Skip to content

Vendor Compliance With InfoSec Guidelines

Answered by: 

DirectPointe provides managed computing services that include remote PC and Network Management services. We are working with a community bank in Utah that is interested in our services, but is concerned with any regulatory issues that may not allow us to have remote access to their network and PCs (since their network is connected to a service bureau, which has confidential information). Can you provide any information/insight into this issue? Can we provide remote services and if so, does our company need to meet certain requirements? Please let me know if you have recommendations.

Unless DirectPointe is working under a preexisting contract (prior to the grandfather date of March 5, 2001), the bank must have a contract which requires the service provider to have an InfoSec Program which is designed to achieve the objectives of the InfoSec Guidelines for financial institutions. This is no small burden. If the service provider was a professional who already has a duty under a professional code of conduct to protect customer information, like attorneys and CPAs do, then the bank would have the discretion to decide whether you will oversee his program on a continuing basis. DirectPointe does not qualify for this exception, so the bank is responsible for monitoring DirectPointe's InfoSec program. A service provider's program does not have to meet the InfoSec Guidelines required of banks, but must be designed to achieve the same goals. This means it has to be an honest attempt at a comprehensive approach to information security. DirectPointe will want to make it as easy for the bank to monitor its program as possible, so it will be providing reports on a regular basis (quarterly is the very least I would consider).

In my opinion DirectPointe should also sign a confidentiality agreement and that can be a part of the contract. That would just be good practice, not essential but there is also no reason to leave it out of the contract.

First published on 12/3/01

First published on 12/03/2001

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics