Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the FFIEC IT Examination Handbook as a mechanism to prepare for a third-party-related audit. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body in the US empowered to establish guidelines and uniform principles and standards for the federal examination of financial institutions by five member agencies, including:
The FFIEC publishes the IT Examination Handbook as a set of booklets used by examiners reviewing an institution’s IT practices; as such, the booklets also serve as guidelines for those practices. Of interest to many institutions is the guidance they provide on managing the risk associated with third-party providers. The Business Continuity booklet includes Appendix J, which addresses the need to strengthen the resilience of outsourced technology services, and the Information Security booklet includes a specific section on Oversight of Third-Party Service Providers.
These IT booklets call for robust management and tracking of third-party supplier business continuity planning (BCP) and IT security risk. They specify that a policy for managing that risk should be in place, that appropriate due diligence should be applied when selecting third parties, and that the policy’s requirements should be codified in supplier agreements. Suppliers should then be managed and audited against the agreed requirements.
Prevalent can help address the third-party requirements recommended in both the Business Continuity booklet Appendix J, and the Information Security booklet Oversight of Third-Party Service Providers section.
To address FFIEC recommendations, Prevalent:
Although FFIEC guidance is not statute, it gives financial organizations a sound basis for preparing for a third-party risk management audit. Prevalent helps organizations address these recommendations with a framework to identify, measure, monitor, and mitigate the risks associated with outsourcing.
Next week’s blog examines the ISO Standards for Information Security.