It sounds like your Internal Audit team is asking for a plan to review SOC reports annually, which is certainly a best practice. This is normally accomplished by establishing a document collection and review calendar for your credit union.
GLBA 501(b) asks financial institutions to have some type of assurance from their vendors that they are maintaining the Confidentiality, Integrity and Availability triangle when it comes to your customers' data.
That is normally handled with a SOC report. Personally, I look for an SSAE 18 SOC 2 Type 2. Though a SOC Type 3 is a good report to have from any vendor. These reports look at the following criteria in detail to ensure your vendor is taking care of cybersecurity in a reasonable manner. SOC reports test controls around server security, network security, access controls, patch management (which assumes some form of vulnerability assessment), backup management, log file management, least privilege, and third-party assessments (penetration testing, third-party vulnerability scanning and third-party security monitoring).
I go through all this to make this point. You will need to identify someone with credentials in information security or information systems auditing to interpret the reports. There are several credentials that attest to a person's ability to interpret these reports; two examples are the CISSP and the CISA certifications.
Has anyone established a document collection schedule/calendar and review schedule/calendar for SOC reports?