Comments for FFIEC Bank & Credit Union Compliance Help presented by Safe Systems – Compliance Guru http://www.complianceguru.com Keeping Financial Institutions Informed Wed, 09 Nov 2011 14:14:27 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Access Rights a frequent finding by Education http://www.complianceguru.com/2011/11/access-rights-a-frequent-finding/#comment-186 Education Wed, 09 Nov 2011 14:14:27 +0000 http://www.complianceguru.com/?p=2225#comment-186 If you are a Safe Systems NetComply customer, we can send you some screen shots on how to set this up and execute within Active Directory and File Servers. Just shoot us an email at Education@safesystems.com. If you are a Safe Systems NetComply customer, we can send you some screen shots on how to set this up and execute within Active Directory and File Servers. Just shoot us an email at Education@safesystems.com.

]]> Comment on SSAE 16 replaces SAS 70 – UPDATE by Tom http://www.complianceguru.com/2010/08/ssae-16-replaces-sas-70/#comment-163 Tom Fri, 02 Sep 2011 19:00:14 +0000 http://www.complianceguru.com/?p=378#comment-163 True, the SSAE 16 is the functional replacement for the SAS 70 for ICFR. My (admittedly misleading) point is that since the SAS 70 had morphed into an all-purpose IT controls assessment, the IACPA was careful to position the SSAE 16 as an ICFR attestation ONLY. Good point, and thanks for the comment! True, the SSAE 16 is the functional replacement for the SAS 70 for ICFR. My (admittedly misleading) point is that since the SAS 70 had morphed into an all-purpose IT controls assessment, the IACPA was careful to position the SSAE 16 as an ICFR attestation ONLY.

Good point, and thanks for the comment!

]]> Comment on SSAE 16 replaces SAS 70 – UPDATE by HedgeHogCPA http://www.complianceguru.com/2010/08/ssae-16-replaces-sas-70/#comment-162 HedgeHogCPA Thu, 01 Sep 2011 20:37:07 +0000 http://www.complianceguru.com/?p=378#comment-162 "Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70. Stay tuned, we are expecting additional guidance from the AICPA later this fall." SSAE 16 is THE replacement for SAS 70. The standards are virtually the same as SAS 70 was the basis for the ISAE standard which served as the basis for SSAE 16. “Most importantly, the SSAE 16 will not be the de facto replacement for the SAS 70. Stay tuned, we are expecting additional guidance from the AICPA later this fall.”

SSAE 16 is THE replacement for SAS 70. The standards are virtually the same as SAS 70 was the basis for the ISAE standard which served as the basis for SSAE 16.

]]> Comment on Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance by Tom http://www.complianceguru.com/2011/07/interpreting-the-new-ffiec-authentication-guidance/#comment-157 Tom Mon, 18 Jul 2011 15:57:18 +0000 http://www.complianceguru.com/?p=1925#comment-157 Hi Leesa! Yes, I'm sure they will have their interpretation of this as well. Problem is I hear many folks say that they will wait until the regulators tell them what to do, but that won't work because this is not just a "compliance response" type of regulation. The risks are real, and account takeover is happening every day. The regulators may indeed have a slightly different approach, but as long as you stick to the fundamentals of risk management you'll have fewer, and less severe, findings (and potential losses!). As you know, you don't have to be a mile ahead of the regulators...1/2 inch will do! Hi Leesa! Yes, I’m sure they will have their interpretation of this as well. Problem is I hear many folks say that they will wait until the regulators tell them what to do, but that won’t work because this is not just a “compliance response” type of regulation. The risks are real, and account takeover is happening every day. The regulators may indeed have a slightly different approach, but as long as you stick to the fundamentals of risk management you’ll have fewer, and less severe, findings (and potential losses!).

As you know, you don’t have to be a mile ahead of the regulators…1/2 inch will do!

