SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS



An overview of how the Shared Assessments Program SIG 2014 aligns with the Risk Management Guidance issued by the Office of the Comptroller of the Currency (OCC 2013-29) dated October 30, 2013.

Each OCC 2013-29 due-diligence item is listed below, followed by the SIG 2014 tab(s) and question numbers that address it. Where the mapping notes that an item is not addressed in SIG 2014, the footnote indicates how SIG 2015 covers it.

OCC 2013-29 GUIDANCE

I. Strategies and Goals: Review of the third party's overall business strategy and goals to ensure no conflict with those of the organization.
a. Consider how the third party's current and proposed strategic business arrangements (such as mergers, acquisitions, divestitures, joint ventures, joint marketing initiatives) may affect the activity.
b. Consider reviewing the third party's service philosophies.
c. Consider reviewing the third party's quality initiatives.
d. Consider reviewing the third party's efficiency improvements.
e. Consider reviewing the third party's employment policies and practices.
SIG 2014: Tab I: Information Systems Application Development and Maintenance; Tab E: Human Resources Security (for employment policies and practices).

II. Legal and Regulatory Compliance: Evaluate the third party's legal and regulatory compliance program.
a. Determine whether the third party has the necessary licenses to operate. SIG 2014: Tab D: Asset Management (D.1.2 Software Licenses).
b. Determine whether the third party has the necessary expertise, process, and controls to enable the bank to remain compliant with domestic and international laws and regulations. SIG 2014: Tab L: Compliance (L.4); Tab C: Organizational Security.
c. Check compliance status with regulators. SIG 2014: Tab L: Compliance (L.2).
d. Check compliance status with self-regulatory organizations. SIG 2014: Tab L: Compliance (L.2).

III. Financial Condition: Assess the third party's financial condition.
a. Perform reviews of the third party's audited financial statements.
b. Evaluate growth, earnings, unfunded liabilities, and other factors that may affect the third party's overall financial stability.
c. Review for any pending litigation. SIG 2014: Tab B: Business Information (B.17-B.18).

IV. Business Experience and Reputation:
a. Evaluate the third party's depth of resources and previous experience providing the specific activity.
b. Assess the third party's reputation, including history of customer complaints.
c. Assess the third party's reputation, including history of litigation. SIG 2014: Tab B: Business Information (B.17-B.18).
d. Determine how long the third party has been in business. SIG 2014: Tab B: Business Information (B.16).
e. Determine the market share for the activities.
f. Determine whether there have been significant changes in activities offered or in its business model.
g. Reference checks with industry associations, Better Business Bureau, Federal Trade Commission, state attorneys general offices, state consumer affairs offices, and similar foreign authorities.
h. Check U.S. Securities and Exchange Commission (SEC) or other regulatory filings.
i. Review the third party's websites and other marketing materials to ensure that statements and assertions are in line with the bank's expectations and do not overstate or misrepresent activities and capabilities.
j. Determine whether and how the third party plans to use the bank's name and reputation in marketing efforts. SIG 2014: (Privacy Policies).

V. Fee Structure and Incentives: Evaluate the third party's normal fee structure and incentives for similar business arrangements and determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank.

VI. Qualifications, Backgrounds, and Reputations of Company Principals:
a. Ensure the third party periodically conducts thorough background checks on its senior management. SIG 2014: Not addressed in SIG 2014. [1]
b. Ensure the third party periodically conducts thorough background checks on its employees. SIG 2014: Tab E: Human Resources Security (E.2 Background Checks Prior to Employment). [2]
c. Ensure the third party periodically conducts thorough background checks on its subcontractors. SIG 2014: Not addressed in SIG 2014. [3]
d. Ensure that third parties have policies and procedures in place for removing employees who do not meet minimum background check requirements. SIG 2014: Tab E: Human Resources Security (E.7 Constituent Termination Process).
[1] SIG 2015 also addresses background checks of senior management.
[2] SIG 2015 will also include periodic background checks during employment tenure.
[3] SIG 2015 will include periodic background checks of subcontractors.

VII. Risk Management: Evaluate the effectiveness of the third party's risk management program, including policies, processes, and internal controls.
a. Performs internal audit function independently. SIG 2014: Tab L: Compliance (L.11).
b. Third party effectively tests and reports on internal controls. SIG 2014: Tab L: Compliance (L.3; L.4; L.7-L.13).
c. Process for escalating, remediating, and holding management accountable for concerns identified during audits or independent tests.
d. Review any certification or assessments by independent third parties for compliance with risk control standards. SIG 2014: Tab L: Compliance (L.7; L.8; L.11; L.13).
e. Certification by independent third parties for compliance with domestic or international internal control standards (e.g., the National Institute of Standards and Technology and the International Standards Organization). SIG 2014: Not addressed in SIG 2014. [4]
[4] SIG 2015 will include certifications by independent third parties in the Business Information and Documentation tabs.

