Information Security

This message was posted by a user wishing to remain anonymous

Our organizations IT Security team is striving to mature within the FFIEC framework.  In the framework it indicates to be "Advanced" we should do the following:

• "Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts."

• "When sensitive data is housed with a third-party, how are we gaining assurance that any access to our sensitive data by the 3^rd parties agents is appropriate?", and
• "Where/how are we tracking that we have reviewed this 3^rd party agent access to our sensitive data on a periodic basis?"

Is this an appropriate interpretation? If not how are you interpreting it? 

How are other institutions tracking this type of information?

Thanks for any advice or clarification!

This message was posted by a user wishing to remain anonymous

Isn't this what one element of the FTC's amended GLBA Safeguards rule effective 12/9/2022 requires?
Original Message:
Sent: 06-22-2022 12:08 PM
From: Anonymous Member
Subject: Validating Vendor FFIEC Framework controls

This message was posted by a user wishing to remain anonymous

Our organizations IT Security team is striving to mature within the FFIEC framework.  In the framework it indicates to be "Advanced" we should do the following:

• "Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts."

Our team has interpreted this to mean:

• "When sensitive data is housed with a third-party, how are we gaining assurance that any access to our sensitive data by the 3^rd parties agents is appropriate?", and
• "Where/how are we tracking that we have reviewed this 3^rd party agent access to our sensitive data on a periodic basis?"

Is this an appropriate interpretation? If not how are you interpreting it? 

How are other institutions tracking this type of information?

Thanks for any advice or clarification!