SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Size: px
Start display at page:

Download "SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS"

Transcription

1 SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014 aligns with the Risk Management Guidance issued by the Office of the Comptroller of the Currency (OCC ) dated October 30, 2013 OCC GUIDANCE I. Strategies and Goals: Review of the third party s overall business strategy and goals to ensure no conflict with those of the organization Consider how the third party s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, joint ventures, joint marketing initiatives) may affect the activity Consider reviewing the third party s service philosophies Consider reviewing the third party s quality initiatives Consider reviewing the third party s efficiency improvements e. Consider reviewing the third party s employment policies and practices II. Legal and Regulatory Compliance: Evaluate the third party s legal and regulatory compliance program Tab I: Information Systems Application Development and Maintenance Tab I: Information Systems Application Development and Maintenance (for employment policies and practices) Tab E: Human Resources Security 1

2 Determine whether the third party has the necessary licenses to operate Tab D: Asset Management (D.1.2 Software Licenses) Determine whether the third party has the necessary expertise, process, and controls to enable the bank to remain compliant with domestic and international laws and regulations Tab L: Compliance (L.4) Tab C: Organizational Security Check compliance status with regulators Tab L: Compliance (L.2) Check compliance status with self- regulatory organizations Tab L: Compliance (L.2) III. Financial Condition: Assess third party s financial condition Perform reviews of the third party s audited financial statements. Evaluate growth, earnings, unfunded liabilities, and other factors that may affect the third party s overall financial stability Review for any pending litigations Tab: Business Information (B.17- B.18) IV. Business Experience and Reputation: Evaluate third party s depth of resources and previous experience providing specific activity Assess the third party s reputation, including history of customer complaints Assess the third party s reputation, including history of litigation Tab B: Business Information (B.17- B.18) Determine how long the third party has been in business Tab B: Business Information (B.16) Determine the market share for the activities e. f. Determine whether there have been significant changes in activities offered or in its business model Reference checks with industry associations, Better Business Bureau, Federal Trade Commission, state attorneys general offices, state consumer affairs offices, and similar foreign authorities g. Check U.S. Securities and Exchange Commission (SEC) or other regulatory filings 2

3 h. i. Review the third party s Websites and other marketing materials to ensure that statements and assertions are inline with the bank s expectations and do not overstate or misrepresent activities and capabilities Determine whether and how third party plans to use the bank s name and reputation in marketing efforts (Privacy Policies) V. Fee Structure and Incentives Evaluate the third party s normal fee structure and incentives for similar business arrangements and determine if fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank VI. Qualifications, Backgrounds, and Reputations of Company Principals Ensure the third party periodically conducts thorough background checks on its senior management Ensure the third party periodically conducts thorough background checks on its employees Ensure the third party periodically conducts thorough background checks on its subcontractors Ensure that third parties have policies and procedures in place for removing employees who do not meet minimum background check requirements 1 Not addressed in SIG Tab E: Human Resource Security (E.2 Background Checks Prior to Employment) 3 Not addressed in SIG Tab E: Human Resource Security (E.7 Constituent Termination Process) VII. Risk Management: Evaluate the effectiveness of the third party s risk management program, including policies, processes, and internal controls Performs internal audit function independently Tab L: Compliance (L.11) 1 SIG 2015 also address background checks of senior management 2 SIG 2015 will also include periodic background checks during employment tenure 3 SIG 2015 will include periodic background checks of subcontractors The new version of the Shared Assessments Program Tools, including SIG 2015, will be released January

4 Third party effectively tests and reports on internal controls Tab L: Compliance (L.3; L.4; L.7- L.13) e. Process for escalating, remediating, and holding management accountable for concerns identified during audits or independent tests Review any certification or assessments by independent third parties for compliance with risk control standards Certification by independent third parties for compliance with domestic or international internal control standards (e.g., the National Institute of Standards and Technology and the International Standards Organization) Tab L: Compliance (L.7; L.8; L.11; L.13) 4 Not addressed in SIG VIII. Information Security: Assess the third party s information security program A. B. Determine whether third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities When technology is necessary to support service delivery, assess third party s infrastructure and application security programs When technology is necessary to support service delivery, assess third party s software development lifecycle When technology is necessary to support service delivery, assess third party s results of vulnerability and penetration tests Tab B: Security Policy (B.1) Development & Maintenance (I.1, I.2, I.3, I.4, I.5) Tab B: Security Policy (B.1) Development & Maintenance Development & Maintenance (I.2.7) Tab G: Communications and Operations Management (G.10) Development & Maintenance (I.3.2) 4 SIG 2015 will include certifications by independent third parties in the Business Information and Documentation Tabs 4

