Vendor Management Presentation - Bcac

advertisement
Vendor Management
Presented by Kristina Buckley of
Buckley Technology Group
Understanding New Vendor Management Risks
and Key Areas for Improvement
1
Vendor Management Program
2
Risk Assessment & Due Diligence
3
Monitoring and Annual Reporting
4
SSAE16’s
5
Contracts
Vendor Management
•
The risks of Vendor Management and Outsourcing are numerous and complicated
•
A large number of critical processes are outsourced that contain customer and
employee non-public information, along with the financial institution’s intellectual
property in many cases
•
Upon outsourcing you have countless risks; reputation and brand risks, security
breaches and regulatory compliance concerns.
•
All of above; costs the financial institution money from legal liability, business
interruption and compliance fees to name a few!
Vendor Management
•
Also have the issue of vendor relationships are scattered throughout the business
units at the bank
•
Legal risks associated to lack of visibility into the vendor practices even if you get
everything you would like into the contract
•
Information security issues at most banks lack the resources to monitor large number
of potential security risks associated in-house, at the vendor, and at their vendors!
Vendor Management
How to Improve?
Vendor Management
•
Common knowledge are the requirements of a program including Service Providers,
Third Parties and Subcontractors
– Risk Assessment
– Due Diligence/Documentation
– Contracts
– Monitoring
Vendor Management
•
Let’s discuss some of the pitfalls or dilemmas we run into within each category
– Risk Assessment
– Due Diligence/Documentation
– Contracts
– Monitoring
Risk Assessment
•
A preliminary review should be performed upon every vendor. The philosophy “they
have been a long term vendor they warrant no review” is flawed.
•
A list of all vendors should be maintained and reviewed annually. Without a
preliminary and annual you may miss:
•
If the long term vendor has NPI you have no way of knowing how that data is being retained,
secured or disposed of without performing a risk assessment.
•
Without the risk assessment you may miss the fact your contract with this long term vendor is
obsolete for GLBA, cybercrime and other compliance requirements.
•
You may miss identifying the vendor’s technology is outdated and vulnerable to the weekly
attacks we all see.
Risk Assessment
•
We all agree the risk assessment needs to be tempered for the relationship.
•
We typically recommend an initial review of each vendor looking at five categories.
•
•
•
•
•
•
NPI
Financial
Operational/Impact
Reputation
Compliance
Build your risk assessment based on your findings above.
Risk Assessment
•
A risk assessment should also be performed for any prospective vendor or changed
relationship.
•
Business change (merger and acquisitions)
•
Product change
•
Controls are changed
•
Regulations are changed (even if your contract states they will remain in
compliance)
Risk Assessment
•
•
The Business Owner (Contract) is responsible for the Vendor and the Risk
Assessment process.
•
If there are multiple relationships/contracts, all employees should be involved
because the risks may vary by service.
•
Assign one employee as the primary. They are responsible to pull the team
together.
The vendor management of a vendor should not be delegated to an employee
unfamiliar with the vendor and the related processes.
Risk Assessment
•
Define and document up front the responsibilities of:
•
•
•
•
•
•
•
•
Business Owner
Legal
Vendor Management facilitator
Information Security
IT
Audit
Risk Management
Compliance
Risk Assessment
•
Require these employees to sign off on the risk assessment. If they are required to
sign you will see a great deal more time and concern from them!
•
A big complaint is the time this process takes due to the number of vendors and the
involvement of so many departments. Look at the time and costs your financial
institution undergoes when something happens! It is worth the time.
•
•
•
Security Breach and customer reputation risk, notification, insurance and legal
liability
Poor product implementation and impact upon IT infrastructure, security and
compliance re-working!
Centralize the contracts and identify the business processes for DD and BCP.
Risk Assessment
NPI
•
When reviewing NPI during the risk assessment make sure to identify the level and
volume of NPI but also who is providing the NPI to the vendor.
•
•
•
Financial Institution?
Consumer?
What is the consumer’s perception of the relationship? Do they realize they are
providing information to a third party or feel it may be a division of the bank?
