Pub. 3 2013-2014 Issue 4
OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS
January • February 2014 17

The best way to do this is to think about what each document is and what it would tell you about a vendor… if the information would help you manage the risk associated with that relationship, then ask the vendor for that document.

critical information, including your website. If a vendor has had a SSAE16 performed, external vulnerability testing might be covered, but you need to check the scope of the SSAE16 to verify.

• BCP documentation/testing: there are two types of BCP testing that you may or may not need from a vendor. One is from the vendor’s location to its backup site. This is the same kind of testing you would do if you were failing over to your backup location, and it lets you know how prepared your vendor is and how much downtime you would have if a disaster affected your vendor’s location. The other type of test is a backup connection between you and the vendor.
If something happens to your connection to the vendor, how quickly can the alternate operating procedures be up and running? The types of testing, if any, you want to see from a vendor just depend on the nature of the relationship and how important the availability of this vendor is to your bank’s operations.

Vendor relationships are not created equal, so a little organization and understanding from the beginning can save you time each year as you save and review these due diligence documents.

Stephanie Chaumont is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.