]]> Comment on Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance by Leesa http://www.complianceguru.com/2011/07/interpreting-the-new-ffiec-authentication-guidance/#comment-156 Leesa Mon, 18 Jul 2011 15:31:43 +0000 http://www.complianceguru.com/?p=1925#comment-156 Thanks for interpreting this for us, Tom! "Nothing to it'??? Well, it all depends on how ticky the examiners are! :) Thanks for interpreting this for us, Tom! “Nothing to it’??? Well, it all depends on how ticky the examiners are! :)

]]> Comment on Final FFIEC Authentication Guidance just released by Tom http://www.complianceguru.com/2011/06/final-ffiec-authentication-guidance-just-released/#comment-155 Tom Thu, 30 Jun 2011 13:29:03 +0000 http://www.complianceguru.com/?p=1875#comment-155 Absolutely correct Jackie. Personally I was hoping to see something like a stronger MFA + OOB (out-of-band) requirement, but there was nothing stronger than a recommendation to consider additional controls. Not only was there no major take-away from this update, but they seemed to water down the MFA requirement, which was the major take-away from 2005. Very odd. Absolutely correct Jackie. Personally I was hoping to see something like a stronger MFA + OOB (out-of-band) requirement, but there was nothing stronger than a recommendation to consider additional controls. Not only was there no major take-away from this update, but they seemed to water down the MFA requirement, which was the major take-away from 2005. Very odd.

]]> Comment on Final FFIEC Authentication Guidance just released by Jackie Marshall http://www.complianceguru.com/2011/06/final-ffiec-authentication-guidance-just-released/#comment-154 Jackie Marshall Wed, 29 Jun 2011 15:39:04 +0000 http://www.complianceguru.com/?p=1875#comment-154 Thanks for sharing excellent commentary on the supplemental guidance. I'd like to add another interesting observation in regard to the specific MFA references. I was really hoping to see a somewhat more descriptive and prescriptive reference to and acknowledgement of MFA (as this has been the most discussed aspect of FI's following short of the 2005 guidance). Instead, MFA appears to get only a "passing glance" and general reference on page 4...As you stated, removing MFA as a requirement with such lttle supporting detail, does not clarify (Bad and Odd!). Thanks for sharing excellent commentary on the supplemental guidance. I’d like to add another interesting observation in regard to the specific MFA references. I was really hoping to see a somewhat more descriptive and prescriptive reference to and acknowledgement of MFA (as this has been the most discussed aspect of FI’s following short of the 2005 guidance). Instead, MFA appears to get only a “passing glance” and general reference on page 4…As you stated, removing MFA as a requirement with such lttle supporting detail, does not clarify (Bad and Odd!).

]]> Comment on SOC 2 vs. SAS 70 – 5 reasons to embrace the change by Jackie Marshall http://www.complianceguru.com/2011/06/soc-2-vs-sas-70-5-reasons-to-embrace-the-change/#comment-124 Jackie Marshall Thu, 16 Jun 2011 16:12:56 +0000 http://www.complianceguru.com/?p=1833#comment-124 Excellent information! Thanks for the straight forward interpretation. The new reports (esp SOC 2, Type 2) appear to provide beneficial assurance and will increase the confidence level of FIs in third-party service providers relationships... Excellent information! Thanks for the straight forward interpretation. The new reports (esp SOC 2, Type 2) appear to provide beneficial assurance and will increase the confidence level of FIs in third-party service providers relationships…

]]> Comment on Management of IT reflects overall management by The IT Strategic Plan – Why, Who, & How : FFIEC Banking Compliance Help presented by Safe Systems – FFIEC Guru http://www.complianceguru.com/2011/02/management-of-it-reflects-overall-management/#comment-47 The IT Strategic Plan – Why, Who, & How : FFIEC Banking Compliance Help presented by Safe Systems – FFIEC Guru Tue, 17 May 2011 23:31:16 +0000 http://www.ffiecguru.com/?p=1169#comment-47 [...] has been the lack of an IT Strategic Plan. I’m not sure why the focus lately (perhaps the shift from the CAMELS “A” to the “M”?), but the concept is certainly not new. The [...] [...] has been the lack of an IT Strategic Plan. I’m not sure why the focus lately (perhaps the shift from the CAMELS “A” to the “M”?), but the concept is certainly not new. The [...]

]]> Comment on The FFIEC Handbooks and the SAS 70 by SAS 70 replacement…3 alternatives : FFIEC Banking Compliance Help presented by Safe Systems – FFIEC Guru http://www.complianceguru.com/2010/10/the-ffiec-handbooks-and-the-sas-70/#comment-22 SAS 70 replacement…3 alternatives : FFIEC Banking Compliance Help presented by Safe Systems – FFIEC Guru Fri, 29 Apr 2011 14:20:15 +0000 http://www.ffiecguru.com/?p=792#comment-22 [...] written about this  here, here and here, and we are still waiting on additional guidance from the AICPA, now expected March/April 2011.   [...] [...] written about this  here, here and here, and we are still waiting on additional guidance from the AICPA, now expected March/April 2011.   [...]

]]>