•
•
NPI and Reputation risk
Call Centers & Mortgage & Investment Services
Risk Assessment
Reputation
•
Recent example of ATM branding vendor.
•
The machine does not notify the customer that the machine is not owned or operated
by the financial institution. So, what is the customer to think?
•
The bank does not have any control over who has access for cash replenishment or
maintenance to the machines.
•
Typically, the security controls at the stores in which the machines reside is very
limited.
Risk Assessment
Reputation
•
Will the customer blame the store or the financial institution in the situation of a
security breach?
•
Will the bank’s insurance cover a security breach?
•
A review of the vendor contract identified some concerns for the financial institution.
•
SLA regarding maintenance and uptime was not tied to a measurement period
and no penalties or credits were identified if SLA’s were missed.
•
Indemnification provision was too narrow and did not include verbiage for if any
claim was made against FI as a result of Vendor’s performance under
agreement. Also did not include a provision regarding cybercrime, loss of data.
Risk Assessment
NPI
•
Confidentiality provision was too narrow and did not address GLBA/NPI
compliance although BIN numbers are provided.
•
Confidentiality provision did not address the retention, destruction and/or return
of confidential information upon the termination of the agreement.
•
Contract was missing a provision giving the ability to audit the vendor/ or have
access to vendor’s audit reports. (subcontractors) Also the ability to audit the
site of the ATM machines.
Risk Assessment
Government
Fannie Mae and Freddie Mac
•
FHFA’s annual examination program assesses Fannie Mae's and Freddie
Mac's financial safety and soundness and overall risk management practices.
– Fannie Mae's and Freddie Mac's financial condition, earnings, liquidity, and
efforts taken to mitigate losses in its single-family and multifamily portfolios.
– Assess their response to continued stress in the mortgage markets and its effect
on their risk profile, performance, and condition.
Risk Assessment
Government
•
Reporting Framework
•
Use a specific framework to summarize examination results and conclusions
to Fannie Mae's and Freddie Mac's board of directors and Congress is known as
GSEER, which stands for Governance, Solvency, Earnings, and Enterprise Risk
(enterprise risk comprises credit, market, and operational risk management).
•
http://www.fhfa.gov/SupervisionRegulation/FannieMaeandFreddieMac.
Risk Assessment
Other Risk Questions to think of:
•
Does the financial institution need additional insurance coverage for the services?
•
Has a cost benefit analysis been performed?
•
Any lawsuits or legal proceedings involving the vendor, third parties or
subcontractors?
•
Has the financial institution performed a reference review? (refer to sample risk
assessment form)
Risk Assessment
Other remaining Risk Categories:
•
•
•
•
•
Transactional
Credit
Interest Rate
Liquidity
Out of Country
Due Diligence &
Documentation
If you have collected it, you are responsible to review it.
•
Business Continuity/Disaster Recovery Plan –
– Is it current and applicable to the bank’s service?
•
Most Recent BC/DR Test Results –
– Testing at least annual, applicable to the bank’s service and are the banks
involved in testing? Is there any involvement from an independent third party?
Due Diligence &
Documentation
•
Internal Audits Reports for GLBA, BSA, Red Flag Compliance
•
Most Recent Audited Financials
•
SSAE 16 Reports
•
Information Security Policies and Procedures
– Current and includes all areas of security documented in a SSAE16
Due Diligence &
Documentation
•
Current GL and E&O Insurance Certificates
– Cybercrime if applicable
•
Most Recent Penetration/Vulnerability Test Results
– Performed at a minimum of annually (depends on the service).
•
PCI DSS Compliance Certification
•
Privacy Policies and Procedures
– Current and in compliance with Bank’s requirements
Due Diligence &
Documentation
Recommendations for Documentation based on Risks:
•
NPI = High
– SSAE16 or like Security Policy
– Privacy Policy
– PEN Test
If not in contract:
– Red Flag, GLBA, BSA, PCI
– Security breach notification and Incident response
– NPI disposal, retention, return
– Confidentiality
– Insurance
Due Diligence &
Documentation
•
Recommendations for Documentation based on Risks:
•
Financial = High
- Audited Financials
•
Operational/Impact = High
•
- BCP/DR
SSAE16 Reports
•
Reports should be used to evaluate the vendors internal controls.
