IT Examiner School

 (2) Requiring your service providers by contract to implement and maintain such safeguards.

Through a review of the vendor contracts provided by management, we noted confidentiality agreements within the contracts were signed and executed with critical vendors. We also found a vendor contract and agreement review process in the Information Security Program, which includes a general reference to taking measures to ensure vendors have processes in place to meet regulatory guidelines. Reviews of key described in the Information Security Program could be further expanded to include the specific due diligence activities to perform when evaluating key providers’ performance. This section of the Information Security Program should focus on overall management and oversight of vendors, not simply outline the general items to consider when contracting with a new vendor. (Reference: FIL 81-2000)

(e) Evaluate and adjust your information security program as necessary.

The Information Security Officer and management are adequately assessing the effectiveness of the Bank’s information security program on an annual basis; however, reporting the status of the program to the Board should be improved and noted in Board meeting minutes.

Overall, we found Friendly Commerce Bank’s Information Technology systems and procedures to be reasonably sound and secure. However, certain elements of the GLBA program need additional attention from the Board, especially hiring an ISO to regularly provide written reports to the Board. As with any computing environment, areas of improvement inevitably exist, with some being more critical than others. Management should address these areas as soon as possible. It is Contingent Technologies’ recommendation that this report be reviewed carefully by the Bank staff and management to determine what necessary changes or corrections should be made while at the same time balancing those decisions with the institution’s risk management policy.

Our staff appreciates Friendly Commerce Bank’s eagerness to assist in the review process, and we look forward to assisting the staff and management with implementation of our recommendations should you require it.

Summary

The Cyber Assessment Review was provided separately from this report.
