Vendor Compliance With InfoSec Guidelines
by Michael Guard, BOL Guru

QUESTION: DirectPointe provides managed computing services that include remote PC and Network Management services. We are working with a community bank in Utah that is interested in our services, but is concerned with any regulatory issues that may not allow us to have remote access to their network and PCs (since their network is connected to a service bureau, which has confidential information). Can you provide any information/insight into this issue? Can we provide remote services and if so, does our company need to meet certain requirements? Please let me know if you have recommendations.

ANSWER: Unless DirectPointe is working under a preexisting contract (prior to the grandfather date of March 5, 2001), the bank must have a contract which requires the service provider to have an InfoSec Program which is designed to achieve the objectives of the InfoSec Guidelines for financial institutions. This is no small burden. If the service provider was a professional who already has a duty under a professional code of conduct to protect customer information, like attorneys and CPAs do, then the bank would have the discretion to decide whether you will oversee his program on a continuing basis. DirectPointe does not qualify for this exception, so the bank is responsible for monitoring DirectPointe's InfoSec program. A service provider's program does not have to meet the InfoSec Guidelines required of banks, but must be designed to achieve the same goals. This means it has to be an honest attempt at a comprehensive approach to information security. DirectPointe will want to make it as easy for the bank to monitor its program as possible, so it will be providing reports on a regular basis (quarterly is the very least I would consider).

In my opinion, DirectPointe should also sign a confidentiality agreement, and that can be a part of the contract. That would just be good practice; it is not essential, but there is also no reason to leave it out of the contract.

First published on BankersOnline.com 12/3/01