5 Evaluate the third party s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing Development & Maintenance (I.5) IX. Management of Information Systems: Gain a clear understanding of the third party s business processes and technology that will be used to support the activity X. Resilience Review the third party s processes for maintaining accurate inventories of its technology and its subcontractors Assess change management process to ensure that clear roles, responsibilities, and segregation are in place Understand the third party s performance metrics for its information systems and ensure they meet the bank s expectations Tab D: Asset Management Tab C: Organizational Security (C ) Tab G: Communications and Operation Management (G.2) Assess the third party s ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks Determine whether the third parties maintains disaster recovery and business continuity plans that specify the timeframe to resume activities and recover data Review the third party s telecommunications redundancy and resilience plans Ensure third party s redundancy and resilience plans include preparations for known and emerging threats and vulnerabilities (wide scale natural disasters, distributed denial of service attaches or other intentional or unintentional events Review results of business continuity testing and performance during actual disruptions XI. Incident Reporting and Management Programs (K.3.2, K.3.3) (K ) (K.1.2.1) 5

6 Review the third party s incident reporting and management programs to ensure there are clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents XII. Physical Security Evaluate whether the third party has sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees XIII. Human Resources Management Review the third party s program to train and hold employees accountable for compliance with policies and procedures Review the third party s succession and redundancy planning for key management and support personnel Tab J: Incident Event and Communications Management Tab B: Security Policy (B.1.29) Tab F: Physical and Environmental Security Tab E: Human Resources Security (E.3- E.6) XIV. Reliance on Subcontractors Evaluate the volume and types of subcontracted activities Tab C: Organizational Security (C.2) Evaluate the subcontractor geographic locations Quality control - assessment, monitoring and mitigation of risk from use of subcontractors Tab C: Organizational Security (C.2) XV. Insurance Coverage Verify that the third party has fidelity bond coverage attributable to dishonest acts. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) Verify that the third party has Liability coverage for losses attributable to negligent acts. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) 6

7 OCC GUIDANCE Verify that the third party has hazard insurance covering fire, loss of data and protection of documents. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) XVI. Conflicting Contractual Arrangements with Other Parties Obtain information regarding legally binding arrangements with subcontractors or other parties in cases where the third party has indemnified itself, as such arrangements may transfer risks to the bank Tab D: Asset Management (D.3 refers broadly to coverage for business interruption or general services interruption, and to products and services) Tab D: Asset Management (D.3 refers broadly to coverage for business interruption or general services interruption, and to products and services) Tab C: Organizational Security (C ) Evaluate the potential legal and financial implications to the bank of these contracts between the third party and its subcontractors or other parties Tab C: Organizational Security (C ) 7

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

VENDORINSIGHTU P D A T E

VENDORINSIGHTU P D A T E VENDORINSIGHTU P D A T E November 12, 2013 COMPLIANCE VendorINSIGHT is the industry-leading solution for financial institutions offering the most features and capabilities for vendor risk monitoring. Ask

More information

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

TABLE OF CONTENTS CHAPTER TITLE PAGE

TABLE OF CONTENTS CHAPTER TITLE PAGE viii TABLE OF CONTENTS CHAPTER TITLE PAGE TITLE PAGE DECLARATION DEDICATION ACKNOWLEDGEMENT ABSTRACT ABSTRAK TABLE OF CONTENTS LIST OF TABLES LIST OF FIGURES LIST OF APPENDICES I II III IV VI VII VIII

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,

More information

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner

More information

Cyber security standard

Cyber security standard Cyber security standard Brief description This *Standard specifies security standards that protect *ICT systems and data from unintended or unauthorized access, damage or destruction. Related policies

More information

Outsourcing has become a critical component of financial institutions management

Outsourcing has become a critical component of financial institutions management Skadden Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or call your regular Skadden

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Any business relationship between a bank and another entity, by contract or otherwise

Any business relationship between a bank and another entity, by contract or otherwise An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

Outsourcing Technology Services A Management Decision

Outsourcing Technology Services A Management Decision Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships

More information

INTRODUCTION I. CONSTITUTION

INTRODUCTION I. CONSTITUTION INTRODUCTION Enbridge Energy Partners, L.P.(the Partnership ) is a Delaware limited partnership whose Class A Common Units are registered under Section 12 of the Securities and Exchange Act of 1934, as

