At a minimum, be sure you're reviewing every one of your significant service providers' financials and SAS 70's at least annually (and presented to the Board of Directors). Also, be sure you're addressing any/all client control considerations in all of your sig. svc. providers' SAS 70's in a formal document that is reviewed annually (and presented to the BOD). Be sure your policies/procedures spell out all of these annual reviews and presentations to the BOD explicitly. Also, review your vendors' business continuity plans/be sure they have addressed disaster planning, pandemic planning, etc. Review every contract you have with all vendors (not just your significant service providers). Document the review, document when the contract expires, document whether or not that vendor has access to any confidential information, document whether or not that vendor has a confidentiality clause/statement in their contract or as an addendum to the contract with your bank, to satisfy GLBA.
_________________________
"Gratitude makes sense of our past, brings peace for today, and creates a vision for tomorrow." - Melody Beattie