TOPIC: Business Continuity

Is it worth your reputation?

At 10-D Security we see a fair number of organizations where the Risk and Vendor Management programs aren’t understood or don’t get the attention they deserve. Combine those issues with weak BCP or incident response plans and training, and you have conditions for a perfect storm. The whole point of these controls is to help the institution prepare for the day when things just go bad.

Sometimes the guidance provided by regulators seems like mindless oversight and busy work to comply with regulations, but these areas of concern under the Information Security Program are not to be trivialized and can be as important as physical security. The wealth is in the information, not in the cash drawer. That’s not to say physical security is not important, but failure to implement and follow good vendor and risk management controls can increase potential harm to customers or reputational harm to the institution.

A recent incident related to a large IT support vendor that was breached resulted in their customers being targeted by the attackers. If this were to occur at one of your critical vendors, would they be contractually obligated to notify you, and if they did, would your Incident Response Plan be useful in responding to the situation? Review your Vendor Management Program to ensure critical vendors are contractually accountable for responding to and quickly communicating a security incident, and that your Incident Response Plan is similarly complete. [For more info on the alleged breach, visit]

If your institution needs some assistance in these areas, visit the 10-D Security website, including our Certified Banking ISO classes. Our sister company, Applied Compliance Services, provides virtual Information Security Officer services or can provide a complete overhaul of your Information Security Program to match regulatory guidance and best practices. Let us know how we can assist you.

    Business Intelligence Department

    AVP at a bank ($459M USA)

    Does anyone's institution have a Business Intelligence department currently? At what asset size did your institution add a Business Intelligence department to the team? What is your current asset size if you are looking to develop one? By Business Intelligence I mean a team that is dedicated to analyzing processes within your institution and gathering data to find ways to improve. Additionally, they would be responsible for working with the department leads to explore new business opportunities. Specifically, they would be responsible for gathering quantifiable data that would assist the department/senior management with making those decisions rather than relying simply on feelings and assumptions.