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

FINANCIAL SERVICES FLASH REPORT

FINANCIAL SERVICES FLASH REPORT FINANCIAL SERVICES FLASH REPORT OCC Updates Guidance on Third-Party Relationships December 2, 2013 Introduction On November 4, 2013, the Office of the Comptroller of the Currency (OCC) released Bulletin

More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan Introduction This manual documents the business continuity plan for Eastwood Wealth Management, an LPL Financial branch office that conducts business in: equity, fixed income,

More information

HAROLD CAMPING i ii iii iv v vi vii viii ix x xi xii 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

More information

Statement of Guidance: Outsourcing All Regulated Entities

Statement of Guidance: Outsourcing All Regulated Entities Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

CESG Certification of Cyber Security Training Courses

CESG Certification of Cyber Security Training Courses CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT

PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT RESOURCES PROVIDED THROUGH APRIL 2001 Slides Narration In the last presentation, you learned about some of the general responsibilities

More information

CAYMAN ISLANDS. Supplement No. 5 published with Gazette No. 19 dated 14 September, STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES

CAYMAN ISLANDS. Supplement No. 5 published with Gazette No. 19 dated 14 September, STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES CAYMAN ISLANDS Supplement No. 5 published with Gazette No. 19 dated 14 September, 2015. STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES Statement of Guidance: Outsourcing Regulated Entities 1. STATEMENT

More information

I S O I E C 2 7 0 0 2 2 0 1 3 I N F O R M A T I O N S E C U R I T Y A U D I T T O O L

I S O I E C 2 7 0 0 2 2 0 1 3 I N F O R M A T I O N S E C U R I T Y A U D I T T O O L 15.1 ESTABLISH SECURITY AGREEMENTS WITH SUPPLIERS 15.1.1 EXPECT SUPPLIERS TO COMPLY WITH RISK MITIGATION AGREEMENTS Do you clarify the information security risks that exist whenever your suppliers have

More information

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS DIRECTORATE OF BANKING SUPERVISION AUGUST 2009 TABLE OF CONTENTS PAGE 1.0 INTRODUCTION..3 1.1 Background...3 1.2 Citation...3

More information

IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance Regulatory. P.K.Patel AGM, MoF IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation

More information

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction Contents Acknowledgments Introduction 1. Governance Overview How Do We Do It? What Do We 1 Get Out of It? 1.1 What Is It? 1 1.2 Back to Basics 2 1.3 Origins of Governance 3 1.4 Governance Definition 5

More information

WHITE PAPER Third-Party Risk Management Lifecycle Guide

WHITE PAPER Third-Party Risk Management Lifecycle Guide WHITE PAPER Third-Party Risk Management Lifecycle Guide Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program. Third

More information

Pharmaceutical and Biomedical Due Diligence Checklist

Pharmaceutical and Biomedical Due Diligence Checklist Pharmaceutical and Biomedical Due Diligence Checklist Pharmaceutical and Biomedical Due Diligence Checklist 2 This due diligence checklist template includes many of the key items that are required in M&A

More information

Risks and uncertainties

Risks and uncertainties Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

FIELDSTONE 120 West 45th Street, Suite 1400, New York, NY 10036 TEL: (212) 626-1400 FAX: (212) 626-1414

FIELDSTONE 120 West 45th Street, Suite 1400, New York, NY 10036 TEL: (212) 626-1400 FAX: (212) 626-1414 FIELDSTONE 120 West 45th Street, Suite 1400, New York, NY 10036 TEL: (212) 626-1400 FAX: (212) 626-1414 Fieldstone Services Corp. Business Continuity Plan (BCP) General guidance and background: Please

More information

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, 2013. p i.

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, 2013. p i. New York, NY, USA: Basic Books, 2013. p i. http://site.ebrary.com/lib/mcgill/doc?id=10665296&ppg=2 New York, NY, USA: Basic Books, 2013. p ii. http://site.ebrary.com/lib/mcgill/doc?id=10665296&ppg=3 New

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Risk Management in the New Regulatory Environment. kpmg.com Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators

More information

30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC)

30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC) 30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC) have issued extensive new guidance to financial institutions about the use of third parties to perform functions

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

LEMLEY, YARLING & CO. LEMLEY, YARLING MANAGEMENT CO. BUSINESS CONTINUITY PLAN

LEMLEY, YARLING & CO. LEMLEY, YARLING MANAGEMENT CO. BUSINESS CONTINUITY PLAN I. Emergency Contact Persons LEMLEY, YARLING & CO. LEMLEY, YARLING MANAGEMENT CO. BUSINESS CONTINUITY PLAN Our firm s two emergency contact persons are: Ralph J. Lemley, Budlemley@aol.com, (608) 624-5777

