 16. The biggest difference is that the “A” no longer stands for “Audit”, but “Attestation”: Management of the service provider asserts that controls relative to security, availability, integrity,…

  • FFIEC Tier I and II Examination Procedures

    A complete listing of ALL FFIEC Tier I and Tier II examination procedures in one place, courtesy of the BITS Shared Assessments project. Very handy!

  • Vendor Management – BITS and Pieces

    The effective management of critical vendors is an essential risk control. The FFIEC mentions this several times in their Examination Handbooks, most recently in the “Information Security” Handbook from July, 2006. Although most financial institutions are accustomed to approaching this from their own perspective, i.e. from the serviced side, this white paper will take a…