I think not, because after conducting due diligence, we've decided to not go with them!
That's a total joke for any OCC examiner reading this.
Question, are external IT auditors telling you your examiner is your vendor and needs to be included in the vendor management process? OCC was here when we got this recommendation from an external auditor. The OCC seemed pretty clueless.
They do obviously have access to our information and it is stored somewhere. They must have information security procedures and protections. I definitely consider their possession of our information an additional threat to info security.
Bottom line, we've gotten nowhere with securing some sort of information regarding how they protect our information and we're sick of asking. Any thoughts (I have plenty!!) or experience to share? I want to remove this item from my follow-up report, unresolved but accepted as such.
Thanks!