Jennifer Roland-Vlach

Recent Posts

2 Big Changes That Will Impact Your Vendor Management

Posted by Jennifer Roland-Vlach

Jun 28, 2017 11:45:00 AM

Vendor management has always been a key part of financial institution (FI) compliance and risk management efforts. And recently, FIs have witnessed the importance of proper vendor management begin to receive even more emphasis. One area in particular that is contributing to this emphasis is the Statement on Standards for Attestation Engagements (SSAE) No. 18 (SSAE 18) report. That’s right, SSAE 18, not 16. Effective May 1st, 2017, the SSAE 18 became the new standard report for vendors to provide to financial institutions.

Now, in my opinion, there has not been a lot of hype regarding this change. At least not like what we saw when the SAS70 report became the SSAE 16. This is largely because the SSAE 18 does not appear to be drastically different from the SSAE 16, which is definitely good news for community FIs.

While the changes between the SSAE 16 and 18 will not completely change an FI’s approach to vendor management, there are some changes that will impact the due diligence efforts of FIs, especially in regard to more critical vendors.

Topics: Financial Services Industry, Regulatory Compliance

The New Reality of Incident Response Plans

Posted by Jennifer Roland-Vlach

Jan 4, 2017 11:15:00 AM

You may have noticed 2016 was quite the busy year for IT regulatory compliance. OK, that’s probably a bit of an understatement.

Last year saw the release of Appendix E on Mobile Financial Services, the new InTrex exam format, the updated Information Security Handbook, and the promise of more to come in 2017. With this plethora of information being directed at financial institutions (FIs), I wanted to take this opportunity to highlight one particular factor that is already coming under examiner scrutiny: incident response. I have written about incident response a couple of times in the past. In fact, in my previous blog I provided some best practice items for FIs to consider in their Incident Response Plans. But with increasing attention on this subject, I think it is necessary we re-visit a couple of established incident response standards and acknowledge a new best practice.

Topics: Risk Mitigation, Data Management

How Can I Improve My Incident Response Plan?

Posted by Jennifer Roland-Vlach

Jul 6, 2016 10:05:00 AM

Incident Response Plans have been a critical component for financial institutions (FIs) for quite some time now.

The foundation was outlined as part of GLBA and guidance was later issued on the requirements for these response programs where customer information had been accessed. So this raises the question, if Incident Response Plans have been a necessity for so long, why do so many FIs continue to have ineffective plans in place? I can only speculate as to the reasons why; however, I do know that the expectations for Incident Response Plans are beginning to change. I have spoken with a number of institutions who have shared that their examiners are honing in on Incident Response Plans. With this increasing focus on plans, I want to share with you a few of the most critical pieces that I often see missing from Incident Response Plans.

Topics: Information Security, Risk Mitigation

Compliance, the Missing Piece to a Managed IT Service Puzzle

Posted by Jennifer Roland-Vlach

Sep 1, 2015 9:26:00 AM

As IT environments become increasingly complex, more community financial institutions are looking to outsource monitoring and management of some or all of their IT infrastructure. As anyone who has ever been part of a new product or service implementation knows, there are times when certain items seem to fall off the radar. Of course, this does not always happen intentionally. Given the complexity of implementing new products and services, especially a managed IT service, it is likely that steps to address risk/compliance will either be overlooked or postponed to be dealt with at a more convenient time.

Topics: Information Technology, Risk Mitigation

April 2014: A Busy Month for Fraud Alerts!

Posted by Jennifer Roland-Vlach

Aug 13, 2015 9:10:46 AM

Here we are at the end of April and my Inbox has had quite a few email alerts from various regulatory entities. These alerts have covered an array of topics, with the most prevalent being an apparent current uptick in cyber-related risk. So, in case you may have missed one of these among the multitude of emails you probably receive each day, I thought I would use this opportunity to provide a brief overview of this recent flurry of activity plus suggested steps to address the outlined objectives.

Topics: Information Security, Cybersecurity

Incident Response Plans & Vendor Mgmt: Lost in the Cybersecurity Mix

Posted by Jennifer Roland-Vlach

Aug 11, 2015 12:45:20 PM

If you find yourself in need of a stark reminder on how quickly time passes by, consider this: May marks one year since the FFIEC officially announced their focus on cybersecurity for financial institutions. Even though official guidance is still pending, the FFIEC has been using the past year to continue underscoring the importance of cybersecurity. In addition to periodic updates being provided by the FFIEC, there have been a multitude of articles on the topic of cybersecurity. While there has been an emphasis on areas such as C-Suite training and information sharing, I have noticed two items in particular that seem to be getting lost in the mix of cybersecurity discussions. Those items are Incident Response Plans (including testing plans) and critical vendor management. Let’s look at Incident Response Plans first.

Topics: Cybersecurity

The Financial Institution Website: Where Community Meets Cyber Crime?

Posted by Jennifer Roland-Vlach

Aug 11, 2015 9:29:04 AM

I have developed a bit of a habit over the years in my role as a Compliance Analyst: I like to regularly check out my FI client’s website. I have found that it gives me a great visual representation of what that institution is all about. This helps me understand the FI’s products/services, business culture, and face to the community. I also like to check for staff pictures on the chance that I can put a face with a name for the particular employee that I am working with on IT regulatory compliance and risk management efforts.

Topics: Websites, Cybersecurity

April 2014: A Busy Month for Fraud Alerts and Cybersecurity!

Posted by Jennifer Roland-Vlach

Aug 11, 2015 9:20:09 AM

Here we are at the end of April and my Inbox has had quite a few email alerts from various regulatory entities. These alerts have covered an array of topics, with the most prevalent being an apparent current uptick in cyber-related risk. So, in case you may have missed one of these among the multitude of emails you probably receive each day, I thought I would use this opportunity to provide a brief overview of this recent flurry of activity plus suggested steps to address the outlined objectives.

Topics: Information Security, Cybersecurity

What Do You Mean, You’re Not Testing Your Incident Response Plan?

Posted by Jennifer Roland-Vlach

Jul 24, 2015 11:29:48 AM

As part of the ProfitStars Gladiator IT Regulatory Compliance group, I have had the opportunity to have some interesting conversations with customers, and I have noticed there is one topic in particular that seems to keep popping up: Incident Response Plan testing. The questions that I am most often asked regarding testing are the following: “We don’t test our Incident Response Plan, can we remove the section on how to test it?”, “Is testing something that we are supposed to be doing, since we already test our Disaster Recovery Plan?” and “The Senior Management personnel of my institution just asked me how we plan to respond to a particular attack, what do I tell them?”

Topics: Business Continuity
