(Responding with the assumption that we're discussing GLBA.) From a technology review perspective for those vendors in scope of GLBA, you'll want to reference the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. Here is a link to a relevant guide:
https://www.federalreserve.gov/supervisionreg/interagencyguidelines.htm. Guidance says that "appropriate due diligence" needs to be performed on third parties, especially around information security. Guidance also notes ongoing monitoring as well, beyond initial due diligence, to ensure "appropriate security measures" are in place. My recommendations around what's appropriate would include reviewing vendor information such as, but not limited to:
- Information Security Program
- Logical and Physical Access Controls
- Encryption practices for at-rest and in-transit data
- Incident and Breach Management
- Penetration Testing
- Resiliency and Business Continuity
- That the vendor is doing their own appropriate third-party risk management
Always great to hear what others are doing as well for their vendors impacting GLBA, and vendors impacting privacy in general with the regulation list growing!
Original Message:
Sent: 01-31-2022 05:46 PM
From: Anonymous Member
Subject: Technology Risk Assessments
This message was posted by a user wishing to remain anonymous
My bank is in the process of building our technology risk assessments, especially for technologies that use, transmit and store GBLI data. Can anyone share best practices and critical risk items they use in their risk assessments? Also, do you have different review frequencies depending upon the risk level?
Appreciate any guidance you can provide.