More information

Financial Services Guidance Note Outsourcing

Financial Services Guidance Note Outsourcing Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14

More information

NexTrend Securities, Inc. Business Continuity Plan (BCP)

NexTrend Securities, Inc. Business Continuity Plan (BCP) NexTrend Securities, Inc. Business Continuity Plan (BCP) I. Emergency Contact NexTrend Securities, Inc. (the firm ) emergency contact person: Name: Mark Cherlin Position: Executive Representative and Registered

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Regulations on Information Systems Security. I. General Provisions

Regulations on Information Systems Security. I. General Provisions Riga, 7 July 2015 Regulations No 112 (Meeting of the Board of the Financial and Capital Market Commission Min. No 25; paragraph 2) Regulations on Information Systems Security Issued in accordance with

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

FAR Clause 52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS COMMERCIAL ITEMS (NOVEMBER 2015)

FAR Clause 52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS COMMERCIAL ITEMS (NOVEMBER 2015) FAR Clause 52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS COMMERCIAL ITEMS (NOVEMBER 2015) (a) The Contractor shall comply with the following Federal Acquisition

More information

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS) Information Technology Disaster Recovery Policy Policy Statement This policy defines acceptable methods for disaster recovery planning, preparedness, management and mitigation of IT systems and services

More information

Operational Risk Management Policy

Operational Risk Management Policy Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well

More information

Information Technology

Information Technology Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level

More information

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management

More information

Business Continuity Plan Summary (Revised November 26, 2012)

Business Continuity Plan Summary (Revised November 26, 2012) Business Continuity Plan Summary (Revised November 26, 2012) This document summarizes the business continuity plan (BCP ) of CIS Capital Markets LLC, dba Clarkson Capital Markets (the Firm ). The purpose

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

GODADDY INC. CORPORATE GOVERNANCE GUIDELINES. Adopted as of February 3, 2015

GODADDY INC. CORPORATE GOVERNANCE GUIDELINES. Adopted as of February 3, 2015 GODADDY INC. CORPORATE GOVERNANCE GUIDELINES Adopted as of February 3, 2015 The following corporate governance guidelines have been adopted by the Board of Directors (the Board ) of GoDaddy Inc. (the Company

More information

Project Management Guidelines

Project Management Guidelines Project Management Guidelines 1. INTRODUCTION. This Appendix (Project Management Guidelines) sets forth the detailed Project Management Guidelines. 2. PROJECT MANAGEMENT PLAN POLICY AND GUIDELINES OVERVIEW.

More information

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

More information

Coping with a major business disruption. Some practical advice

Coping with a major business disruption. Some practical advice Coping with a major business disruption Some practical advice Coping with a major business disruption What is business continuity? Business continuity planning (BCP) is a management process that helps

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Team Financial Resources, Inc. Business Continuity Plan (BCP)

Team Financial Resources, Inc. Business Continuity Plan (BCP) Team Financial Resources, Inc. Business Continuity Plan (BCP) January 1, 2012 I. Emergency Contact Persons Our firm s two emergency contact persons are: Laura H. Strickland, President Office: 919-658-4997

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Third Party Relationships

Third Party Relationships 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B D INTRODUCTION AND PURPOSE Background Yes/No Comments 1. Does the credit union maintain a list of the third party

More information

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES THIS POLICY SETS OUT THE REQUIREMENTS FOR SAFEGUARDING COMPANY ASSETS AND RESOURCES TO PROTECT PATIENTS, STAFF, PRODUCTS, PROPERTY AND

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

To: Our Clients and Friends March 25, 2014

To: Our Clients and Friends March 25, 2014 Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors

More information

FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER

FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER As a board-level discussion topic at all financial institutions (FI) today, operational risk is real and public disclosure of significant

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

Electronic Payment Schemes Guidelines

Electronic Payment Schemes Guidelines BANK OF TANZANIA Electronic Payment Schemes Guidelines Bank of Tanzania May 2007 Bank of Tanzania- Electronic Payment Schemes and Products Guidleness page 1 Bank of Tanzania, 10 Mirambo Street, Dar es

More information

Rogers Insurance Client Presentation

Rogers Insurance Client Presentation Rogers Insurance Client Presentation Network Security and Privacy Breach Insurance Presented by Matthew Davies Director Professional, Media & Cyber Liability Chubb Insurance Company of Canada mdavies@chubb.com

