I've read a ton of SSAE 18 analyses ranging from comic book style infographics with inadequate, lightweight, poorly explained content to others that are very detailed, well written analyses targeting auditors. I particularly like Ryan Buckner's concise, practical analysis in ACCOUNTING TODAY. In any case, I've had many requests from our Certified Regulatory Vendor Program Managers [...]
I've recently been asked whether a financial institution has Breach Notification responsibility in the case where the institution refers customers to vendors such as financial service providers where the institution merely vetted several vendors as a convenience for its customers, has no contract with the vendors, passes no PII/NPPI to the vendor, receives no referral fees [...]
As many of you begin to expand your vendor management programs and elevate their maturity levels, tracking KPI's and KRI's becomes an area of focus. Some of you might even go so far as to track KCI's (Key Controls Indicators). However, in looking at Key Performance Indicators (KPI's) and whether your vendors are meeting their SLA's, [...]
Classic risk management employs 3 lines of defense. But there's also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below so don't get hung up on the titles. If you're a smaller institution and you wear multiple hats, you [...]
Alright, so I'm going out on a limb to get some feedback and I hope that those of you reading this will do so. In our advanced Certified Regulatory Vendor Program Manager (CRVPM Level II) course, I note that there has been a great deal of focus in the industry on Vendor Risk/Third Party Risk but... [...]
How do you measure your vendor's value? s vendor management programs mature, we need to understand the value a vendor delivers beyond meeting its Service Level Agreements. While we frequently outsource significant functions (critical and high risk) because a vendor can help us meet our strategic goals, including doing something better/faster/cheaper, what else are we obtaining [...]
When outsourcing services to vendors where sensitive/confidential data or critical services are involved, most of us request some combination of Business Continuity Plan, DR Plan, DR test results and Incident Response Plan. That's only half the battle. Of particular interest is the Incident Response Plan. The IRP is certainly something you'd want to review but all [...]
You have HOW MANY critical vendors?!?!?!?!? I always find the perception of CRITICAL VENDOR to be very interesting. As Certified Regulatory Vendor Program Managers (CRVPM) know, when reviewing vendor management programs we typically see way too many vendors listed as critical, usually for a couple of reasons; 1) either the business unit thinks that their vendors [...]
Crash course here: http://bit.ly/1Oobnan Everyone is heavily overburdened with the demands of trying to comply with regulations. So if your IT or Info Security team doesn't have enough staff to review all SOC reports (or possibly just reviews those with exceptions) yet your internal audit dept wants proof that reviews of all SOC reports are conducted, [...]
So you've done your initial INHERENT risk rating of your vendor and then conducted your due diligence to determine the RESIDUAL risk and you're comfortable doing business with the vendor so you sign a contract. A year from now you plan to conduct the periodic review. But a number of things might have occurred from the [...]