Compliance Guru Blog

Keeping Financial Institutions Informed

6 days ago
FFIEC Replaces, and Expands, the Operations Handbook

Back in June of this year the FFIEC released an update to the 2004 Operations Handbook called Architecture, Infrastructure, and Operations (AIO). As the lengthier name implies, this was not simply...

Read More
about 1 month ago
New FFIEC Guidance for Access and Authentication

In response to an expanded cybersecurity threat landscape, the FFIEC just issued an update to agency expectations for access and authentication to financial institution products and systems. This...

Read More
2 months ago
New Proposed Cyber Incident Notification Rules

We first wrote about incident notification over ten years ago, and based on feedback from our cyber testing experience, financial institutions are still struggling with the issue of whether or not...

Read More
10 months ago
Hot Topic: Ransomware on the Radar (Updated)

Both the State banking regulators and the Treasury Department have issued recent advisories to financial institutions regarding the ransomware threat. Ransomware is defined as a form of malicious...

Read More
11 months ago
Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more...

Read More
12 months ago
Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that...

Read More
about 1 year ago
Reading Between the Lines: The Interagency Examiner Guidance for Assessing Safety and Soundness During COVID-19

On June 23, 2020, the FDIC posted “The Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions.” FIL-64-2020 This statement...

Read More
over 1 year ago
Reading Between the Lines: Recent Regulatory News

Federal Reserve Statement on Supervisory Activities Where did it come from, and where can I find it? The Federal Reserve Who needs to know about it?

Read More
over 1 year ago
Are You Required to Address Your COVID-19 Readiness with Your Customers?

Hey Guru! Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are...

Read More
over 1 year ago
FFIEC Issues Statement on Pandemic Planning

Background Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC just released an Interagency...

Read More
over 1 year ago
FFIEC Rewrites Business Continuity Guidance

The all new IT Examination Handbook is more than an update, it’s a complete re-write, and represents a significant change in how the business continuity process is managed. It also has several new...

Read More
almost 2 years ago
Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru! In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we...

Read More
almost 2 years ago
FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

A Standardized Approach On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the...

Read More
about 2 years ago
Pandemic Testing and the BCP

Hey Guru! We finished a FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding: Management should improve...

Read More
about 2 years ago
Ask the Guru: Is it Legal to Share Exam Findings?

Hey Guru! We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we...

Read More
about 2 years ago
Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

Hey Guru! I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response...

Read More
over 2 years ago
Misuse, Denied Access, and Incident Response

It may be a good time to review your Incident Response Plan and determine if additional clarification regarding the term “misuse” should be added to incorporate denial of access to information....

Read More
over 2 years ago
Asset Lifecycle Management

Since both Windows 7 and Server 2008 R2 will reach end-of-life support in January of 2020, many organizations have already made the jump to Windows 10 and Windows Server 2012, 2016, 2019, or...

Read More
over 2 years ago
Ask the Guru: Do We Need to Perform a review on a New Vendor in a Foreign Country?

Hey Guru! Our institution works with a third-party that has recently engaged with a company in a foreign county to begin assisting them in taking care of our institution’s IT matters. Do we need...

Read More
over 2 years ago
Ask the ISO: What Makes a Good Password?

Hey Chuck! Our auditor is telling us we need longer passwords. I’ve done some reading and asked around on this, and I’ve heard everything from 8 to 15 characters. How long should our passwords be?...

Read More
Loading More...