May 16, 2019

Is it worth your reputation? – WST

At 10-D Security we see a fair number of organizations where the Risk and Vendor Management programs aren't understood or don't get the attention they deserve. Combine those issues with weak BCP or incident response plans and training, and you have the conditions for a perfect storm. The whole point of these controls is to help the institution prepare for the day when things just go bad.

Sometimes the guidance provided by regulators seems like mindless oversight and busy work to comply with regulations, but these areas of concern under the Information Security Program are not to be trivialized and can be as important as physical security. The wealth is in the information, not in the cash drawer. That's not to say physical security is not important, but failure to implement and follow good vendor and risk management controls can increase potential harm to customers or reputational harm to the institution.

In a recent incident, a large IT support vendor was breached and the attackers then targeted that vendor's customers. If this were to occur at one of your critical vendors, would they be contractually obligated to notify you, and if they did, would your Incident Response Plan be useful in responding to the situation? Review your Vendor Management Program to ensure critical vendors are contractually accountable for responding to and quickly communicating a security incident, and that your Incident Response Plan is similarly complete. [For more info on the alleged breach, visit]

If your institution needs some assistance in these areas, visit the 10-D Security website, including our Certified Banking ISO classes. Our sister company, Applied Compliance Services, provides virtual Information Security Officer services or can provide a complete overhaul of your Information Security Program to match regulatory guidance and best practices.

Let us know how we can assist you.
