REGULATORY HOT TOPIC: Third Party IT Vendor Management

Today's Outsourced Technology Services
• Core Processing
• Internet Banking
• Mobile Banking
• Managed Security Services
• Managed Data Center Services
• And More…

Implementing a Comprehensive Vendor Management Program

Vendor Risk Management Program
• Risk Assessment
• Selection of the Service Provider
• Contracting with the Service Provider
• Monitoring
• Business Continuity

Vendor Management Responsibilities
• The Board and Senior Management retain the responsibility for the service.
• You must manage the service as if it were completed internally by the bank
  – Maintain the same controls
  – Require the same information
  – Monitor the process

Standard Risk Management Process
• Identify the risks
• Measure the risks
• Mitigate the risks
• Monitor the risks
• Report the risk status and updates

Deciding to Outsource
• Have an approved vendor management policy in place before you outsource a service.
• Complete and DOCUMENT your due diligence.
• Understand what you need in the contract to protect the interests of the bank.
• Ensure board oversight of the vendor management program.

What the Board Should Know
• Updates for:
  – Service Level Agreements (SLAs)
  – Data Security
  – Audits and Attestations
  – Vendor Business Recovery and Continuity Testing Results
  – Financial Statements
• The degree of reporting should be increased based on the risk to the bank.
• Regulatory reports should be obtained if available.
• ANNUAL BOARD REPORTING IS REQUIRED by Appendix B to Part 364; periodic reporting is also expected during vendor due diligence.

Management Requirements
• Ensure the outsourced service provider is aligned with business and strategic plans and is appropriate for the size and complexity of the bank.
• Ensure the bank can properly oversee and manage the services.
• Ensure proper monitoring is in place based on the initial and current risk.
• Properly assign responsibilities for monitoring and reporting.

Vendor Management Components
• Risk Assessment
• Selection
• Contracts
• Monitoring

Implementing a Comprehensive Vendor Management Program: RISK ASSESSMENT

The Risk Assessment
• To identify, and make the board aware of, the inherent risk of the outsourced service, such as:
  – Fraud
  – Error
  – Inability to deliver services
• These are operational risks that the board should understand.
• Some of the risks can be mitigated by the service provider.
• Some of the risks have to be mitigated by the bank.

Other Risks to Consider
• Strategic Risk
  – Poor planning for implementation or scalability for growth
• Compliance Risk
  – Outsourcing to vendors that cannot provide the needed proof of compliance
• Reputational Risk
  – Breaches
  – Fraud
  – Errors
  – Service Level
• Interest Rate Risk
  – Errors that lead to inaccurate decisions
• Liquidity Risk
  – Processing Delays or Errors
• Cyber Risk
  – Disruption
  – Malware

Quantifying the Risk: What to Consider
• Functional Risk Measurements
  – Volume of transactions
  – Sensitivity of the data involved
  – Criticality of the service
• Provider Risk Measurements
  – Financial Stability
  – Experience
  – Location
• Technology Risk Measurements
  – Security
  – Reliability
  – Scalability

Who Should Complete the Risk Assessment
• A team with the ability to assess the risk measurements
• Consider carefully who has the expertise to assess the risk based on the services
  – Internal Personnel
  – Auditors
  – Subject Matter Experts
    • IT Security
    • Recovery
    • Cyber Security

Risk Mitigations by the Service Provider
• Controls in place that have been independently tested for
  – Security
  – Availability
  – Confidentiality
  – Processing Integrity
  – Privacy
  – Reporting

Risk Mitigation by the Bank
• What are the bank's responsibilities?
  – How are they defined?
    • Contracts?
    • SOC reports?
  – Testing these requirements
    • Internal testing
    • External testing
    • Monitoring

Implementing a Comprehensive Vendor Management Program: SELECTION AND DUE DILIGENCE

Selection and Due Diligence
• Due Diligence Should be Based on the Level of Risk to the Bank
  – High risk
    • Very formalized
  – Low risk
    • Minimal formalization
• Key Points
  – Financial Stability
  – Capabilities to Scale
    • Technology and Infrastructure
  – Internal Controls and Audits
  – Use of Subcontractors
  – Qualifications and References
  – History of Legal or Regulatory Issues
  – Insurance
  – Ability to Recover
  – Physical and Environmental Controls

