Regulatory Reality: Vendor Management


April 23, 2010  10:14 PM

Compliance professionals need thick skins



Posted by: David Schneier
assessment, assessments, Audit, bcp, business continuity planning, controls, framework, general controls, GLBA, IT General Controls, NCUA, Regulatory Compliance, Security, security awareness, Vendor Management

I've often surprised people when it comes to conducting audit/assessment work or developing compliance programs. Generally speaking, I'm a reasonable person who typically exhibits an abundance of flexibility in my day-to-day life. However, when it comes to my career, I tend to be much more of a...

April 16, 2010  4:56 PM

Regulatory compliance is not optional



Posted by: David Schneier
Audit, bcp, business continuity planning, compliance, exam, examiner, FDIC, NCUA, Regulatory Compliance, vendor, Vendor Management

If I haven't already shared this with you, I'm a partner in a regulatory compliance advisory firm.  We offer services to the banking sector that pretty much cover the entirety of the information security spectrum.  And as you might imagine, there's a fair amount of sales and marketing that go...


February 23, 2010  4:17 AM

Rethinking compliance software



Posted by: David Schneier
Audit, bcp, disaster recovery, GLBA, PCI, Regulatory Compliance, risk assessment, SOX, Vendor Management

Here's me about to eat crow. After nearly a decade of railing against software as a solution to address the challenges of regulatory/industry compliance, I'm being forced to reconsider my position. I've long advocated that an institution or organization could just as easily develop manual...


December 29, 2009  5:30 PM

Was 2009 the year regulatory compliance became a good thing?



Posted by: David Schneier
Audit, business continuity planning, GLBA, information security, IT General Controls, red flags, red flags identity theft, Regulatory Compliance, Vendor Management

When I sat down to write my last blog post for 2009, I was planning to write either about my predictions for 2010 or a retrospective of 2009. But that's just so clichéd; everyone does that or tries to. And as I'd written in a recent post about...


November 12, 2009  1:44 PM

Information security officers are a must



Posted by: David Schneier
Audit, business continuity planning, CISO, compliance, GLBA, information security, information security office, ISO, Regulatory Compliance, Vendor Management

I was talking with a client last week about a perceived gap in their organization.  Despite having to address multiple regulations cutting across several oversight bodies, they were lacking a single point of contact or central coordinator for all information security related activities.  Their...


April 13, 2009  9:36 PM

What vendor management is really all about



Posted by: David Schneier
FDIC, FFIEC, GLBA, Regulatory Compliance, shared assessment, Vendor Management

I received an email from a colleague last week in regards to my recent post about the BITS Shared Assessments Program.  In the entry I offered my high opinion of the framework but went out of my way to point out that by itself the assessment is not a vendor management program.  The subject line...


April 2, 2009  4:21 PM

Keep an eye on Shared Assessments.



Posted by: David Schneier
Audit, GLBA, Regulatory Compliance, SOX, Vendor Management

About thirty seconds after I posted my last blog an item on the

