Pub. 4 2015 Issue 2

Summer | 2015

piece of equipment, or find ways to perform the process manually until the equipment arrives. These kinds of discussions need to happen well in advance of your next disaster.

Now, enter vendor relationships. Never before have we relied on vendors and outsourced services more. With the expansion of technological advances comes the expansion of our reliance on companies who understand how to use those advances. I’m sure you have all developed useful vendor management procedures to manage the risks involved with third-party relationships involving customer information and/or access to your network. Appendix J reminds us all that while business continuity planning and vendor management are both great things to have individually, they really need to overlap more than most people think.

Are your business continuity expectations reliant on any vendor service? Are you assuming that your vendor will be available immediately to come to your aid? I think we assume we are going to be our vendors’ only priority should disaster strike. It’s important to understand what kind of clientele your vendor services. Do they have many customers in your area who could potentially need their help as much as you would during or following a disaster? When looking at cyber attacks, have you planned for a scenario where you and your critical service provider fall victim to the same attack and are both working toward recovery simultaneously?

Do all of your BCP recovery procedures involve moving to another branch, or are you also preparing for the network or communications to your vendor to be down as well? Many people are very prepared to pick up and function at a branch location, but have no manual procedures in place in the event they can’t communicate with their core or their network files are unavailable. Does your BCP testing involve your service providers? Do applicable vendors have their own incident response plans, and have you seen them?
Like I said earlier, these questions should be answered now while you have time to look at and upgrade your BCP or vendor management procedures instead of finding out the answers during a disaster or cyber attack. I think the biggest thing I took away from Appendix J is the reminder that no part of our information security program should be compartmentalized. These areas of security all depend on each other, so collaboration and review are necessary for making them useful and successful. Happy planning!

Stephanie Chaumont is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.
