Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Annual Due Diligence

    Posted 03-22-2023 05:38 PM

    Hello:

    Curious as to what others are doing in the financial banking realm relating to a core processor for annual due diligence. Currently, my bank is collecting all due diligence for said core processor: (1) BCP (2) Insurance (3) Financials (4) IRP (5) ISP (6) Physical Security (7) Pen Tests (8) Vendor SOC's (9) Subcontractor's SOC's. 

    Thank you!



  • 2.  RE: Annual Due Diligence

    Posted 03-23-2023 06:42 AM

    Might also consider obtaining the Technology Service Provider (TSP) report through your regulator.  The regulatory exam covering a TSP is similar to an IT General Controls review, but often includes targeted reviews of other areas as well.  We've found that the TSP report often paints a different picture than the SOC report.  Get with your lead examiner to find out the instructions for obtaining these - they are very specific.




  • 3.  RE: Annual Due Diligence

    Posted 03-23-2023 08:02 AM

    Since our core processor is complicated, and we have several modules we utilize, we contract with our VM software provider to assist with the review. The software provider collects all the documents and performs the initial risk assessment. We then review the assessment and meet with them to answer the Risk Assessment questions and rate the vendor. As with any vendor, we are ultimately responsible for the overall assessment.

     

     

     

     

     

    Cheryl Turner, CRVPM II

    Vendor Manager