Note: The new version of the Shared Assessments Program Tools, including SIG 2015, will be released January 2015.

VIII. Information Security: Assess the third party's information security program.
A. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. SIG 2014: Tab B: Security Policy (B.1); Tab I: Development & Maintenance (I.1, I.2, I.3, I.4, I.5).
B. When technology is necessary to support service delivery, assess the third party's infrastructure and application security programs. SIG 2014: Tab B: Security Policy (B.1); Tab I: Development & Maintenance.
C. When technology is necessary to support service delivery, assess the third party's software development lifecycle. SIG 2014: Tab I: Development & Maintenance (I.2.7).
D. When technology is necessary to support service delivery, assess the third party's results of vulnerability and penetration tests. SIG 2014: Tab G: Communications and Operations Management (G.10); Tab I: Development & Maintenance (I.3.2).
E. Evaluate the third party's ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing. SIG 2014: Tab I: Development & Maintenance (I.5).

IX. Management of Information Systems: Gain a clear understanding of the third party's business processes and technology that will be used to support the activity.
a. Review the third party's processes for maintaining accurate inventories of its technology and its subcontractors.
b. Assess the change management process to ensure that clear roles, responsibilities, and segregation are in place.
c. Understand the third party's performance metrics for its information systems and ensure they meet the bank's expectations.
SIG 2014: Tab D: Asset Management; Tab C: Organizational Security (C.2.6.34); Tab G: Communications and Operations Management (G.2).

X. Resilience: Assess the third party's ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks.
a. Determine whether the third party maintains disaster recovery and business continuity plans that specify the timeframe to resume activities and recover data.
b. Review the third party's telecommunications redundancy and resilience plans.
c. Ensure the third party's redundancy and resilience plans include preparations for known and emerging threats and vulnerabilities (wide-scale natural disasters, distributed denial of service attacks, or other intentional or unintentional events).
d. Review results of business continuity testing and performance during actual disruptions.
SIG 2014: K.3.2, K.3.3; K.1.2.11; K.1.2.1.

XI. Incident Reporting and Management Programs: Review the third party's incident reporting and management programs to ensure there are clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents. SIG 2014: Tab J: Incident Event and Communications Management; Tab B: Security Policy (B.1.29).

XII. Physical Security: Evaluate whether the third party has sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees. SIG 2014: Tab F: Physical and Environmental Security.

XIII. Human Resources Management:
a. Review the third party's program to train and hold employees accountable for compliance with policies and procedures.
b. Review the third party's succession and redundancy planning for key management and support personnel.
SIG 2014: Tab E: Human Resources Security (E.3-E.6).

XIV. Reliance on Subcontractors:
a. Evaluate the volume and types of subcontracted activities. SIG 2014: Tab C: Organizational Security (C.2).
b. Evaluate the subcontractor geographic locations.
c. Quality control: assessment, monitoring, and mitigation of risk from use of subcontractors. SIG 2014: Tab C: Organizational Security (C.2).

XV. Insurance Coverage (for each item, the amounts of such coverage should be commensurate with the level of risk involved with the third party's operations and the type of activities to be provided):
a. Verify that the third party has fidelity bond coverage attributable to dishonest acts.
b. Verify that the third party has liability coverage for losses attributable to negligent acts.
c. Verify that the third party has hazard insurance covering fire, loss of data, and protection of documents. SIG 2014: Tab D: Asset Management (D.3 refers broadly to coverage for business interruption or general services interruption, and to products and services).
d. Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. SIG 2014: Tab D: Asset Management (D.3 refers broadly to coverage for business interruption or general services interruption, and to products and services).

XVI. Conflicting Contractual Arrangements with Other Parties:
a. Obtain information regarding legally binding arrangements with subcontractors or other parties in cases where the third party has indemnified itself, as such arrangements may transfer risks to the bank. SIG 2014: Tab C: Organizational Security (C.2.6.23).
b. Evaluate the potential legal and financial implications to the bank of these contracts between the third party and its subcontractors or other parties. SIG 2014: Tab C: Organizational Security (C.2.6.23).