Vendor Management. Outsourcing Technology Services

Similar documents
VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

Information Technology

Risk Management of Outsourced Technology Services. November 28, 2000

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Outsourcing Technology Services A Management Decision

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

Outsourcing Technology Services OT

White Paper on Financial Institution Vendor Management

Vendor Management Compliance Top 10 Things Regulators Expect

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b

Any business relationship between a bank and another entity, by contract or otherwise

Vendor Management Compliance Top 10 Things Regulators Expect

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

GUIDANCE FOR MANAGING THIRD-PARTY RISK

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

OCC 98-3 OCC BULLETIN

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship

Instructions for Completing the Information Technology Officer s Questionnaire

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program

Sound Practices for the Management of Operational Risk

Guideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

Data Privacy, Security, and Risk Management in the Cloud

WHITE PAPER Third-Party Risk Management Lifecycle Guide

Cloud Computing: Legal Risks and Best Practices

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Third Party Relationships

VENDOR MANAGEMENT. General Overview

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Cybersecurity Awareness. Part 2

Managing Outsourcing Arrangements

Business Unit CONTINGENCY PLAN

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

OUTSOURCING POLICY

VENDORINSIGHTU P D A T E

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Technology Outsourcing. Effective Practices for Selecting a Service Provider

Statement of Guidance: Outsourcing All Regulated Entities

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

Goldman Sachs Residential Mortgage Servicing Vendor Management Policy Addendum U.S.-Based Program

Managing General Agents (MGAs) Guideline

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Cybersecurity: What CFO s Need to Know

Operational Risk Management Policy

Vendor Management Best Practices

Board of Directors and Senior Management 2. Audit Management 4. Internal IT Audit Staff 5. Operating Management 5. External Auditors 5.

SUPERVISION GUIDELINE

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background

Vendor Management Panel Discussion. Managing 3 rd Party Risk

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

Vendor Compliance Management Series: Performing an Effective Risk Assessment

THE EVOLUTION OF CYBERSECURITY

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Disaster Recovery Plan Documentation for Agencies Instructions

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Identifying and Managing Third Party Data Security Risk

Technology Recovery Plan Instructions

March 2007 Report No FDIC s Contract Planning and Management for Business Continuity AUDIT REPORT

Documentation. Disclaimer

Growing Vendor Management

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Data Privacy & Security: Essential Questions Every Business Must Ask

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Continuity of operations for critical infrastructure. Disclosure of critical information to the government.

Cybersecurity Issues for Community Banks

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

RISK MANAGEMENT AND COMPLIANCE

Board Responsibility. A bank can outsource a task, but it cannot outsource the responsibility.

Pandemic Planning. Presented by: Ron Wagner, IT Examiner with FDIC & Dana Lavey, Supervision Analyst with NCUA

CISM Certified Information Security Manager

National Check Payments Certification. Fraud, Risk, and Risk Mitigation Part II. Copyright 2015 by the Electronic Check Clearing House Organization

RESERVE BANK OF VANUATU OPERATIONAL RISK MANAGEMENT

The University of Iowa. Enterprise Information Technology Disaster Plan. Version 3.1

Statement of Guidance

Information Technology. A Current Perspective on Risk Management

LOCAL GOVERNMENT MANAGEMENT ASSESSMENT OVERVIEW AND QUESTIONNAIRE

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose

Transcription:

Vendor Management Outsourcing Technology Services

Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring Business Continuity Planning and Testing Other Available Resources

Board and Senior Management Responsibilities The Board can outsource a service, but cannot outsource the responsibility. Identify Develop and implement riskbased policies and procedures to govern the outsourcing process Report RISK Measure Monitor Mitigate

Board and Senior Management Responsibilities Board Responsibilities Develop and approve policies that establish an effective vendor management program framework Select a service provider that best meets the needs of the bank Negotiate a contract that protects the interests of the bank Oversee management s implementation of the program through regular board reporting

Board and Senior Management Responsibilities Board Reports Audits Business Continuity Plans and Testing Service Level Agreements Information Security Financial Statements Higher-risk Service Providers Regulatory IT Examination Reports

Board and Senior Management Responsibilities Management Responsibilities Evaluate prospective providers based on the type of services outsourced and how critical the function is to the bank Ensure each outsourced relationship supports business requirements and strategic plans, and is appropriate for the size and complexity of the bank Confirm the bank has sufficient expertise to oversee and manage the relationship Implement ongoing monitoring programs that prioritize activities based on the degree of risk and criticality of the services

Risk Management Overview Inform senior management and the board of the risks associated with outsourcing Ensure that outsourcing arrangements are prudent and consistent with business objectives Implement effective controls to address identified risks Perform ongoing risk monitoring to identify and evaluate changes in risk from the initial assessment Document procedures, roles, responsibilities, and reporting mechanisms

Risk Management Overview Monitoring Risk Assessment Vendor Management Contracts Selection

Risk Management Overview Monitoring Risk Assessment Vendor Management Contracts Selection

Risk Management Overview Monitoring Risk Assessment Vendor Management Contracts Selection

Risk Management Overview Monitoring Risk Assessment Vendor Management Contracts Selection

Risk Management Overview Monitoring Risk Assessment Vendor Management Contracts Selection

