Vendor Management. Donald Cristan, VP ISO First United Bank Lubbock, TX

Transcription

1 Vendor Management Donald Cristan, VP ISO First United Bank Lubbock, TX

2 About Me Donald Cristan Broad Background - Experience Banking Industry since 2002 Information Technology since 1996 CISSP since 2007 Now VP ISO at First United Bank, Lubbock, TX since 2013 Sr. IT Auditor Houston IT Auditing/ Consulting Firm VP ISO for $3.5 billion bank in Lubbock, TX from IT Client Services Manager

3 Overview of Topics Synopsis Presentation Purpose, Caveats and Disclaimers Preface Vendor Management Program Vendor Selection Risk Assessing Vendors Ongoing Monitoring

4 Synopsis Vendor management is a hot topic in the banking industry and receives high exposure during audits and exams Banks are challenged in managing their vendor management program Laws and Regulations Current Environment Banks want to learn and understand how other banks are: Handling their vendor management process Where the opportunities are to improving their program

5 Purpose, Caveats, and Disclaimers This presentation is merely a representation of the work that has provided success in managing our vendor management program at First United Bank I am not an attorney or an expert in banking laws or regulations Some of the views and opinions expressed in this presentation are mine and do not necessarily reflect the views of First United Bank Please consult with your legal team, compliance department, bank executives or external consultants before adopting any of the practices discussed in this presentation

6 Preface Know and understand your banking regulations and laws pertaining to Vendor Management Implement a strong Vendor Management Program that involves key personnel, executives and BOD If possible, bank should centralize their Vendor Management Program to a department or person(s) The challenge is that multiple departments and personnel handle various vendor relations, contracts, and agreements FUB IT Dept currently tracks 300+ vendors (200 IT Vendors and 100+ non-it Vendors)

7 Preface Use a commercial software application for Vendor Management Repository for vendor information, contract information, contract storage, security reports, financials Assists with vendor risk ratings, due diligence reports, risk assessments, performance monitoring, notifications, customer complaint monitoring, OFAC screenings Cost $$ to $$$$ Many vendors to choose from

8 Preface Depending on the application the bank is using and/or the level of reporting the bank requires there may be some manual processes for: Risk Ratings Vendor Due Diligence Ongoing Vendor Monitoring Depending on bank resources (budget and personnel) the vendor management program can be a lengthy process to have a fully centralized vendor management program Vendor Management Program will continuously evolve and change over time

9 Vendor Management Program at First United Bank Recently revamped the current Vendor Management Program Communicated to all Department Managers that IT is centralizing the Vendor Management Program Departments still have the vendor relation All contracts and service agreements tracked by the IT Department Any new projects involving technology must involve the IT Department.

10 Vendor Management Program at First United Bank IT documented all applications, systems, vendor web sites accessed by employees, and data transfer arrangements Matched current vendor information, contracts, and service agreements Contacted the vendor if contracts or agreements were not found or current Contract and agreement renewals (regardless of $, length of term) discussed during monthly IT Committee meeting All other non-it vendor contracts and agreements were collected and added

11 Vendor Management Program at First United Bank Made changes in technical environment not allowing non- IT personnel to: Install SW on PCs or servers Connecting to FTP sites for data transfers Accessing their USB devices or DVD drives to write data to send to vendor Allowing vendors to initiate remote sessions to PCs or servers without the knowledge of IT (current NDA, Confidentiality agreements?)

12 Vendor Management Program at First United Bank Utilize a Project Binder or Project Document to track projects for critical products and services Utilize a Vendor Risk Rating Matrix Risk rating vendors is not a complete science Subjectivity in risk rating computations, criteria, and format Explain / Defend risk ratings Utilize a Vendor Document Matrix Tracks all vendor documents Combination of SW application and manual processes

13 Vendor Selection Current Challenge: Not engaging the IT Dept in the vendor management process early in the selection of vendor product and services causing a dismay of decisions for: Data security Technical infrastructure Vendor relations Contract structuring Risk reviews Lack of executive support Disappointing to find out that a department has acquired a vendor service, hardware, or application after the fact without sufficient due diligence efforts

14 Vendor Selection Critical applications e.g. online banking platforms, mobile banking platforms, web sites, deposit/lending platforms, core systems, mortgage applications Outsourcing arrangements Hosted solutions SW applications HW Managed Services Regardless of the size of the project, ensure good documentation Next, Project Binder or Project Document

15 Project Checklist Critical Product/Services

16 Project Checklist Critical Product/Services

17 Project Checklist Critical Product/Services

18 Project Checklist Critical Product/Services

19 Project Checklist Critical Product/Services

20 Risk Assessing Vendors

21 Vendor Risk Assessment Project Information Vendor Information

22 Vendor Risk Assessment Hardware and Software Information

23 Vendor Risk Assessment IT Support / Vendor Support Information

24 Vendor Risk Assessment Data and Communication

25 Vendor Risk Assessment Documents to be Updated

26 Ongoing Monitoring

27 Vendor Risk Ratings Ongoing Monitoring Automated or Manual process Software Application Depends on available resources SW application probably works best because it will give you a risk rate of your vendor based on predetermined questions Work with the SW vendor to determine the criteria or to understand the criteria for the risk ratings

28 Ongoing Monitoring Manual Ratings Vendor Risk Matrix If resources are available, then manual risk rate Formulas and Calculations are subjective Be prepared to explain or defend your chosen criteria, formulas and overall risk rating score Develop using spreadsheets or database apps What are the key components for ratings?

29 Risk Rate Vendors Type of Service Critical Function Hard-to-Replace Cloud Based Calculate Critical Score

30 Risk Rate Vendors Data Type Data Volume Sensitivity of Data Breach Loss Calculate Critical Score

31 Risk Rate Vendors Calculate the Scores Determine the Risk Rating Critical High Medium Low

32 Vendor Document Collection Collect documentation for Critical and High Risk Rated Vendors Financials Security Reports Information Security Policy / Program Red Flag Compliant Customer Disputes BCP / DR Testing Regulatory Exams Software Application or Spreadsheet / Database

33 Vendor Document Collection Be persistent with your vendors Don t settle for watered down documents Vendors are now providing Vendor Management packets CFO reviews vendor financials and provide a memo documenting review Perform quarterly financial reviews for sub-performing vendors

34 Vendor Documentation

35 Thank you for your time! Contact Information