This message was posted by a user wishing to remain anonymous
Our organization's IT Security team is striving to mature within the FFIEC framework. The framework indicates that to be "Advanced" we should do the following:
- "Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts."
Our team has interpreted this to mean:
- "When sensitive data is housed with a third party, how are we gaining assurance that any access to our sensitive data by the 3rd party's agents is appropriate?", and
- "Where/how are we tracking that we have reviewed this 3rd party agent access to our sensitive data on a periodic basis?"
Is this an appropriate interpretation? If not, how are you interpreting it?
How are other institutions tracking this type of information?
Thanks for any advice or clarification!