Risk Management Overview Monitoring Risk Assessment Vendor Management Contracts Selection

Risk Assessment Risks Strategic Compliance Reputational Interest Rate Liquidity Cyber Planning, implementation, scalability Legal and regulatory requirements Errors, delays, omissions, fraud, breaches Errors, inaccurate assumptions Service disruptions, settlement delays Disruption, malware

Risk Assessment Outsourced Function Criticality Data sensitivity Transaction volume Quantifying Risks Service Provider Financial strength Industry experience Location Technology Reliability Security Scalability

Vendor Selection Monitoring Risk Assessment Vendor Management Contracts Selection

Vendor Selection Corporate history, qualifications, references Financial condition Due Diligence: Key Considerations Service delivery capability Technology and system architecture Internal control environment, security history, audit coverage Reliance on and success in managing subcontractors Legal and regulatory compliance Insurance coverage Site visits Disaster recovery/business continuity

Contracts Monitoring Risk Assessment Vendor Management Contracts Selection

Contracts Scope of Service Rights and Responsibilities Description of Activities Timeframes for Implementation Assignment of Responsibilities Common Provisions Security and Confidentiality Responsibility and Controls Incident Response and Notification Requirements Appendix B to Part 364 (GLBA)

Contracts Internal Controls Records Maintenance System Monitoring Notification Requirements Cybersecurity Common Provisions Audit Types of Audits Financial General Controls Network Security Assessments Electronic Funds Transfer Disaster Recovery Tests Frequency Right to Receive Right to Audit

Contracts Reports Frequency and Types Performance Financials Compliance with regulatory guidance Common Provisions Business Resumption/ Contingency Plans Backup and Records Protections Equipment Programs and Data Files Maintenance and Testing Frequency Availability of Test Results Bank Participation

Contracts Sub-contracting Awareness Assessment Responsibility Common Provisions Performance Standards Regulatory Compliance Measurable Minimum Service Level Requirements Remedies Service Level Agreements (SLAs) Adherence to Regulatory Guidance Risk Management Consumer Compliance

Contracts Bank Service Company Act Notification Banks should notify their primary Federal regulator of the outsourcing relationship within: 30 days of entering into the contract, or performance of the services..whichever occurs first

Contracts SLAs Confidentiality of Data GLBA compliance, notifications, responsiveness Integrity and Availability Error rates, up time, processing timeliness System Changes Security Standards Business Continuity Help Desk Support Programming changes, system updates Compliance, independent testing Backup, retention, protection, restoration, recovery Responsiveness, availability, qualifications

Monitoring Monitoring Risk Assessment Vendor Management Contracts Selection

Monitoring Periodically reevaluate active service providers Tailor ongoing monitoring using a risk-based approach considering: Criticality of the services Sensitivity of data Degree of perceived risk Implement more frequent and stringent ongoing monitoring for higher-risk service providers Report results to the board

Monitoring Audit reports Performed by qualified and independent personnel Type, scope, and frequency consistent with: o o o Size and complexity Products and services Level of risk Review corrective actions

Monitoring Financial Condition Continuity of operations Support for the contracted services Investment in security controls Product updates

Monitoring Compliance with Service Level Agreements Performance standards Information security standards (GLBA) Incident response programs Business Continuity Plans

Monitoring Available only to client banks under contract Request from FDIC Regional Office Case Manager National and State-member banks may request from the bank s primary Federal regulator

Business Continuity Planning Monitoring Contracts Vendor Management Risk Assessment Selection Business Continuity Planning

Business Continuity Planning Review service provider plans Mission critical service restoration o Timeframes and recovery time objectives o Staffing, capacity, telecommunications, hardware, software, and facilities availability o Wide-scale disruptions Contingency plan testing and testing scenarios o Connectivity, functionality, volume, and capacity of alternate facilities o Annual or more frequent Interdependencies o Internal and external dependencies o Test where feasible

Outsourcing to Foreign Service Providers Arrangements should be subject to the same due diligence and assessment processes as domestic outsourcing relationships Identify Risks become unique Report RISK Measure Monitor Mitigate

Summary: Review Monitoring Risk Assessment Vendor Management Contracts Selection

Summary: Review Monitoring Risk Assessment Vendor Management Contracts Selection

Summary: Review Monitoring Risk Assessment Vendor Management Contracts Selection

Summary: Review Monitoring Risk Assessment Vendor Management Contracts Selection

Resources FFIEC IT Examination Handbook (www.ffiec.gov)

Resources FDIC Financial Institution Letters (FILs) FIL-13-2014: Informational Tools for Community Bankers FIL-44-2008: Guidance for Managing Third-Party Risk FIL-52-2006: Guidance on Foreign-Based Third-Party Service Providers FIL-121-2004: Computer Software Due Diligence FIL-23-2002: Country Risk FIL-81-2000: Risk Management of Technology Outsourcing FIL-49-99: Bank Service Company Act Website: www.fdic.gov

Resources Directors Resource Center www.fdic.gov/regulations/resources/director/ Technical Assistance Video Program Information Technology (IT) Corporate Governance Third-Party Risk Cybersecurity Awareness Cyber Challenge: A Community Bank Cyber Exercise Questions supervision@fdic.gov

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information