Outsourcing Technology Services Objectives Vendor Management - PowerPoint PPT Presentation

Vendor Management Outsourcing Technology Services Objectives Vendor Management Outsourcing Technology Services Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection


  1. Vendor Management Outsourcing Technology Services

  2. Objectives (Vendor Management – Outsourcing Technology Services)
     - Board and Senior Management Responsibilities
     - Risk Management Program
       • Risk Assessment
       • Service Provider Selection
       • Contracts
       • Ongoing Monitoring
     - Business Continuity Planning and Testing
     - Other Available Resources
     FEDERAL DEPOSIT INSURANCE CORPORATION

  3. Board and Senior Management Responsibilities
     The Board can outsource a service, but cannot outsource the responsibility.
     - Develop and implement risk-based policies and procedures to govern the outsourcing process
     [Diagram labels: RISK; Identify, Measure, Mitigate, Monitor, Report]

  4. Board and Senior Management Responsibilities: Board Responsibilities
     - Develop and approve policies that establish an effective vendor management program framework
     - Select a service provider that best meets the needs of the bank
     - Negotiate a contract that protects the interests of the bank
     - Oversee management's implementation of the program through regular board reporting

  5. Board and Senior Management Responsibilities: Board Reports
     - Audits
     - Business Continuity Plans and Testing
     - Service Level Agreements
     - Information Security
     - Financial Statements
     - Higher-risk Service Providers
     - Regulatory IT Examination Reports

  6. Board and Senior Management Responsibilities: Management Responsibilities
     - Evaluate prospective providers based on the type of services outsourced and how critical the function is to the bank
     - Ensure each outsourced relationship supports business requirements and strategic plans, and is appropriate for the size and complexity of the bank
     - Confirm the bank has sufficient expertise to oversee and manage the relationship
     - Implement ongoing monitoring programs that prioritize activities based on the degree of risk and criticality of the services

  7. Risk Management Overview
     - Inform senior management and the board of the risks associated with outsourcing
     - Ensure that outsourcing arrangements are prudent and consistent with business objectives
     - Implement effective controls to address identified risks
     - Perform ongoing risk monitoring to identify and evaluate changes in risk from the initial assessment
     - Document procedures, roles, responsibilities, and reporting mechanisms

  8. Risk Management Overview
     [Diagram: Vendor Management cycle: Risk Assessment, Selection, Contracts, Monitoring]

  14. Risk Assessment: Risks
     - Strategic: Planning, implementation, scalability
     - Compliance: Legal and regulatory requirements
     - Reputational: Errors, delays, omissions, fraud, breaches
     - Interest Rate: Errors, inaccurate assumptions
     - Liquidity: Service disruptions, settlement delays
     - Cyber: Disruption, malware

  15. Risk Assessment: Quantifying Risks
     - Outsourced Function
       • Criticality
       • Data sensitivity
       • Transaction volume
     - Service Provider
       • Financial strength
       • Industry experience
       • Location
     - Technology
       • Reliability
       • Security
       • Scalability

  16. Vendor Selection
     [Diagram: Vendor Management cycle: Risk Assessment, Selection, Contracts, Monitoring]

  17. Vendor Selection: Due Diligence: Key Considerations
     - Corporate history, qualifications, references
     - Financial condition
     - Service delivery capability
     - Technology and system architecture
     - Internal control environment, security history, audit coverage
     - Reliance on and success in managing subcontractors
     - Legal and regulatory compliance
     - Insurance coverage
     - Site visits
     - Disaster recovery/business continuity

  18. Contracts
     [Diagram: Vendor Management cycle: Risk Assessment, Selection, Contracts, Monitoring]

  19. Contracts: Common Provisions
     - Scope of Service
       • Rights and Responsibilities
       • Description of Activities
       • Timeframes for Implementation
       • Assignment of Responsibilities
     - Security and Confidentiality
       • Responsibility and Controls
       • Incident Response and Notification Requirements
       • Appendix B to Part 364 (GLBA)

  20. Contracts: Common Provisions (Internal Controls; Audit)
     • Records Maintenance
     • Types of Audits
     • System Monitoring
     • Financial
     • Notification Requirements
     • General Controls
     • Cybersecurity
     • Network Security Assessments
     • Electronic Funds Transfer
     • Disaster Recovery Tests
     • Frequency
     • Right to Receive
     • Right to Audit

  21. Contracts: Common Provisions
     - Business Resumption/Contingency Plans
       • Backup and Records Protections
       • Equipment
       • Programs and Data Files
       • Maintenance and Testing
       • Frequency
       • Availability of Test Results
       • Bank Participation
     - Reports
       • Frequency and Types
       • Performance
       • Financials
       • Compliance with regulatory guidance

  22. Contracts: Common Provisions
     - Regulatory Compliance; Sub-contracting
       • Awareness
       • Adherence to Regulatory Guidance
       • Risk Management
       • Assessment
       • Responsibility
       • Consumer Compliance
     - Performance Standards
       • Measurable
       • Minimum Service Level Requirements
       • Remedies
       • Service Level Agreements (SLAs)

  23. Contracts: Bank Service Company Act Notification
     - Banks should notify their primary Federal regulator of the outsourcing relationship within:
       • 30 days of entering into the contract, or
       • performance of the services
       whichever occurs first

  24. Contracts: SLAs
     - Confidentiality of Data: GLBA compliance, notifications, responsiveness
     - Integrity and Availability: Error rates, up time, processing timeliness
     - System Changes: Programming changes, system updates
     - Security Standards: Compliance, independent testing
     - Business Continuity: Backup, retention, protection, restoration, recovery
     - Help Desk Support: Responsiveness, availability, qualifications

  25. Monitoring
     [Diagram: Vendor Management cycle: Risk Assessment, Selection, Contracts, Monitoring]

  26. Monitoring
     - Periodically reevaluate active service providers
     - Tailor ongoing monitoring using a risk-based approach considering:
       • Criticality of the services
       • Sensitivity of data
       • Degree of perceived risk
     - Implement more frequent and stringent ongoing monitoring for higher-risk service providers
     - Report results to the board

  27. Monitoring
     - Audit reports
       • Performed by qualified and independent personnel
       • Type, scope, and frequency consistent with:
         o Size and complexity
         o Products and services
         o Level of risk
       • Review corrective actions

  28. Monitoring
     - Financial Condition
       • Continuity of operations
       • Support for the contracted services
       • Investment in security controls
       • Product updates