•
Report should be within two year period
•
Report should include relevant products
•
Exceptions and Management Responses and User Control Considerations should be
reviewed, noted and documented.
•
Exceptions should be audited to ensure vendor is correcting vulnerabilities and
maintaining security controls.
SSAE16
SOC1
•
SOC 1SM Report – Report on Controls at a Service Organization Relevant to
User Entities’ Internal Control over Financial Reporting (SSAE 16)
•
These reports, prepared in accordance with Statement on Standards for Attestation
Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are
specifically intended to meet the needs of the of entities that use service
organizations (user entities) and the CPAs that audit the user entities’ financial
statements (user’ auditors), in evaluating the effect of the controls at the service
organization on the user entities’ financial statements.
•
User auditors use these reports to plan and perform audits of the user entities’
financial statements. There are two types of reports for these engagements:
SSAE16
SOC1
•
SOC 1 Report – Report on Controls at a Service Organization Relevant to User
Entities’ Internal Control over Financial Reporting (SSAE 16)
•
Type 2 - report on the fairness of the presentation of management’s description of
the service organization’s system and the suitability of the design and operating
effectiveness of the controls to achieve the related control objectives included in the
description throughout a specified period.
•
Type 1 – report on the fairness of the presentation of management’s description of
the service organization’s system and the suitability of the design of the controls to
achieve the related control objectives included in the description as of a specified
date.
Use of these reports is restricted to the management of the service organization, user
entities, and user auditors.
•
SSAE16
SOC2
Report on Controls at a Service Organization Relevant to Security, Availability, Processing
Integrity, Confidentiality or Privacy
•
These reports are intended to meet the needs of a broad range of users that need to understand
internal control at a service organization as it relates to security, availability, processing integrity,
confidentiality and privacy.
•
These reports are performed using the AICPA Guide: Reporting on Controls at a Service
Organizations Relevant to Security, Availability, Processing Integrity, Confidentiality, or
Privacy and are intended for use by stakeholders (e.g., customers, regulators, business partners,
suppliers, directors) of the service organization that have a thorough understanding of the service
organization and its internal controls.
SSAE16
SOC2
•
Report on Controls at a Service Organization Relevant to Security, Availability, Processing
Integrity, Confidentiality or Privacy
•
•
•
•
•
These reports can form an important part of stakeholders:
Oversight of the organization
Vendor management program
Internal corporate governance and risk management processes
Regulatory oversight
•
Similar to SOC 1sm engagement there are two types of report : Type 2, report on management’s
description of a service organization’s system and the suitability of the design and operating
effectiveness of controls; and Type 1, report on management’s description of a service
organization’s system and the suitability of the design of controls. These reports may be restricted
in use.
SSAE16
SOC3
SOC 3SM Report— Trust Services Report for Service Organizations
•
These reports are designed to meet the needs of users who need assurance
about the controls at a service organization that affect the security, availability, and
processing integrity of the systems used by a service organization to process users’
information ,and the confidentiality, or privacy of that information, but do not have the
need for or the knowledge necessary to make effective use of a SOC 2 Report.
•
These reports are prepared using the AICPA/Canadian Institute of Chartered
Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security,
Availability, Processing Integrity, Confidentiality, and Privacy. Because they are
general use reports, SOC 3 reports can be freely distributed or posted on a website
as a SysTrust for Service Organizations seal.
SSAE16
SOC1
SOC 3SM Report— Trust Services Report for Service Organizations
•
For more information about the SysTrust for Service Organization seal program go to
www.webtrust.org.
•
Unlike a SOC 1 report, which is only an auditor-to-auditor communication, SOC 2
Reports are generally restricted use report (at the discretion of the auditor using the
guidance in the standard) and SOC 3 Report (in all cases) will enable the service
organization to share a general use report that would be relevant to current and
prospective customers or as a marketing tool to demonstrate that they have
appropriate controls in place to mitigate risks related to security, privacy, etc.