Implementing a Comprehensive Vendor Management Program: CONTRACTS

Contracts
• Negotiating the Contract
  – Meets the Bank's Needs and Requirements
    • Identified during the risk assessment process
• Some Common Contract Provisions
  – Scope of Services
    • Activities
    • Implementation Plan
    • Defined Responsibilities
  – The Service Provider's Controls and Responsibility to:
    • Report incidents, including the time frames to report
      – Notification provisions must be aligned with Appendix B to Part 364
    • Provide reports on security and confidentiality controls such as:
      – Cybersecurity
      – Maintenance
      – Notifications

Key Contract Provisions (Cont.)
• Auditing
  – Right to Audit
  – Right to Receive Audits
  – Frequency of Audits
  – Types of Audits Completed
    • Financial
    • IT Security
    • General Controls
    • Recovery
    • Funds Transfers

Key Contract Provisions (Cont.)
• Reporting
  – Financial
  – Service Level
  – Regulatory Compliance
• Disaster Recovery
  – Maintenance and Testing
  – Availability of Test Results
  – Bank Participation
• Sub-contracting
  – Be aware of ANY Sub-contracted Service
    • Be careful of SOC “insertion” here
  – Responsibility Remains with the Service Provider
• Regulatory Adherence
• Performance Standards (SLAs)
  – Measurement and Remedies

Notification of Service Organization Contract
• Banks shall notify their regulator within 30 days of entering into the contract or of the start of performance of the services, whichever occurs first.

A Word About SLAs
• SLAs can provide service level promises for:
  – Record Keeping
  – Security
  – Confidentiality
  – Availability
  – Processing Timeliness and Accuracy (Integrity of Data)
  – System Changes and Updates
  – Independent Testing
  – Business Continuity

Implementing a Comprehensive Vendor Management Program: VENDOR MONITORING

Vendor Monitoring
• Makes sure the vendor is meeting its obligations or has mitigated new risk
  – Reevaluate Active Service Providers at Least Annually
  – Align Monitoring with Risk
  – Report Monitoring Information to the Board

What Should be Monitored
• Similar to Due Diligence Documentation
  – Audit reports
    • Type, Scope and Frequency of Audits
    • Review of Corrective Actions
  – Financial Condition (at least annually)
  – Compliance with SLAs
    • GLBA and Incident Response Program
  – Any incidents reflecting non-compliance with SLAs or other security standards should be reported to the board.
  – Continuity Plans and Testing
• Some regulatory reports are available for service providers.
  – Bank must be a client under contract
  – Request from the FDIC regional office
• Ensure the right personnel are used to monitor the vendor.

Business Continuity for Vendors
• Disruptive Events
  – Cybersecurity Attacks
  – Environmental Disasters
• Service Providers MUST be included in the continuity plans, INCLUDING recovery time objectives.
• Management must review vendor continuity testing, including:
  – Connectivity
  – Capacity or Alternate Facilities
  – Transaction Volume
  – Interdependencies (internal and external)
• Revised Business Continuity Appendix J

Evaluating the Provider
• Service Organization Controls (SOC) Report
  – SOC 1 (formerly SAS 70)
    • May not completely cover all controls
    • May not be the right report
  – SOC 2: Uses the Trust Principles. What's important to you?
    • Security
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  – SOC 3: Used as a marketing tool

Reviewing an SOC Report
• Does the report fit the services provided?
  – SOC 1 or 2, Type 1 or 2
  – Does it address the correct services?
  – Is it from a sub-service provider? (SOC Insertion)
• What are the dates of the report?
  – Type 1: As of
  – Type 2: For the period of
  – Does the report cover the latest period?
• Is the opinion unqualified or qualified?
• What kind of exceptions are noted, and what are the management responses?

Example of a Qualified Opinion: Service Organization Controls (SOC)

Example of an Unqualified Opinion: Service Organization Controls (SOC)

Exceptions Review for an SOC

Reviewing an SOC Report
• What are the client control considerations?
  – These are critical because they are what YOUR responsibilities are.
  – Are you completing these items?

Example of User Control Considerations

Other Reports to Consider
• Agreed Upon Procedures
  – These can be custom tailored to the bank's needs
    • Agreed to by the bank, the vendor, and the auditor
• Specialized Reports
  – PCI (Payment Card Industry)
  – TR-39 Payment Card Processing

Other Areas to Consider
• Foreign Based Relationships
  – Unique Risks Can Occur
    • All risks may be more difficult to measure
    • Legal and Regulatory
    • See Appendix C of the Outsourcing Booklet

David Mills, MBA, CISA, CISSP, CGEIT, CRISC, MCSE
IT Audit and Assurance Partner CRI Corporate Office
334.348.1436 [email protected]
Kathleen Zuniga, CPA
Audit and Assurance Partner CRI New Orleans Office
504.493.4711 [email protected]