IT Examiner School eBook May 2025
Oversee Service Provider Arrangements. Each bank shall require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines.

- Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services.
- Contracts acknowledge that the third party is responsible for the security of the institution's confidential data that it possesses, stores, processes, or transmits.
- Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party.
- Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements.
- Contracts establish responsibilities for responding to security incidents.

Control Test: Review a sample of critical vendor contracts entered into since the previous examination to determine whether they meet the criteria above.

4. Evaluate the process for identifying, documenting, and reporting service provider relationships (both domestic and foreign-based) to primary Federal and State regulators. (Decision Factor 1)

Control Test: Obtain documentation verifying that regulators were notified of new service provider relationships entered into since the prior examination. Refer to the Bank Service Company Act.
Project and Change Management
5. Evaluate the institution's program for managing significant projects (e.g., system conversions, product enhancements, infrastructure upgrades, system maintenance). Consider the following:

- Specifications and requirements
- Risk assessments
- Feasibility studies
- Cost/benefit analyses
- Vendor reviews
- Contract reviews
- End-user involvement
- Project plans
- Project status reports
- Test plans
- Test results
- Post-implementation reviews

(Decision Factor 2)