** American Institute of CPA’s www. Aicpa.org
SSAE16 Determination
When determining which SOC to require for a vendor consider the following areas:
•
What level of Operational/Impact, NPI and Reputation Risk has been assessed?
•
What is the availability of the service? Is it in-house, private server, data center, public
cloud?
•
Are there any restrictions for the service? Time of usage, employee and vendor
access, etc.
SSAE16 Determination
•
What are the known security controls? Are they adequate in comparison to the NPI
and Reputation Risk rating?
•
What are the potential confidentiality issues that could arise? Security breach, loss of
data by vendor or employee, disgruntled employee, etc.
•
What is the customer usage level for the service?
•
What are the legal ramifications of loss or data or service interruption?
Red Flags
•
Be cautious if you run into any of the following during Risk Assessment or
Documentation review:
•
Incomplete answers to your questions.
•
Confidential, we can’t share?
•
We have to run it by legal and get back to you.
•
IS Policies are not based on any accepted security standard (ISO27001).
Red Flags
•
Be cautious if you run into any of the following during Risk Assessment or
Documentation review:
•
No formal security awareness training program noted for employees and
subcontractors.
•
Old documentation such as Privacy policy.
•
Difficulty providing the overall material.
Monitoring
•
Review all due diligence documentation. Question if reports are not being
updated at a minimum of every two years
•
Review of Penetration Test results (more during IT session
•
Monitor vendors with NPI risk for any changes in volume, data changes
–
–
–
–
Encryption
New technology for sending files
Remote access
Employee terminations
Annual Reporting
Five Components
Annual report of High risk vendors should include:
•
Vendor Overview
•
Vendor Risk Level Assessment
•
Operational Review
•
Legal/Regulatory Review
•
Conclusion
Annual Reporting
1. Vendor Overview
•
Service provided
•
Location of vendor corporation
•
If it is publicly traded or not
•
Experience in the financial industry
•
Number of other financial institutions using vendor
•
General reputation of the Vendor
Annual Reporting
2. Vendor Risk Level
Assessment should answer:
Strategic Risk and Reputation Risk
•
Vendor’s product/services have what kind of direct impact on Strategic and
Reputation risk?
•
Vendor’s products/services impact the financial institution how in these areas?
Annual Reporting
2. Vendor Risk Level
Assessment should answer:
Operational Risk
•
Vendor’s product/services have what kind of direct impact on Operational risk?
•
OR
•
Vendor’s products/services do not directly impact the financial institution’s operations.
Annual Reporting
2. Vendor Risk Level
Assessment should answer:
Transaction Risk
•
Vendor’s product/services have what kind of direct impact on Transaction risk?
•
OR
•
Vendor’s products/services do not interact with transaction processing.
Annual Reporting
2. Vendor Risk Level
Assessment should answer:
Credit Risk
•
Vendor’s product/services have what kind of direct impact on Credit and Interest rate
risk?
•
OR
•
Vendor’s products/services do not interact with our lending area.
Annual Reporting
2. Vendor Risk Level
Assessment should answer:
Compliance Risk
•
Vendor’s product/services have what kind of direct impact on Compliance risk?
Annual Reporting
2. Vendor Risk Level
Assessment should answer:
Liquidity Risk
•
Vendor’s product/services have what kind of direct impact on Liquidity risk?
OR
•
Vendor’s products/services do not impact our ability to fund obligations as they come
due.
Identify other Risk Categories as applicable!
Annual Reporting
3. Operational Review
•
Identify Vendor’s Financial strength noting:
– Balance sheet
– Debt
– Income
And any other pertinent discussion
Annual Reporting
4. Operational Review
•
A review of the Information Security controls indicated that
•
Information Security Audits
– Vendor’s accounting firm provided a ___________ report
– Report indicated that the internal controls were effective or ineffective.
– Vendor provided a summary of its Information Security and Privacy Policies and
procedures and they appear to be:
• Current
• Adequate
Annual Reporting
4. Operational Review
•
Privacy policy included:
– Proper employee background checks are or are not conducted
– Confidentiality provisions are / are not executed by employees, contractors and
or subcontractors.
