I'm actually auditing my bank on that right now, and we don't have anything substantial written out on it. All I could find on it in our Information Security Program was that we require service providers to sign contracts which state that they must uphold all standards relating to the security of customer information. We are also required by our own rules to use insured companies. I am asking around the bank though to see if we have any established guidlines for choosing an appropriate outside vendor. It isn't much information, but I hope it helps. I've read and re-read the Interagency Guidelines, and the good thing is and which will probably help you out quite a bit, is that they are just guidelines. So if your Security Program at least mentions that you take vendor management into consideration, that's probably good enough for your regulators, though you should check to see if your specific regulator has ay additional requirements regarding this issue.