I have been asked a question about something I know nothing about. The question was "Does GLB require banks to have their security audit done by non-affiliated 3rd party providers to prevent any type of conflict of interest?"
OK, first I am not even sure this falls under GLB, but I am aware that the regulatory agencies expect banks to perform, I believe, two types of tests to make sure their security systems are safe.
Is this review/test/audit required to be done by anyone in particular? Can the bank do it themselves if the proper procedures are followed and it is well documented? Or, even if NOT required, does having a reputable 3rd party provider perform the review/test/audit give the bank a positive edge when the regulatory agencies come in?
I believe there are some guidelines that the FFIEC put out, but if someone can either answer this for me, or point me to where I might find the answer myself, I would be indebted to BOL for the rest of my days...
Well, actually I already am after the FACT Act...but that's beside the point! Thanks in advance for any help/advice/suggestions! I luv you guys!!!