FIL-105-2007: Webcast comments, Part 2

We had a few specific questions that we posed to Erik Petersen, VP of Professional Services:

Q: Do you have any recommendations on where we can find guidelines/policies that we may be missing from Question B?
A: I'd go back to the FFIEC Information Security Handbook.

Q: Does ACH risk seem to have any higher emphasis in this exam than in the past?
A: Nothing would lead us to believe that it is more or less emphasized, although NACHA is called out specifically under the vendor management section.

Q: Does the questionnaire specifically address integrated logging or outsourced log monitoring?
A: The specifics behind the guidance are focused on capabilities. There is not any focus on how you realize these capabilities. Of course, if you use an outsource partner it brings the vendor management components into play.

Q: We were told during an OCC exam last year, that service providers that are regulated by FDIC, etc. (for example correspondent banks and debit card processing vendor) need not be scrutinized so closely. However, I’m wondering if I should ask for audit results even for those service providers.
A: Yes, you should ask for IT examination results from the supervisory agency. Additionally, you should take a risk-based approach to ensure any other controls that you need are in place and working. For example, if someone is hosting your web application, in addition to getting their agency examination results you may want to seek additional validation about their web controls.

Q: Is reviewing of financials for vendors required as part of Vendor Oversight requirements? If so, is it just required for vendors with access to confidential info?
A: It is required for any critical vendor. Criticality does not just follow GLB data but also continuity of the institution, risk to reputation, etc.
