Due Diligence and Ongoing Monitoring

  • 1.  GLBA help...

    Posted 10-07-2019 10:36 AM
    Good morning,

    In a recent internal audit, GLBA was the focus. GLBA requires our Credit Union to have implemented programs to oversee and confirm that service providers are meeting the law. Our program needs to specifically address the requirements for all vendors to comply with GLBA, and all applicable laws, regulations and standards. It was noted that NYS has introduced the SHIELD Act which will require any organization with NYS residential data to meet additional guidelines.  

    It was recommended that a checklist should be relied on to ensure that the controls covered within SOC reports provide sufficient comfort that the vendors are meeting the expectations of GLBA.

    Does anyone have a GLBA checklist they could share, or ideas for constructing one?



  • 2.  RE: GLBA help...

    Posted 10-07-2019 05:12 PM

    It sounds like your Internal Audit team is asking for a plan to review SOC reports annually, which is certainly a best practice. This is normally accomplished by establishing a document collection and review calendar for your credit union.

    GLBA 501(b) asks financial institutions to have some type of assurance from their vendors that they are maintaining the Confidentiality, Integrity and Availability triangle when it comes to your customers' data.

    That is normally handled with a SOC report. Personally, I look for an SSAE 18 SOC 2 Type 2, though a SOC 3 is a good report to have from any vendor. These reports look at the following criteria in detail to ensure your vendor is taking care of cybersecurity in a reasonable manner. SOC reports test controls around server security, network security, access controls, patch management (which assumes some form of vulnerability assessment), backup management, log file management, least privilege, and third-party assessments (penetration testing, third-party vulnerability scanning and third-party security monitoring).

    I go through all this to make this point: you will need to identify someone with credentials in information security or information systems auditing to interpret the reports. There are several credentials that attest to a person's ability to interpret these reports; two examples are the CISSP and the CISA certifications.

    Has anyone established a document collection schedule/calendar and review schedule/calendar for SOC reports?




  • 3.  RE: GLBA help...

    Posted 10-08-2019 08:55 AM
    We review SOC 2 Type 2 reports for vendors providing cloud solutions (SaaS, IaaS) and with whom we share Confidential information. We keep a schedule based on the date the SOC report was issued by the independent auditor; generally this is on an annual basis. We do not keep a specific checklist, but we do map any Complementary User Entity Controls indicated in the SOC report to our own controls.


  • 4.  RE: GLBA help...

    Posted 10-08-2019 09:15 AM
    Good morning,

    We do have a very structured review process. High and critical vendors are reviewed on a yearly basis; this includes any vendor that is critical to operations and/or has access to PII/NPI. This does include due diligence collection, updated vendor questionnaires, Risk Assessment, SOC analysis, and CUECs reviewed for updates and completed.

    This year they are specifically looking for a formal checklist, I was hoping that someone had one they could share.


  • 5.  RE: GLBA help...

    Posted 01-08-2020 12:46 PM
    Yes, as part of our onboarding and/or periodic review process, the due diligence package for all cloud vendors or Critical/High rated vendors requires a SOC to be collected and reviewed by our Information Security team BEFORE the contract/service agreement is signed with the vendor. These types of vendors are reviewed yearly. The IS team reviews the content of the SOC report (whether it be an SSAE 18 or SOC 2 Type 2), and then reviews each of the controls with the vendor relationship manager to ensure proper controls are in place for the service/product being provided by the vendor. Any high-risk controls discovered through this conversation are reviewed by our Enterprise Risk Management Committee to determine if the risk is accepted or additional mitigation is required, and a plan to do so is documented.
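The review calendar in post 3 and the onboarding/yearly review in post 5 can be kept as a simple vendor register that flags what a reviewer still has to chase: a missing SOC report for an in-scope vendor, a review past the anniversary of the report's issue date, a CUEC not yet mapped to an internal control, and a high-risk exception with no documented ERM disposition. This is an added example, not something posted in the thread; the vendor names, CUEC identifiers and control identifiers are constructed, and the 365-day cycle and "critical/high or cloud" scope rule are assumptions taken from the posts above.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_CYCLE = timedelta(days=365)       # yearly review, counted from the auditor's issue date
IN_SCOPE_TIERS = {"critical", "high"}    # tiers that must supply a SOC report (assumption)
AS_OF = date(2019, 10, 8)                # constructed "today" for the sample run

@dataclass
class VendorSoc:
    vendor: str
    tier: str                            # critical / high / moderate / low
    cloud: bool                          # SaaS/IaaS vendors are in scope regardless of tier
    soc_issued: date | None              # issue date on the SOC report; None if not collected
    cuecs: dict[str, str | None] = field(default_factory=dict)                # CUEC id -> internal control id
    high_risk_exceptions: dict[str, str | None] = field(default_factory=dict) # exception -> ERM disposition

def in_scope(v: VendorSoc) -> bool:
    return v.cloud or v.tier in IN_SCOPE_TIERS

def review_due(v: VendorSoc) -> date | None:
    return None if v.soc_issued is None else v.soc_issued + REVIEW_CYCLE

def assess(v: VendorSoc, today: date) -> list[str]:
    """Return the gaps a vendor-management reviewer still has to close for this vendor."""
    if not in_scope(v):
        return []
    if v.soc_issued is None:
        return [f"{v.vendor}: no SOC report on file"]
    gaps = []
    due = review_due(v)
    if today > due:
        gaps.append(f"{v.vendor}: SOC review overdue since {due.isoformat()}")
    gaps += [f"{v.vendor}: CUEC {c} not mapped to an internal control"
             for c, ctrl in v.cuecs.items() if ctrl is None]
    gaps += [f"{v.vendor}: high-risk exception '{e}' has no documented ERM disposition"
             for e, disp in v.high_risk_exceptions.items() if disp is None]
    return gaps

def review_calendar(register: list[VendorSoc], today: date) -> dict[str, list[str]]:
    """Vendors with open items, keyed by vendor name; clean vendors are omitted."""
    return {v.vendor: gaps for v in register if (gaps := assess(v, today))}

# Constructed sample register: illustrative vendors and identifiers, not real ones.
REGISTER = [
    VendorSoc("core-banking-host", "critical", True, date(2018, 6, 30),
              {"CC6.1-UE1": "IAM-04", "CC6.2-UE2": None}, {"patch SLA missed": None}),
    VendorSoc("statement-printer", "high", False, None),
    VendorSoc("office-plants", "low", False, None),
]

if __name__ == "__main__":
    for gaps in review_calendar(REGISTER, AS_OF).values():
        print("\n".join(gaps))
```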