Vendor Management

What’s Missing from your SSAE-16 SOC Report?

It’s what’s NOT in the report that matters . . . Five Suggestions to Learn What Controls to Expect Another  one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .  We’ve discussed the difference between a SOC1 and a ...

Application Security Testing the Hard Way

Have you ever seen “Application Security Testing” in a SOC2? An interesting article about the dynamics of application security has been posted by Julie Bort of Business Insider Magazine.  You may have noticed the recent emergency security update by Microsoft for...

Quick Lesson on Your Auditors Wanting Remote Access!

Several of our Clients have been asking about whether they should allow their auditors to have remote access to their systems. That’s an awkward question to have to ask your auditor, so we thought we’d post a quick summary of our response. Start by asking questions. This is ...

SOC What? SOC1 v SOC2

The difference between SOC1 and SOC2 reports. One of the key concepts we will go over in our discussion about vendor management at the IBA Workshop on March 26th will be “third party assurance.”    Clients often ask me what the difference between a SOC1 and SOC2...

A Simplified Approach to Vendor Management

If we had to reduce all of vendor management down to two operations, we’d suggest a strong contract policy, and a sorting process. Business Associate Agreements Simplified For those of you who are wanting to come into lightening-speed compliance with Section 164.308(b...

Sharpening Your Vendor Management Tools

Mark your calendars! Dan Hadaway will be delivering a workshop with the Indiana Bankers Association to outline what makes an effective vendor management program. The workshop will be on September 10th starting at 9:00 AM and ending at 4:00 PM. For information on how to regis...

SSAE-16 Review Checklist

Quick and Easy Due Diligence Checklist! Our most popular tool! What should you look for when you review a SOC2 report? What if you get a SOC1 or SOC3 instead?  What type of paper trail should you leave, demonstrating an adequate review?  How do you track that all appropriat...

Vendor Management

Go here to learn more about our Vendor Management Program Kit! Dan Hadaway, CISA, CISM, CRISC Managing Partner Dan speaks regularly at various conferences, workshops, and webinars. He has delivered talks for the Community Bankers Association of Illinois, the...

Vendor Risk, The TSP Booklet, and the ROE

When you perform due diligence on technology service providers, do you ask them if they are in the FFIEC Examination Program?  If not, you are missing an important third-party assurance opportunity.  How many times have you wondered whether the SSAE-16 SOC1/SOC2 reports are ...

Analysis of the FFIEC’s Statement on Cloud Computing

On July 10th, 2012, the FFIEC published a “Statement on Cloud Computing” in a new section of the ffiec.gov resource library for guidelines related to information technology governance.  This statement served to declare that cloud computing providers are simply another form o...