SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Transcription

1 SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014 aligns with the Risk Management Guidance issued by the Office of the Comptroller of the Currency (OCC ) dated October 30, 2013 OCC GUIDANCE I. Strategies and Goals: Review of the third party s overall business strategy and goals to ensure no conflict with those of the organization Consider how the third party s current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, joint ventures, joint marketing initiatives) may affect the activity Consider reviewing the third party s service philosophies Consider reviewing the third party s quality initiatives Consider reviewing the third party s efficiency improvements e. Consider reviewing the third party s employment policies and practices II. Legal and Regulatory Compliance: Evaluate the third party s legal and regulatory compliance program Tab I: Information Systems Application Development and Maintenance Tab I: Information Systems Application Development and Maintenance (for employment policies and practices) Tab E: Human Resources Security 1

2 Determine whether the third party has the necessary licenses to operate Tab D: Asset Management (D.1.2 Software Licenses) Determine whether the third party has the necessary expertise, process, and controls to enable the bank to remain compliant with domestic and international laws and regulations Tab L: Compliance (L.4) Tab C: Organizational Security Check compliance status with regulators Tab L: Compliance (L.2) Check compliance status with self- regulatory organizations Tab L: Compliance (L.2) III. Financial Condition: Assess third party s financial condition Perform reviews of the third party s audited financial statements. Evaluate growth, earnings, unfunded liabilities, and other factors that may affect the third party s overall financial stability Review for any pending litigations Tab: Business Information (B.17- B.18) IV. Business Experience and Reputation: Evaluate third party s depth of resources and previous experience providing specific activity Assess the third party s reputation, including history of customer complaints Assess the third party s reputation, including history of litigation Tab B: Business Information (B.17- B.18) Determine how long the third party has been in business Tab B: Business Information (B.16) Determine the market share for the activities e. f. Determine whether there have been significant changes in activities offered or in its business model Reference checks with industry associations, Better Business Bureau, Federal Trade Commission, state attorneys general offices, state consumer affairs offices, and similar foreign authorities g. Check U.S. Securities and Exchange Commission (SEC) or other regulatory filings 2

3 h. i. Review the third party s Websites and other marketing materials to ensure that statements and assertions are inline with the bank s expectations and do not overstate or misrepresent activities and capabilities Determine whether and how third party plans to use the bank s name and reputation in marketing efforts (Privacy Policies) V. Fee Structure and Incentives Evaluate the third party s normal fee structure and incentives for similar business arrangements and determine if fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank VI. Qualifications, Backgrounds, and Reputations of Company Principals Ensure the third party periodically conducts thorough background checks on its senior management Ensure the third party periodically conducts thorough background checks on its employees Ensure the third party periodically conducts thorough background checks on its subcontractors Ensure that third parties have policies and procedures in place for removing employees who do not meet minimum background check requirements 1 Not addressed in SIG Tab E: Human Resource Security (E.2 Background Checks Prior to Employment) 3 Not addressed in SIG Tab E: Human Resource Security (E.7 Constituent Termination Process) VII. Risk Management: Evaluate the effectiveness of the third party s risk management program, including policies, processes, and internal controls Performs internal audit function independently Tab L: Compliance (L.11) 1 SIG 2015 also address background checks of senior management 2 SIG 2015 will also include periodic background checks during employment tenure 3 SIG 2015 will include periodic background checks of subcontractors The new version of the Shared Assessments Program Tools, including SIG 2015, will be released January

4 Third party effectively tests and reports on internal controls Tab L: Compliance (L.3; L.4; L.7- L.13) e. Process for escalating, remediating, and holding management accountable for concerns identified during audits or independent tests Review any certification or assessments by independent third parties for compliance with risk control standards Certification by independent third parties for compliance with domestic or international internal control standards (e.g., the National Institute of Standards and Technology and the International Standards Organization) Tab L: Compliance (L.7; L.8; L.11; L.13) 4 Not addressed in SIG VIII. Information Security: Assess the third party s information security program A. B. Determine whether third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities When technology is necessary to support service delivery, assess third party s infrastructure and application security programs When technology is necessary to support service delivery, assess third party s software development lifecycle When technology is necessary to support service delivery, assess third party s results of vulnerability and penetration tests Tab B: Security Policy (B.1) Development & Maintenance (I.1, I.2, I.3, I.4, I.5) Tab B: Security Policy (B.1) Development & Maintenance Development & Maintenance (I.2.7) Tab G: Communications and Operations Management (G.10) Development & Maintenance (I.3.2) 4 SIG 2015 will include certifications by independent third parties in the Business Information and Documentation Tabs 4

5 Evaluate the third party s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing Development & Maintenance (I.5) IX. Management of Information Systems: Gain a clear understanding of the third party s business processes and technology that will be used to support the activity X. Resilience Review the third party s processes for maintaining accurate inventories of its technology and its subcontractors Assess change management process to ensure that clear roles, responsibilities, and segregation are in place Understand the third party s performance metrics for its information systems and ensure they meet the bank s expectations Tab D: Asset Management Tab C: Organizational Security (C ) Tab G: Communications and Operation Management (G.2) Assess the third party s ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks Determine whether the third parties maintains disaster recovery and business continuity plans that specify the timeframe to resume activities and recover data Review the third party s telecommunications redundancy and resilience plans Ensure third party s redundancy and resilience plans include preparations for known and emerging threats and vulnerabilities (wide scale natural disasters, distributed denial of service attaches or other intentional or unintentional events Review results of business continuity testing and performance during actual disruptions XI. Incident Reporting and Management Programs (K.3.2, K.3.3) (K ) (K.1.2.1) 5

6 Review the third party s incident reporting and management programs to ensure there are clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents XII. Physical Security Evaluate whether the third party has sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees XIII. Human Resources Management Review the third party s program to train and hold employees accountable for compliance with policies and procedures Review the third party s succession and redundancy planning for key management and support personnel Tab J: Incident Event and Communications Management Tab B: Security Policy (B.1.29) Tab F: Physical and Environmental Security Tab E: Human Resources Security (E.3- E.6) XIV. Reliance on Subcontractors Evaluate the volume and types of subcontracted activities Tab C: Organizational Security (C.2) Evaluate the subcontractor geographic locations Quality control - assessment, monitoring and mitigation of risk from use of subcontractors Tab C: Organizational Security (C.2) XV. Insurance Coverage Verify that the third party has fidelity bond coverage attributable to dishonest acts. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) Verify that the third party has Liability coverage for losses attributable to negligent acts. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) 6

7 OCC GUIDANCE Verify that the third party has hazard insurance covering fire, loss of data and protection of documents. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. (The amounts of such coverage should be commensurate with the level of risk involved with the third party s operations and the type of activities to be provided) XVI. Conflicting Contractual Arrangements with Other Parties Obtain information regarding legally binding arrangements with subcontractors or other parties in cases where the third party has indemnified itself, as such arrangements may transfer risks to the bank Tab D: Asset Management (D.3 refers broadly to coverage for business interruption or general services interruption, and to products and services) Tab D: Asset Management (D.3 refers broadly to coverage for business interruption or general services interruption, and to products and services) Tab C: Organizational Security (C ) Evaluate the potential legal and financial implications to the bank of these contracts between the third party and its subcontractors or other parties Tab C: Organizational Security (C ) 7