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

ELECTRONICS AND INFORMATION TECHNOLOGY ERRORS AND OMISSIONS, INTELLECTUAL PROPERTY RIGHTS APPLICATION (Claims made Coverage)

ELECTRONICS AND INFORMATION TECHNOLOGY ERRORS AND OMISSIONS, INTELLECTUAL PROPERTY RIGHTS APPLICATION (Claims made Coverage) ELECTRONICS AND INFORMATION TECHNOLOGY ERRORS AND OMISSIONS, INTELLECTUAL PROPERTY RIGHTS APPLICATION (Claims made Coverage) Some sections of the application will not apply to your firm. Where this is

More information

Third-Party Cybersecurity and Data Loss Prevention

Third-Party Cybersecurity and Data Loss Prevention Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management

More information

ATEL Securities Corporation Business Continuity Plan

ATEL Securities Corporation Business Continuity Plan Business Continuity Plan I. Emergency Contact Persons The Firm s emergency contact persons ( Executive Representatives ) are: Dean Cash Chairman and CEO () Pari Choksi Executive Vice President, CFO and

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay

More information

Business Continuity Plan Template for Small Introducing Firms. [Firm Name] Business Continuity Plan (BCP)

Business Continuity Plan Template for Small Introducing Firms. [Firm Name] Business Continuity Plan (BCP) Business Continuity Plan Template for Small Introducing Firms [Firm Name] Business Continuity Plan (BCP) Updated May 12, 2010 This optional template is provided to assist small introducing firms in fulfilling

More information

Software as a Service: Guiding Principles

Software as a Service: Guiding Principles Software as a Service: Guiding Principles As the Office of Information Technology (OIT) works in partnership with colleges and business units across the University, its common goals are to: substantially

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

AUSTRACLEAR REGULATIONS Guidance Note 10

AUSTRACLEAR REGULATIONS Guidance Note 10 BUSINESS CONTINUITY AND DISASTER RECOVERY The purpose of this Guidance Note The main points it covers To assist participants to understand the disaster recovery and business continuity arrangements they

More information

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions Committee on Payments and Market Infrastructures Board of the International Organization of Securities Commissions Principles for financial market infrastructures: Assessment methodology for the oversight

More information

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions Committee on Payment and Settlement Systems Board of the International Organization of Securities Commissions Consultative report Principles for financial market infrastructures: Assessment methodology

More information

BERNARD HEROLD & CO., INC. BUSINESS CONTINUITY PLAN

BERNARD HEROLD & CO., INC. BUSINESS CONTINUITY PLAN BERNARD HEROLD & CO., INC. BUSINESS CONTINUITY PLAN Revised May 2015 Reviewed and approved by Lawrence Herold TABLE OF CONTENTS I Emergency Contact Persons 3 II Firm Policy 3 III Business Description 4

More information

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015 Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,

More information

Mazzone & Associates, Inc.

Mazzone & Associates, Inc. Mazzone & Associates, Inc. Business Continuity Plan (BCP) Introduction. As a result of our ever-changing and evolving world, it has become necessary for firms in the financial services industry to take

More information

Business Continuity Plan (BCP)

Business Continuity Plan (BCP) Business Continuity Plan (BCP) I. Emergency Contact Persons Our firm s two emergency contact persons are: Jay McAnelly, jay.mcanelly@invpro.com, 210-386-5468 and Richard Dullnig, richard.dullnig@invpro.com

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

Business Continuity Planning for Risk Reduction

Business Continuity Planning for Risk Reduction Business Continuity Planning for Risk Reduction Ion PLUMB ionplumb@yahoo.com Andreea ZAMFIR zamfir_andreea_ileana@yahoo.com Delia TUDOR tudordelia@yahoo.com Faculty of Management Academy of Economic Studies

More information

SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 ISSUED: 4 th May 2004 REVISED: 27 th August 2009 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS I. INTRODUCTION The Central Bank

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault Anatomy of an IT Outsourcing Deal Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault 3656867 Agenda Key Considerations for IT Outsourcing Decision Anatomy of an Outsourcing

More information

SecureVest Financial Group, Inc. Argentis Advisors Business Continuity Plan (BCP)

SecureVest Financial Group, Inc. Argentis Advisors Business Continuity Plan (BCP) SecureVest Financial Group, Inc. Argentis Advisors Business Continuity Plan (BCP) I. Emergency Contact Persons August, 2015 Our firm s three (3) emergency contact persons are August Cellitti (973) 723-9078,

More information