Information Security

  • 1.  Validating Vendor FFIEC Framework controls

    This message was posted by a user wishing to remain anonymous
    Posted 06-22-2022 03:47 PM

    Our organization's IT Security team is striving to mature within the FFIEC framework. The framework indicates that to be "Advanced" we should do the following:
    • "Third-party employee access to confidential data on third-party hosted systems is tracked actively via automated reports and alerts."

    Our team has interpreted this to mean:
    • "When sensitive data is housed with a third party, how are we gaining assurance that any access to our sensitive data by the 3rd party's agents is appropriate?", and
    • "Where/how are we tracking that we have reviewed this 3rd party agent access to our sensitive data on a periodic basis?"

    Is this an appropriate interpretation? If not, how are you interpreting it?

    How are other institutions tracking this type of information?

    Thanks for any advice or clarification!


  • 2.  RE: Validating Vendor FFIEC Framework controls

    This message was posted by a user wishing to remain anonymous
    Posted 06-22-2022 04:12 PM

    Isn't this what one element of the FTC's amended GLBA Safeguards rule effective 12/9/2022 requires?