 Third Party Vendor Information Security Review
Federal laws (Gramm-Leach-Bliley Act) and NCUA regulations 12 CFR Part 748.0, Appendix A and B, require that credit unions exercise due diligence in the oversight of third party service providers who have access to member information and/or information systems. Documentation of due diligence will be reviewed during the credit union’s annual safety and soundness examination. The regulation requires that credit unions ensure that third party service providers have an Information Security Program designed to achieve four objectives:
  • Ensure the security and confidentiality of member information
  • Protect against any potential threats or hazards to the security or integrity of such information
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member
  • Ensure the proper disposal of member information and consumer information
CastleGarde will examine and evaluate items within three broad areas critical to effective information security management and regulatory compliance: 
  • Contract Provisions
  • Third Party Service Provider’s Information Security Program
  • Third Party Service Provider’s Risk Assessment
The CastleGarde Third Party Vendor Information Security Review will evaluate existing contracts and other relevant agreements between the Credit Union and its third party vendors currently engaged in providing the Credit Union with services that require access to member or consumer information and/or member information systems. The assessment will include examination of contract and agreement provisions against FFIEC guidelines, NCUA regulations, current industry standards, and CastleGarde best practices.