Pub. 3 2013-2014 Issue 4
16 | Over a Century: Building Better Banks - Helping Coloradans Realize Dreams

MANAGING VENDOR – continued

One area where I see the most confusion is in the collection of vendor due diligence and oversight documents. These are things like financials, SSAE16 reports, confidentiality agreements, etc. Too often I see that the oversight requirements for vendors are based only on the documents the vendor chooses to give the bank. This works great for core vendors, who already know what they should give you and automatically provide it. It doesn’t work so well when you work with other vendors who aren’t as familiar with GLBA requirements.

It’s your responsibility to know what you want from each vendor. The best way to do this is to think about what each document is and what it would tell you about a vendor…if the information would help you manage the risk associated with that relationship, then ask the vendor for that document. If the information isn’t necessary, then you don’t need it.

Here are a few of the more common vendor documents and what they tell you:

• SSAE16 or other audit reports: test the controls the vendor has in place, much like what happens when your bank has an IT audit. This is needed for vendors who store any unencrypted customer information or who can access your network without your permission. Make sure you check the scope of the audit to ensure it was thorough.

• Financials: show you the vendor’s financial health. You’ll want these from companies you couldn’t easily replace if they were to go out of business.

• Confidentiality Agreement: If the vendor has access to or stores customer information, you want to know that they will use the same strict standards of confidentiality that your bank uses. If a security breach on the vendor’s network could potentially lead to a breach of your customers’ information, then you also want some kind of incident notification language (the vendor agrees to notify you if something happens).

• External Security Testing: Just like the penetration test that you do annually, this will test how visible and vulnerable a vendor’s network is from the outside (Internet). You want this for any vendor who is hosting sensitive or