– Appropriate for the level of NPI being shared with the vendor and the financial
institution’s compliance requirements.
Annual Reporting
3. Operational Review
•
Privacy policy included:
– Proper employee background checks are or are not conducted
– Confidentiality provisions are / are not executed by employees, contractors and
or subcontractors.
– Appropriate for the level of NPI being shared with the vendor and the financial
institution’s compliance requirements.
Annual Reporting
3. Operational Review
•
Business Continuity and Disaster Recovery Plan:
– Vendor provided a summary of it’s DR plan including the last test date and test
results. According to the summary the plan provides for:
•
•
•
•
•
•
•
Action Plan
Back—up Facilities
Customer Response Center
Event Monitoring
Disaster Recovery Teams
IT Recovery Plan
Pandemic Plan
Annual Reporting
3. Operational Review
•
Identify the Vendor Service Quality for the year.
•
Review and note any discussion required for the contract.
Annual Reporting
4. Legal/Regulatory
•
Identify if the vendor has any litigation matters
•
Were any material lawsuits in their annual report
•
Identify if vendor is or is not subject to any significant regulatory actions.
– If so, a copy of the most recent report of examination was reviewed and results
were….
Step 5 - Conclusion
Contract Review
•
Legal counsel reviewed especially if NPI, compliance or Operational risk has been
identified.
•
Ownership of data upon contract termination
•
NPI retention statement
•
NPI disposal statement
•
Security breach notification (within 24 hours) if NPI has potentially been
compromised.
Contract Review
•
Warranty/statement of operating order/compliance for GLBA and other existing and
new related state and federal regulations.
•
Service levels for maintenance and uptimes need to be tied to a measurement period
and there should be corresponding penalties/credits if SLA’s missed.
•
Audit reports and frequency to be provided documented
•
Contract includes legal jurisdiction as state of financial institution
Contract Review
•
A provision giving the financial institution the ability to audit vendor or have access to
the vendor audit reports and on-site premises.
•
Cybercrime indemnification clause
•
Confidentiality provision should address GLBA/NPI compliance
•
Responsibilities of all parties including subcontractors
Contract Review
Ownership and Licensing:
•
Use of Institution’s Data
– Data mining
– Marketing
•
Use of Processing Hardware
•
Use of Software
• Virtualization
• Operating System
• Application
• Updates
Contract Review
Business Continuity
•
Ensure a disaster recovery and business continuity plan exists and is included in the
contract. (data centers, selective restores, mobile recovery units)
•
Ensure the vendor plan will allow the financial institution to meet their recovery time
objectives for the service.
•
Document the roles and responsibilities of the vendor to provide the financial
institution with test plans and results. Participate in the disaster recovery test
whenever possible.
Contract Review
Cloud Computing
•
•
•
•
•
•
•
•
Review if Institution’s data separated from others in the Cloud
Restrictions on use of data
Responses to security breaches
Use of security measures such as encryption
Access to Vulnerability and Penetration tests
Loss of confidentiality
Loss of integrity
Loss of availability
Contract Review
Cloud Computing
•
End of Contract
–
–
–
–
Access to data
Deletion of data
Application
Updates
Contract Review
Subcontractor
•
Must have visibility into subcontractors
•
Define services to be performed by contractors
•
What NPI will subcontractors have access to?
Contract Review
Subcontractor
•
How does primary vendor assess contractors
•
What is the approval process for change of subcontractors? Is the financial institution
notified and given notice?
•
Policy on Foreign firms
Regulatory Sources and
References
•
Guidance for Managing Third Party Relationships – FIL 44-2008, FIL 50-2001
•
Part 364-B GLBA FDIC Rules and Regulations
•
FFIEC Supplement to Authentication in an Internet Banking Environment – FIL-502011
•
FFIEC Retail Payment Systems Handbook (FIL-6-2010)
•
FFIEC Guidance on Risk Management of Remote Deposit Capture (FIL-4-2009)
THANK YOU
Kris Buckley, President
kmb@buckleytechgroup.com
www.buckleytechgroup.com
781.258.0618
Download