Outsourced Service Provider Audit Report (OSPAR) of [Name of Outsourced Service Provider]

Audit Report Date: xx Month yyyy

Notes from the Association of Banks in Singapore (ABS):

This ABS Outsourced Service Provider Audit Report (OSPAR) Template version 1.0 is documented with reference to the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers version 1.0. The auditors engaged by Outsourced Service Providers (OSPs) to perform control audits against the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers must use this OSPAR template to document the OSPs' control audit results.

This OSPAR template documents the minimum contents to be included in the control audit reports of the OSPs. It also provides a report structure for documenting the control audit results of the OSPs in a consistent manner, enabling the Financial Institution (FI) Clients of the OSPs to interpret the control audit results accurately.

The engaged auditors may choose the audit framework/standard, such as ISAE3402 or SSAE3402, under which they perform and sign off on the audits of the OSPs. Audit firms that wish to perform these control audits need to submit the CVs of their auditors to ABS by emailing outsourcing@abs.org.sg.

<<ABS Comment for Auditors: Please remove all the ABS comment clauses in this template when delivering the audit reports to the OSPs.>>

OSPAR v1.0 – July 2015

Contents

Section 1 – Management of [Name of OSP] Assertion Regarding Its Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]
Section 2 – Independent Auditor's Summary Report
Section 3 – Description of OSP's Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]
  Overview and Background
  Financial Institution (FI) Clients' Responsibilities
  Components of the Services Provided
  Components of the Technology Related Services
  I. ENTITY LEVEL CONTROLS
  II. GENERAL INFORMATION TECHNOLOGY (IT) CONTROLS
    a. Logical Security
    b. Physical Security
    c. Change Management
    d. Incident Management
    e. Backup and Disaster Recovery
    f. Network & System Security and Monitoring
    g. Security Incident Response
    h. System Vulnerability Assessment
    i. Technology Refresh Management
  III. SERVICE CONTROLS
    a. Setting up of New Clients/Processes
    b. Authorising and Processing Transactions
    c. Maintaining Records
    d. Safeguarding Assets
    e. Service Reporting and Monitoring
  Functions/Services Outsourced to Sub-Contractors
Section 4 – Applicable ABS Controls Criteria, Tests of Controls and Test Results

Section 1 – Management of [Name of OSP] Assertion Regarding Its Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]

<<ABS Comment: The Management of the OSP must provide the engaged auditor(s) with a written assertion, attached in this section, as the management's description of its organisation's services. If the Management of the OSP refuses to provide a written assertion, this represents a scope limitation and consequently the auditor(s) should withdraw from the engagement.>>

[OSP's Letterhead]

[Name of OSP]'s Assertion

<<ABS Comment: The Management of the OSP is to provide users of this control audit report with information about the [type or name of] services the OSP provides, particularly the service controls intended to meet the criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, and to confirm the statements below to the best of the OSP's knowledge and belief.>>

A. We have prepared the attached description titled "Description of [Name of OSP]'s [type or name of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]" (the "description"). The description is intended to provide users of this control audit report with information about the [type or name of] services, particularly the service controls intended to meet the criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers.
We confirm, to the best of our knowledge and belief, that the description fairly presents the [type or name of] services throughout the period [dd Month yyyy] to [dd Month yyyy], based on the following description criteria:

a. The description contains the following information:
   i. The types of services provided
   ii. The components of the system used to provide the services, which are the following:
      (1) Infrastructure: the physical and hardware components of a system (facilities, equipment, and networks)
      (2) Software: the programs and operating software of a system (systems, applications, and utilities)
      (3) People: the personnel involved in the operation and use of a system (developers, operators, users, and managers)
      (4) Procedures: the automated and manual procedures involved in the operation of a system
      (5) Data: the information used and supported by a system (transaction streams, files, databases, and tables)
b. The boundaries or aspects of the services covered by the description
c. How the services/systems capture and address significant events and conditions
d. The processes used to prepare and deliver reports and other information to the Financial Institution (FI) Clients or other parties
e. If information is provided to, or received from, [sub-contractors or][fn 1] other parties, how such information is provided or received; the role of the [sub-contractors or][fn 1] other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subjected to appropriate controls
f. For each applicable ABS controls criterion, the related controls designed to meet that criterion [, including controls at the sub-contractors][fn 2]
g. [For sub-contractors presented using the carve-out method, the nature of the services provided by the sub-contractors; each applicable ABS controls criterion that is intended to be met by controls at the sub-contractors, alone or in combination with controls at the OSP; and the types of controls expected to be implemented at carved-out sub-contractors to meet those criteria][fn 1]
h. Any applicable ABS controls criteria that are not addressed by a control at the OSP [or a sub-contractor][fn 1] and the reasons therefor
i. Other aspects of the OSP's control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable ABS controls criteria
j. Relevant details of changes to the OSP's services/system during the period covered by the description

B. The description does not omit or distort information relevant to the OSP's services, while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the services that each individual user may consider important to his or her own particular needs.

C. The controls stated in the description were suitably designed and implemented throughout the period [dd Month yyyy] to [dd Month yyyy] to meet the applicable ABS controls criteria.

D. The controls stated in the description operated effectively throughout the period [dd Month yyyy] to [dd Month yyyy] to meet the applicable ABS controls criteria.

[fn 1] If sub-contractors are included within the report as being needed in the design of the OSP's controls to meet one or more criteria, the assertion should be modified to include the bracketed language.
[fn 2] Where sub-contractors are included within the report and the inclusive method is being used, include "and controls at the sub-contractors".
Section 2 – Independent Auditor's Summary Report

<<ABS Comment to Auditors: The following section is for the engaged auditor to document the auditor's summary report. It should be used in conjunction with the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers in reporting on controls at the OSP relevant to the ABS controls criteria.>>

[Auditor's Letterhead]

Report of Independent Service Auditors

To the Management of [Name of OSP]

Scope

<<ABS Comment to Auditors: The engaged auditors are to use the respective clauses below according to the method used for the control audit of the OSP:
Method 1 – the OSP does not use any sub-contractor.
Method 2 (Inclusive) – the OSP uses sub-contractor(s) and this control audit report includes the audit of the OSP's sub-contractor(s).
Method 3 (Carve-out) – the OSP uses sub-contractor(s) and this control audit report excludes the sub-contractor(s)' relevant control objectives and controls from the description and from the scope of the auditor's engagement.>>

<<ABS Comment to Auditors: Method 1 Clauses – when the OSP does not use any sub-contractor>>

[We have examined the attached description titled "Description of [Name of OSP]'s [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"[fn 3] (the "description") and the suitability of the design and operating effectiveness of controls to meet the controls criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, throughout the period [dd Month yyyy] to [dd Month yyyy].]

<<ABS Comment to Auditors: Method 2 (Inclusive) Clauses>>

[We have examined the attached description titled "Description of [Name of OSP]'s [and Name of Sub-contractor]'s [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"[fn 3] (the "description") and the suitability of the design and operating effectiveness of controls to meet the controls criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, throughout the period [dd Month yyyy] to [dd Month yyyy]. [Sub-contractor Name] is an independent Outsourced Service Provider that provides [type of services] to [Name of OSP]. [Name of OSP]'s description includes a description of those elements of its service provided by [Name of Sub-contractor], the controls of which help meet certain applicable ABS controls criteria.]

<<ABS Comment to Auditors: Method 3 (Carve-out) Clauses>>

[We have examined the attached description titled "Description of [Name of OSP]'s [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"[fn 3] (the "description") and the suitability of the design and operating effectiveness of controls to meet the controls criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, throughout the period [dd Month yyyy] to [dd Month yyyy]. [Name of OSP] uses [a] [type(s) of] sub-contractor organisation[s] for its [activities performed by the sub-contractor[s]][fn 4]. The description indicates that certain applicable ABS controls criteria can only be met if controls at the sub-contractor organisation[s] are suitably designed and operating effectively. The description presents [Name of OSP]'s services; its controls relevant to the applicable ABS controls criteria; and the types of controls that the OSP expects to be suitably designed, implemented and operating effectively at the sub-contractor organisation[s] to meet certain applicable ABS controls criteria. The description does not include any of the controls implemented at the sub-contractor[s]. Our examination did not extend to the services provided by the sub-contractor[s].]

Outsourced Service Provider's Responsibilities

[Name of OSP] [and Name of Sub-contractor][fn 5] has [have] provided the attached assertion[s] titled "Management of [Name of OSP]'s Assertion Regarding Its [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"[fn 6] [and "Management of [Name of Sub-contractor]'s Assertion Regarding Its [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"][fn 5], which is [are] based on the criteria identified in the [those] management assertion[s]. [Name of OSP] [and Name of Sub-contractor][fn 5] is [are] responsible for (1) preparing the description and assertion[s]; (2) the completeness, accuracy, and method of presentation of both the description and assertion[s]; (3) providing the services covered by the description; (4) specifying the controls that meet the applicable ABS controls criteria and stating them in the description; (5) identifying any applicable ABS controls criteria being reported on that have been omitted from the description and explaining the reason for the omission; and (6) designing, implementing, and documenting the controls to meet the applicable ABS controls criteria.

Service Auditor's Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description, based on the description criteria set forth in [Name of OSP]'s [and Name of Sub-contractor]'s[fn 5] assertion[s], and on the suitability of the design and operating effectiveness of the controls to meet the applicable ABS controls criteria, based on our examination. We conducted our examination in accordance with attestation standards established by [name of the audit standard, such as ISAE3402 or SSAE3402, selected by the engaged auditors]. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is fairly presented based on the description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable ABS controls criteria throughout the period [dd Month yyyy] to [dd Month yyyy].

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable ABS controls criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable ABS controls criteria.

[fn 3] The title of the description of the OSP's services in our report is the same as the title used by the Management of the OSP in its description of the OSP's services.
[fn 4] Insert the functions performed by the sub-contractor, for example computer processing, custodial services, and data centre hosting.
[fn 5] Inclusive Method: if a sub-contractor is used and the sub-contractor's relevant controls are included in the description and in the scope of the engagement, this language should be included.
[fn 6] The title of the assertion in our report is the same as the title used by the Management of the OSP in its assertion.
Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable ABS controls criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature and inherent limitations, controls at an Outsourced Service Provider [or a sub-contractor's organisation][fn 5] may not always operate effectively to meet the applicable ABS controls criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or of conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable ABS controls criteria, is subject to the risk that the system may change or that controls at an Outsourced Service Provider [or a sub-contractor's organisation][fn 5] may become inadequate or fail.

Opinion

<<ABS Comment to Auditors: Any adverse opinion should be summarised in the respective sections below (i.e. A, B and/or C) and the full details reported in Section 4 of this report.>>

In our opinion, in all material respects, based on the description criteria identified in [Name of OSP]'s [and Name of Sub-contractor]'s[fn 5] assertion[s] and the applicable ABS controls criteria:

A. The description fairly presents the [name or type of] services [and the elements of the services provided by [Name of Sub-contractor]][fn 5] that was [were] designed and implemented throughout the period [dd Month yyyy] to [dd Month yyyy].

B. The controls of [Name of OSP] [and [Name of Sub-contractor]][fn 5] stated in the description were suitably designed to provide reasonable assurance that the applicable ABS controls criteria would be met if the controls operated effectively throughout the period [dd Month yyyy] to [dd Month yyyy].

C. The controls [of [Name of OSP] and [Name of Sub-contractor]][fn 5] tested, which were those necessary to provide reasonable assurance that the applicable ABS controls criteria were met, operated effectively throughout the period [dd Month yyyy] to [dd Month yyyy].

Description of Tests of Controls

The specific controls we tested and the nature, timing, and results of our tests are presented in the section of our report titled "[insert the title of the description from the scope paragraph]".

Restricted Use

This report and the description of tests of controls and results thereof are intended solely for the information and use of [Name of OSP]; the FI Client(s) of [Name of OSP]'s [name or type of] services during some or all of the period [dd Month yyyy] to [dd Month yyyy]; and prospective FI Client(s), independent auditors and practitioners providing services to the FI Clients, and regulators (collectively referred to as "specified parties") who have sufficient knowledge and understanding of the following:

A. The nature of the services provided by the OSP
B. How the OSP's services/systems interact with FI Clients, sub-contractor organisations, or other parties
C. Internal control and its limitations
D. The applicable ABS controls criteria
E. The risks that may threaten the achievement of the applicable ABS controls criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.
If a report recipient is not a specified party as defined above and has obtained this report, or has access to it, use of this report is the non-specified user's sole responsibility and at the non-specified user's sole and exclusive risk. Non-specified users may not rely on this report and do not acquire any rights against [Name of Audit Firm] as a result of such access. Further, the auditor does not assume any duties or obligations to any non-specified user who obtains this report and/or has access to it.

[Lead Auditor's signature]
[City, State][fn 7]
[Date]

[fn 7] The location of the office may be included in the office letterhead. It is unnecessary to repeat the "City, State" at the bottom of the report if it already appears in the letterhead. However, if letterhead stationery is not used, the "City, State" (or city and country) of the office should be indicated at the bottom of the report beneath the signature and before the report date.

Section 3 – Description of OSP's Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]

<<ABS Comment: This section is for the OSP to provide a detailed description of its services and the service controls covered under this report.>>

Overview and Background
<<Description>>

Financial Institution (FI) Clients' Responsibilities
<<Description>>

Components of the Services Provided:
a. Process <<Description>>
b. People <<Description>>
c. Technology <<Description>>

Components of the Technology Related Services:
a. Infrastructure <<Description>>
b. Software <<Description>>
c. People <<Description>>
d. Procedures <<Description>>
e. Data <<Description>>

I. ENTITY LEVEL CONTROLS
a. Control Environment <<Description>>
b. Risk Assessment <<Description>>
c. Information and Communication <<Description>>
d. Monitoring <<Description>>
e. Information Security Policies <<Description>>
f. Other HR & Sub-contracting Specific Controls <<Description>>

II. GENERAL INFORMATION TECHNOLOGY (IT) CONTROLS
a. Logical Security <<Description>>
b. Physical Security <<Description>>
c. Change Management <<Description>>
d. Incident Management <<Description>>
e. Backup and Disaster Recovery <<Description>>
f. Network & System Security and Monitoring <<Description>>
g. Security Incident Response <<Description>>
h. System Vulnerability Assessment <<Description>>
i. Technology Refresh Management <<Description>>

III. SERVICE CONTROLS
a. Setting up of New Clients/Processes <<Description>>
b. Authorising and Processing Transactions <<Description>>
c. Maintaining Records <<Description>>
d. Safeguarding Assets <<Description>>
e. Service Reporting and Monitoring <<Description>>

Functions/Services Outsourced to Sub-Contractors

The following table summarises the functions/services that are outsourced to sub-contractor(s):

No | Functions/Services | Name of Sub-Contractor
1. | Xx | Xxx
2. | Xx | Xxx

Section 4 – Applicable ABS Controls Criteria, Tests of Controls and Test Results

Scope of ABS Controls Applicability

The following table summarises the applicability of the ABS controls criteria to [Name of OSP] [and Name of Sub-contractor, if the inclusive method is used] based on the description of its services[fn 3]:

Section of the ABS Guidelines | ABS Control Criteria | Applicability (Applicable / Non-Applicable / Partially Applicable) | Test Result Summary (Exceptions Noted / No Exceptions Noted)
I | Entity Level Controls | |
I (a) | Control Environment | |
I (b) | Risk Assessment | |
I (c) | Information and Communication | |
I (d) | Monitoring | |
I (e) | Information Security Policies | |
I (f) | Other HR and Sub-contracting Specific Controls | |
II | General Information Technology (IT) Controls | |
II (a) | Logical Security | |
II (b) | Physical Security | |
II (c) | Change Management | |
II (d) | Incident Management | |
II (e) | Backup and Disaster Recovery | |
II (f) | Network & System Security and Monitoring | |
II (g) | Security Incident Response | |
II (h) | System Vulnerability Assessment | |
II (i) | Technology Refresh Management | |
III | Service Controls | |
III (a) | Setting up of New Clients/Processes | |
III (b) | Authorising and Processing Transactions | |
III (c) | Maintaining Records | |
III (d) | Safeguarding Assets | |
III (e) | Service Reporting and Monitoring | |

Management of [Name of OSP]'s Comment/Response

<<ABS Comment to Auditors: The Management of the OSP may provide a summary of their comments in response to the audit results tabled by the auditors. In the event of any findings or non-compliance it is highly recommended that the Management of the OSP set down their response and action plan.>>

<<ABS Comment to Auditors: Additional specific control objectives should also be outlined below. These do not represent an exhaustive list but give guidance to the OSPs. Each OSP should specifically agree the detailed requirements with its individual FI clients and incorporate them within service level agreements.>>

Each criteria table in the remainder of this section has the columns: ABS Control Criteria | Description of OSP's Control | Test of Controls | Results of Tests | Auditor's Recommendation and OSP Management's Response/Action Plan. Only the ABS Control Criteria column is pre-filled in this template; the remaining columns are completed by the OSP and the auditor.

I. ENTITY LEVEL CONTROLS CRITERIA

(a) Control Environment

The control environment sets the priorities and culture for the OSP, influencing the control consciousness of its people. It is the foundation for all the other components of internal control, providing discipline and structure. Aspects of the OSP's control environment may affect the services provided to the FIs. For example, the OSP's hiring and training practices may affect the quality and ability of the OSP's personnel to provide services to the FIs.

The control environment includes the following elements:
i. Communication and enforcement of integrity and ethical values
ii. Commitment to competence
iii. Management's philosophy and operating style
iv. Organisational structure
v. Assignment of authority and responsibility
vi. Human resource policies and practices

ABS Control Criteria (applying across elements i to vi):
- The entity has established workplace conduct standards, implemented workplace candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the ABS controls criteria.
- Personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting the ABS controls criteria have the qualifications and resources to fulfil their responsibilities.
- The entity has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system, enabling it to meet its commitments and requirements as they relate to the ABS controls criteria.
- Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with the authority to ensure that policies and other system requirements are effectively promulgated and placed in operation.

(b) Risk Assessment

The OSP's risk assessment process may affect the services provided to FIs. The following is a list of risk assessment factors and examples of how they might relate to the OSP:
i. Changes in the operating environment - if the OSP provides services to FIs, a change in regulations may necessitate a revision of existing processes, which may require additional or revised controls
ii. New personnel - new personnel may increase the risk of controls not being performed effectively
iii. New or revamped information systems - the OSP may incorporate new functions into its systems that could affect the FIs
iv. Rapid growth - if the OSP gains a substantial number of new customers, the operating effectiveness of certain controls could be affected
v. New technology - the OSP may implement a new technology whose risks and impact on the FIs would need to be assessed
vi. New business models, products, or activities - the diversion of resources from existing activities to new activities could affect certain controls at the OSP
vii. Corporate restructurings - a change in ownership or internal reorganisation could affect reporting responsibilities or the resources available for services to the FIs
viii. Expanded foreign operations - an OSP that uses personnel in foreign locations may have difficulty responding to changes in user requirements
ix. Environmental scan - the OSP scans for emerging threats that may impact its operations or services (e.g. cyber threats)

(c) Information and Communication

Adequate information and effective communication are essential to the proper functioning of internal control. The information and communication component of the OSP's internal control includes the following:
i. The information system must be documented, with procedures for initiating, authorising, recording, processing and reporting FIs' transactions for proper accountability
ii. Communication involves how the OSP communicates its roles and responsibilities and significant matters relating to the services provided to the FIs, including communication within its organisation, with the FIs and with regulatory authorities. This may include the OSP's communication to its staff on how its activities impact the FIs, the escalation process for reporting exceptions within the OSP and to the FIs, and seeking the FIs' approval prior to any sub-contracting

(d) Monitoring

Many aspects of monitoring may be relevant to the services provided to FIs. For example, the OSP may employ internal auditors or other personnel to evaluate the effectiveness of controls over time, either by ongoing activities, periodic evaluations, or a combination of the two. The OSP's monitoring of its sub-contractors' activities that affect the services provided to the FIs is another example of monitoring. This form of monitoring may be accomplished by visiting the sub-contractors' organisation, obtaining and reading a report containing a detailed description of the sub-contractors' controls, or conducting an independent assessment of whether the controls in place are suitably designed and operating effectively throughout the specified period. Monitoring external communications, such as customer complaints and communications from regulators, generally would be relevant to the services provided to FIs. Often, these monitoring activities are included as control activities for achieving a specific control objective.
(e) Information Security Policies ABS Control Criteria Description of OSP’s Control Test of Controls Results of Tests Auditor’s Recommendation and OSP Management’s Response/Action Plan Information Security (IS) policies and procedures are established, documented and reviewed at least annually or as and when there are changes. IS policies and procedures should state the person(s) responsible for information security management. These documents are reviewed and approved by management. Specific security controls for systems and networks are defined to protect the confidentiality, integrity and availability of systems and data. Any identified deviations are documented, tracked and remediated. Deviations which impact the services rendered to the FIs should be communicated immediately. OSPAR v1.0 – July 2015 Page 19 of 46 (f) Other HR & Sub-contracting Specific Controls Auditor’s Recommendation and OSP Management’s Response/Action Plan These controls should provide reasonable assurance that the management of the OSP provides oversight, ensures segregation of duties, and guides consistent implementation of security practices. Staff and sub-contractors of the OSP understand their responsibilities and are suitable for the roles for which they are considered. (i) OSP’s staff and sub- contractors understand their responsibilities and are suitable for the roles for which they are considered ABS Control Criteria (ii) Description of OSP’s Control Test of Controls Results of Tests The OSP should ensure that individuals considered for employment are adequately screened for experience, professional capabilities, honesty and integrity. Screening should include background employment checks to assess character, integrity and track record. An information security awareness training program should be established. The training program should be conducted for OSP’s staff, sub-contractors and vendors who have access to IT resources and systems. 
Contracts with staff and sub-contractors of the OSP should include non-disclosure and confidentiality clauses which apply to staff and sub-contractors of the OSP working for its FI clients on and off premises.
The OSP’s sub-contracting is properly managed and monitored.
Sub-contracting or the use of sub-contractors is subject to the approval of the FIs and to due diligence as agreed with the FIs.

II. GENERAL INFORMATION TECHNOLOGY (IT) CONTROLS CRITERIA

(a) Logical Security
These controls should provide reasonable assurance that logical access to programs, data, and operating system software is restricted to authorised personnel within the OSP, and that this applies to new and existing systems.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Logical access to programs, data, and operating system software is restricted to authorised personnel.
(i) Information Security (IS) policies and procedures are established, documented and reviewed at least annually or when there are changes. IS policies and procedures are reviewed and approved by management. Logical access requirements to programs, data and operating system software are defined, as agreed with FIs.
(ii) Access to systems and network devices is only granted based upon a documented and approved request and on a need basis.
(iii) Access to production and backup data and sensitive information is granted on a ‘least privilege’ basis. Access to sensitive files (including system logs), commands and services is restricted and protected from manipulation on both production and non-production (containing FIs’ customer information) systems.
(iv) Access to systems (i.e. applications, operating systems, databases) and network devices by end users and IT staff is reviewed periodically, at a frequency agreed with FIs.
(v) The OSP’s staff and sub-contractor offboarding process includes revoking access to systems and network devices upon termination or when no longer required.
(vi) Encryption, access privilege management, reconciliation and traceability IT security and control protocols are in place to protect the processing, transmission and storage of confidential information (including data at endpoints such as notebooks and mobile devices).
(vii) Individual FI information is not merged with that of the OSP’s other clients. Appropriate technological measures are established to isolate, control and clearly identify FIs’ data, information system assets, documents and records. Procedures are established to securely destroy or remove the FI’s data as per the agreed retention and destruction policies, as well as upon termination. This requirement also applies to backup data.
(viii) Industry-accepted cryptography standards agreed with FIs are deployed to protect FIs’ information and other sensitive data transmitted between terminals and hosts, including networks and in storage, as defined in the MAS Technology Risk Management (TRM) guidelines.
(ix) FIs’ data transmitted electronically to external parties (where permissible) is encrypted and industry-accepted cryptography standards are applied.
(x) Industry-accepted password construction rules and parameters (e.g. complex passwords, lockout settings, password history) are implemented. The password controls for applications/systems are reviewed according to the agreed information security requirements/standards.
(xi) Procedures are established to manage privileged system administration accounts (including emergency usage). Privileged access requested is documented and approved.
(xii) Privileged access is reviewed at least annually and subjected to restrictive controls such as dual control, the never-alone principle, two-factor authentication (“2FA”), etc. Passwords are changed regularly and access removed when no longer required. Changes made via privileged access must also be logged and monitored by appropriate staff within the organisation.
(xiii) Passwords should be stored in a secure manner (e.g. encrypted, access controlled, etc.).

(b) Physical Security
These controls demonstrate that the OSP restricts physical access to Data Centre/Controlled (DC) areas and has put in place environmental controls to protect the IT assets hosted at its data centres.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Physical access to Data Centre/Controlled areas is restricted to authorised individuals.
(i) Access to data centre/controlled areas is restricted:
a. Access is physically restricted (e.g. card access, biometric systems, ISO standard locks) to authorised personnel on a needs basis only. The access mechanism may include an ‘anti-passback’ feature to prevent use of card access for multiple entries.
b. Access granted to employees, contractors and third parties must be approved, documented and provided on a need basis only.
c. All visitors must be registered and their entry/exit recorded. Visitors should be issued with clear identification (e.g. an ID badge) and escorted by authorised personnel at all times.
(ii) Controlled areas that have emergency exits must have audible alarms that are monitored by security personnel. Periodic verification that the alarms are functioning must be performed and documentation retained.
(iii) Entry and exit to secure areas must have an audit trail (i.e. including CCTV footage / user ID / name, date and time). Access rights to data centre/controlled areas are reviewed at least annually and as agreed with the FI. Monitoring of access violations should be conducted on a monthly basis.
(iv) Physical access rights granted to employees, contractors and third parties are removed upon termination or when no longer required.
(v) A Threat and Vulnerability Risk Assessment (“TVRA”) should be performed for the data centre. The assessment criteria should be specified and should include at a minimum the data centre’s perimeter and surrounding environment, and should be modelled on various threat scenarios such as theft and explosives.
Note: Before FIs procure DC services from the OSP, FIs will ensure that all identified risks are adequately addressed. Subsequent assessments may also be conducted at a frequency commensurate with the level and type of risk to which a DC is exposed as well as the criticality of the DC to the FIs. FIs will obtain and assess the TVRA report from the OSP on the DC facility.
2. Environmental controls are in place to protect the IT assets hosted at the data centre/controlled areas.
(i) The following physical and environmental control features are minimally available at the data centre:
a. Systems and network equipment locked up in cabinets
b. Uninterruptible power supply
c. Air conditioning system
d. Temperature and humidity sensors
e. Fire detector
f. Smoke detector
g. Water sprinkler (dry-piped or wet-piped)
h. FM200 or other fire suppression system
i. Raised floor
j. CCTV
k. Water leakage detection system
l. Fire extinguisher
(ii) The OSP should ensure that the perimeter of the DC, the DC building, facility and equipment room are physically secured and monitored. The OSP should employ physical, human and procedural controls such as the use of security guards, card access systems, mantraps and bollards where appropriate.
(iii) The OSP should deploy security systems and surveillance tools, where appropriate, to monitor and record activities that take place within the DC. The OSP should establish physical security measures to prevent unauthorised access to systems and equipment.
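The access review criteria in (a)(iv), (a)(v) and (a)(xii) for logical access and in (b)(iii) and (b)(iv) for physical access can all be tested the same way: reconcile the system access lists and the badge system against the HR roster and flag every entitlement that survives a termination, has no owner, or has not been reviewed within the agreed interval. The Python script below is an added illustration of that test; it is not part of the ABS template or any OSP’s tooling. The record layout, the 180-day end-user review interval (assumed to be the frequency agreed with the FI) and all sample records are constructed.

```python
"""Access review reconciliation for the OSPAR logical access criteria (a)(iv),
(a)(v) and (a)(xii) and the physical access criteria (b)(iii) and (b)(iv).
Added example, not part of the ABS template or any OSP's tooling; the record
layout, the review intervals and all sample records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PRIVILEGED_REVIEW_DAYS = 365   # privileged and physical access: at least annually
USER_REVIEW_DAYS = 180         # end-user access: assumed interval agreed with the FI


@dataclass(frozen=True)
class Person:
    user_id: str
    status: str                         # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Entitlement:
    user_id: str
    target: str                         # system, network device or controlled area
    kind: str                           # "logical" or "physical"
    privileged: bool
    last_reviewed: Optional[date]       # None: never reviewed


def _stale(last_reviewed: Optional[date], today: date, max_days: int) -> bool:
    return last_reviewed is None or (today - last_reviewed).days > max_days


def review_access(roster, entitlements, today) -> List[Tuple[str, str, str]]:
    """Return (user_id, target, issue) for every exception a reviewer must follow up."""
    people = {p.user_id: p for p in roster}
    findings = []
    for e in entitlements:
        person = people.get(e.user_id)
        if person is None:
            findings.append((e.user_id, e.target, "no HR record (orphan account)"))
        elif person.status == "terminated":
            findings.append((e.user_id, e.target,
                             f"{e.kind} access still active after termination on {person.terminated_on}"))
        elif e.privileged or e.kind == "physical":
            if _stale(e.last_reviewed, today, PRIVILEGED_REVIEW_DAYS):
                findings.append((e.user_id, e.target,
                                 f"not reviewed within {PRIVILEGED_REVIEW_DAYS} days"))
        elif _stale(e.last_reviewed, today, USER_REVIEW_DAYS):
            findings.append((e.user_id, e.target,
                             f"not reviewed within {USER_REVIEW_DAYS} days"))
    return findings


# Constructed sample extracts: HR roster, system access list and badge system.
ROSTER = [
    Person("alice", "active"),
    Person("bob", "terminated", date(2015, 3, 31)),
    Person("carol", "active"),
]
ENTITLEMENTS = [
    Entitlement("alice", "core-banking-db", "logical", True, date(2014, 1, 15)),
    Entitlement("alice", "DC-hall-1", "physical", False, date(2015, 5, 1)),
    Entitlement("bob", "core-banking-db", "logical", False, date(2015, 1, 10)),
    Entitlement("bob", "DC-hall-1", "physical", False, date(2015, 1, 10)),
    Entitlement("carol", "vpn-gateway", "logical", False, None),
    Entitlement("dave", "build-server", "logical", False, date(2015, 6, 1)),
]


def run_sample(today=date(2015, 7, 15)):
    return review_access(ROSTER, ENTITLEMENTS, today)


if __name__ == "__main__":
    for user, target, issue in run_sample():
        print(f"{user:6} {target:16} {issue}")
```

In an engagement the auditor would feed the HR export, each in-scope system’s access list and the badge system export into this reconciliation and record every finding, with the evidence examined, under Results of Tests; the OSP’s closure of each finding (revocation, review sign-off) then belongs under Management’s Response/Action Plan.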
(c) Change Management
These controls provide reasonable assurance that the OSP documents and approves all changes to system software and network components.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Changes to system software and network components are documented and approved.
(i) A formal change management process is established, documented and reviewed at least annually or when there are changes to the process. The change management process is reviewed and approved by management. Segregation of change management duties should also be specified.
(ii) The following controls exist for changes applied to the production environment:
a. Changes should be initiated through a formal change request process and classified according to different severity levels.
b. Change requests are approved in accordance with an established Change Authority Matrix (including internal and FIs’ approvals), as agreed with FIs.
c. A risk and impact analysis of the change request in relation to existing infrastructure, network, upstream and downstream systems should be performed.
d. All changes must be tested and appropriate approvals must be obtained prior to implementation. System Integration Testing (“SIT”) and User Acceptance Testing (“UAT”) test plans should be prepared and signed off in accordance with the established Change Authority Matrix.
e. Emergency change escalation protocols (e.g. by phone and email) and approval requirements should be established in the change approval matrix (including internal and FI approvals) as agreed with FIs. Documented approval must still be obtained after the emergency change.
f. A rollback plan (which may include a backup plan) is prepared and approved prior to changes being made.
g. System logging is enabled to record activities that are performed during the migration process.
h. Segregation of duties should be enforced so that no single individual has the ability to develop, compile and migrate object code into the production environment.
i. Disaster recovery environment versions are updated in a timely manner after production migration is successfully completed.
(iii) Change risk categories are used to determine approval requirements in accordance with the defined change management process. Appropriate escalation levels and approvals are established and documented in the Change Authority Matrix for changes.
(iv) Segregation of environments for development, testing, staging and production is established. UAT data must be anonymised. If UAT contains production data, the environment must be subject to appropriate production-level controls.

(d) Incident Management
These controls provide reasonable assurance that the OSP resolves all system and network processing issues in a timely manner.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. System and network processing issues (once input into the incident and problem management tool) are resolved in a timely manner.
(i) A formal documented incident management process exists. The process is reviewed at least annually or when there are changes to the process. The procedure documentation should be reviewed, updated and approved accordingly.
(ii) Clear roles and responsibilities of staff involved in the incident management process should be outlined in the procedures, including recording, analysing, remediating and monitoring of problems and incidents. Clear escalation and resolution protocols, including timelines, should be documented, as should the need for incident notification to the FIs; all such notifications should be tracked and reported to the FIs regularly.
(iii) Incidents are recorded and tracked with the following information:
a. Severity
b. Client information
c. Date and time raised; description of the incident or problem
d. Incident type
e. Application, systems and/or network component impacted
f. Escalation and approvals
g. Actions taken to resolve the incident or problem, including the date and time the action was taken
h. Post-mortem on incidents, including root-cause analysis
(iv) Problems contributing to the occurrence of incidents should be identified to address the root cause and prevent recurrence. Trend analysis of past incidents should be performed to facilitate the identification and prevention of similar problems. Problem and incident occurrence, root cause and resolution are tracked, monitored and reported to FIs.

(e) Backup and Disaster Recovery
These controls provide reasonable assurance that the OSP’s business and information systems recovery and continuity plans are documented, approved, tested and maintained. Backups are performed and securely stored.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Backups are performed and securely stored.
(i) Backup and restoration processes have been implemented such that FIs’ critical system information can be recovered. Backup procedures are formally documented based on the data backup and recovery requirements of FIs. These should include a data retention policy and procedures designed to meet business, statutory and regulatory requirements as agreed with FIs.
(ii) System-level backups are securely stored at off-site storage facilities.
(iii) Backup logs associated with system-level backups are generated and remedial action is taken for unsuccessful backups.
(iv) Data backed up to external media such as tapes is encrypted and industry-accepted cryptography standards are applied.
(v) A tape (or other media) tracking/management system is used to manage the physical location of backup tapes. This includes a full inventory of all tapes on and off site, tape retention periods and tapes due for rotation.
(vi) Tape (or other media) inventory checks are performed at least annually such that all tapes are accounted for.
(vii) Backup tapes (or other media) are periodically tested to validate recovery capabilities.
2. Business and information systems recovery and continuity plans are documented, approved, tested and maintained. Disaster Recovery (“DR”) refers to disaster recovery capabilities as a whole for the services rendered and is not specific to information technology (“IT”) disaster recovery only.
(i) A DR strategy and business continuity plan is established and maintained based on the business, operational and information technology needs of the FI. Operational considerations include geographical requirements and on-site and off-site redundancy requirements.
a. Different scenarios such as major system outages, hardware malfunction, operating errors or security incidents, as well as total incapacitation of the primary processing centre, should be considered in the DR plan.
b. DR facilities shall accommodate the capacity for recovery as agreed with FIs.
(ii) The DR strategy and business continuity plan, including the activation and escalation process, is reviewed, updated and tested at least annually. In consultation with FIs this may be conducted more frequently depending on changing technology conditions and operational requirements.
(iii) DR exercises (i.e. testing plans and results) should be documented with action plans to resolve and retest exceptions.
(iv) Recovery plans include established procedures to meet the recovery time objectives (RTO) and recovery point objectives (RPO) of systems and data.
(v) Redundancies for single points of failure which can bring down the entire network are considered and implemented.
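Criteria (e)1(iii), (e)1(v) and (e)1(vi) above are usually tested from two artefacts: the backup job log, which must show remedial action for every unsuccessful job, and the tape management system’s inventory, which must agree with a physical count of tapes on site and off site and must identify tapes past their retention period. The Python script below is an added illustration of those three checks; it is not part of the ABS template or any OSP’s tooling. The log line format, the inventory layout and every record are constructed.

```python
"""Backup log review and tape inventory reconciliation for criteria (e)1(iii),
(e)1(v) and (e)1(vi). Added example, not part of the ABS template or any OSP's
tooling; the log line format, the inventory layout and all records are constructed."""
import re
from datetime import date

# Assumed log record format: "<date> <time> job=<name> status=<STATUS> media=<tape id> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job=(?P<job>\S+) "
    r"status=(?P<status>\S+) media=(?P<media>\S+)"
)


def failed_backups(log_lines):
    """Return (job, media, status, timestamp) for every job that did not complete,
    i.e. the backups for which criterion (iii) requires documented remedial action."""
    failures = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # not a job record (e.g. scheduler noise)
        if m["status"] != "SUCCESS":
            failures.append((m["job"], m["media"], m["status"], m["ts"]))
    return failures


def reconcile_tapes(inventory, counted_on_site, counted_off_site):
    """Compare the tape management system's inventory ({tape_id: (location,
    retention_until)}) with the tapes physically counted at each location."""
    recorded = set(inventory)
    observed = set(counted_on_site) | set(counted_off_site)
    misplaced = [t for t in sorted(recorded & observed)
                 if (t in counted_on_site) != (inventory[t][0] == "on-site")]
    return {
        "missing": sorted(recorded - observed),      # in inventory, not found anywhere
        "unexpected": sorted(observed - recorded),   # found, but not in the inventory
        "misplaced": misplaced,                      # found at the wrong location
    }


def due_for_rotation(inventory, today):
    """Tapes whose retention period has ended and which are due to be recycled or destroyed."""
    return sorted(t for t, (_loc, until) in inventory.items() if until <= today)


# Constructed sample data: four job records plus one non-job line, an inventory
# extract and the physical counts taken during the annual inventory check.
LOG_LINES = [
    "2015-07-13 02:00:05 job=core-db-full status=SUCCESS media=TAPE-0412 bytes=52428800",
    "2015-07-13 02:40:11 job=fileshare-incr status=FAILED media=TAPE-0413 error='media write error'",
    "2015-07-13 03:05:00 job=mail-full status=SUCCESS media=TAPE-0414 bytes=10485760",
    "2015-07-14 02:00:07 job=core-db-full status=PARTIAL media=TAPE-0415 bytes=1048576",
    "2015-07-14 02:00:08 scheduler heartbeat",
]
INVENTORY = {
    "TAPE-0412": ("off-site", date(2016, 7, 13)),
    "TAPE-0413": ("on-site", date(2015, 7, 20)),
    "TAPE-0414": ("off-site", date(2015, 6, 30)),
    "TAPE-0415": ("on-site", date(2016, 7, 14)),
    "TAPE-0400": ("off-site", date(2015, 1, 1)),
}
COUNTED_ON_SITE = {"TAPE-0413", "TAPE-0415", "TAPE-0414"}
COUNTED_OFF_SITE = {"TAPE-0412", "TAPE-0499"}


def run_sample(today=date(2015, 7, 15)):
    return {
        "failed": failed_backups(LOG_LINES),
        "inventory": reconcile_tapes(INVENTORY, COUNTED_ON_SITE, COUNTED_OFF_SITE),
        "rotation": due_for_rotation(INVENTORY, today),
    }


if __name__ == "__main__":
    for section, result in run_sample().items():
        print(section, result)
```

Each entry in `failed` should be matched to a ticket or rerun record before the auditor accepts (iii) as operating; a tape in `missing` is a gap against (vi) regardless of whether the data on it was encrypted under (iv).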
(f) Network & System Security and Monitoring
These controls provide reasonable assurance that the OSP’s systems and network controls are implemented based on FIs’ business needs.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Systems and network controls are implemented based on client and business needs.
(i) Information Security (IS) policies and procedures are established, documented and reviewed at least annually or when there are changes. IS policies and procedures are reviewed and approved by management. Specific security controls for systems and networks are defined to protect the confidentiality, integrity and availability of systems and data.
(ii) Security baseline standards (i.e. system security baseline settings and configuration rules) are defined for the various middleware, operating systems, databases and network devices. Regular checks against the baseline standards should be carried out to monitor compliance.
(iii) Systems are ‘hardened’ (i.e. system security settings configured to the required level of protection) and meet established baseline standards. This should include changing all default passwords and protection against known vulnerabilities.
(iv) Anti-virus/malware detection programs are installed and operational. Procedures should include the timely detection and removal of known viruses/malware.
(v) Patch management procedures include the monitoring, review, testing and timely application of vendor patches, prioritising security patches to address known vulnerabilities.
(vi) Any identified deviations from security policy/standards are documented, tracked and remediated. Deviations which impact the services rendered to the FIs should be communicated.
(vii) File integrity checks are in place to detect unauthorised changes (e.g. to databases, files, programs and system configuration).
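The file integrity check required by (vii) rests on a simple mechanism: record a cryptographic digest of every file in scope at a known-good point (the baseline) and periodically recompute and compare, reporting files that were added, removed or modified. The Python script below is an added illustration of that mechanism and is not part of the ABS template or any OSP’s tooling; it builds a small constructed directory tree in a temporary folder, takes a baseline, simulates three changes and reports them, so it runs offline.

```python
"""File integrity baseline and comparison for criterion (f)1(vii).
Added example, not part of the ABS template or any OSP's tooling; the directory
tree and the simulated changes below are constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path relative to `root` to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):   # stream large files
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Report which files appeared, disappeared or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed tree, baseline it, simulate changes and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "app.cfg", "debug=false\n")
        baseline = snapshot(root)
        # Simulated changes an integrity check must surface: a hardening
        # setting reverted, a config file deleted and an unexpected file added.
        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "app.cfg"))
        _write(root, "etc/extra.conf", "unexpected=1\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change, paths in demo().items():
        print(f"{change}: {paths}")
```

Two properties matter when the auditor tests this control: the baseline must be stored where the monitored hosts cannot alter it (otherwise an unauthorised change can re-baseline itself), and each reported difference must be traced to an approved change record under (c) or escalated under (g).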
(viii) Network security controls should be deployed to protect the internal network. These include firewalls and intrusion detection/prevention devices (including denial-of-service security appliances where appropriate) between internal and external networks as well as between geographically separate sites, if applicable. A review for obsolete and duplicate firewall rules should be carried out at least half-yearly.
(ix) Network surveillance and security monitoring procedures (e.g. network scanners, intrusion detectors and security alerts) are established.
(x) Security system events are logged, retained and monitored.
(xi) Two-factor authentication at login for all online financial systems, and transaction signing for authorising high-risk transactions, is implemented.
(xii) Internal Network Vulnerability Assessment (“VA”) should be conducted quarterly to detect security vulnerabilities, including common web vulnerabilities. A combination of automated tools and manual techniques should be deployed. The scope, results (i.e. number of critical, high, medium and low risk findings) and remediation status (i.e. open, closed, pending and extension, if any) are established and gaps are fully addressed in a timely manner.
(xiii) Network and Application Penetration Testing (“PT”) should be conducted annually, particularly for internet-facing systems. The scope, results (i.e. number of critical, high, medium and low risk findings) and remediation status (i.e. open, closed, pending and extension, if any) are established and gaps are fully addressed in a timely manner.
(xiv) Secure code review should be conducted before on-boarding a new application. The scope, results (i.e. number of critical, high, medium and low risk findings) and remediation status (i.e. open, closed, pending and extension, if any) are established and gaps are fully addressed.
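The half-yearly rule review in (viii) asks for obsolete and duplicate firewall rules to be found. An exact duplicate is easy to spot; the obsolete cases a reviewer looks for are rules that have passed their expiry date, rules with no hits since the last review, and rules that are shadowed, that is, fully covered by an earlier rule in a first-match rule base and therefore never reached. The Python script below is an added illustration of that review and is not part of the ABS template or any OSP’s tooling. The rule fields (source and destination CIDR, protocol, port, hit counter, expiry date) and the rule set itself are constructed, and treating “obsolete” as expired, unused or shadowed is this example’s interpretation.

```python
"""Half-yearly firewall rule-base review for criterion (f)1(viii): find duplicate,
shadowed, expired and unused rules. Added example, not part of the ABS template
or any OSP's tooling; the rule fields and the rule set are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str                     # CIDR; "0.0.0.0/0" means any destination
    proto: str                   # "tcp", "udp" or "any"
    port: Optional[int]          # None means any destination port
    hits: int                    # hit counter since the last review
    expires: Optional[date]      # temporary rules carry an expiry date


def _covers(wide: Rule, narrow: Rule) -> bool:
    """True when every packet matched by `narrow` is also matched by `wide`."""
    if wide.proto not in ("any", narrow.proto):
        return False
    if wide.port is not None and wide.port != narrow.port:
        return False
    return (ipaddress.ip_network(narrow.src).subnet_of(ipaddress.ip_network(wide.src))
            and ipaddress.ip_network(narrow.dst).subnet_of(ipaddress.ip_network(wide.dst)))


def review_rules(rules, review_date):
    """Return (rule_id, reason) for every rule that should be removed or re-justified."""
    findings = []
    seen = {}
    for i, rule in enumerate(rules):
        key = (rule.action, rule.src, rule.dst, rule.proto, rule.port)
        if key in seen:
            findings.append((rule.rule_id, f"duplicate of {seen[key]}"))
            continue
        seen[key] = rule.rule_id
        # first-match semantics: an earlier rule that fully covers this one hides it
        shadow = next((e.rule_id for e in rules[:i] if _covers(e, rule)), None)
        if shadow is not None:
            findings.append((rule.rule_id, f"shadowed by {shadow}, never reached"))
        if rule.expires is not None and rule.expires < review_date:
            findings.append((rule.rule_id, f"expired on {rule.expires}"))
        if rule.hits == 0:
            findings.append((rule.rule_id, "no hits since last review"))
    return findings


# Constructed rule base for the sample review.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "192.168.10.0/24", "tcp", 443, 120, None),
    Rule("R2", "allow", "10.1.0.0/16", "192.168.10.5/32", "tcp", 443, 0, None),
    Rule("R3", "deny", "0.0.0.0/0", "192.168.10.0/24", "tcp", 23, 3, None),
    Rule("R4", "allow", "10.0.0.0/8", "192.168.10.0/24", "tcp", 443, 120, None),
    Rule("R5", "allow", "172.16.5.0/24", "192.168.20.0/24", "udp", 53, 0, date(2015, 3, 31)),
    Rule("R6", "allow", "10.2.0.0/16", "192.168.30.0/24", "tcp", 22, 0, None),
]


def run_sample(review_date=date(2015, 7, 1)):
    return review_rules(RULES, review_date)


if __name__ == "__main__":
    for rule_id, reason in run_sample():
        print(rule_id, reason)
```

A rule flagged only for zero hits is a candidate for removal, not proof of obsolescence (a disaster recovery path may legitimately see no traffic between reviews), so the reviewer records the business justification or the removal change request against each finding rather than deleting on the spot.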
(g) Security Incident Response
These controls provide reasonable assurance that appropriate personnel within the OSP are contacted and immediate action is taken in response to a security incident. Requirements in the relevant notices, such as the MAS TRM Notice, are adhered to.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Appropriate personnel are contacted and immediate action is taken in response to a security incident.
(i) An Incident Response Plan establishes and documents specific procedures that govern responses to security incidents (physical or system security). The roles and responsibilities of staff involved in responding to security incidents are clearly defined.
(ii) Security response procedures are reviewed and tested annually and the Incident Response Plan is updated where necessary.
(iii) When an incident is detected or reported, the defined incident management process is initiated by authorised personnel. The incident severity level and escalation process must be pre-agreed with FIs. FIs should be notified immediately upon discovery and an Incident Report should be provided post-event.

(h) System Vulnerability Assessments
These controls provide reasonable assurance that the OSP performs regular system vulnerability assessments and penetration testing on environments with FIs’ customer information.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Vulnerability Assessments
(i) The OSP should continually monitor for emergent security exploits, and perform regular vulnerability assessments of its IT systems against common and emergent threats.
(ii) As vulnerability assessments would only enable the OSP to identify security deficiencies in its IT systems at a particular point in time, the OSP should institute a robust regime of prompt system patching and hardening, as well as adopt secure software coding practices.
2. Penetration Testing
(i) The OSP should perform penetration testing at least annually on its internet-facing systems.
(ii) As penetration testing would only enable the OSP to identify security deficiencies in its IT systems at a particular point in time, the OSP should institute a robust regime of prompt system patching and hardening, as well as adopt secure software coding practices.
3. Timely Remediation
(i) The OSP should establish a process to effectively remediate issues identified from vulnerability assessments and penetration testing in a timely manner.

(i) Technology Refresh Management
These controls provide reasonable assurance that the OSP maintains up-to-date software and hardware components used in the production and disaster recovery environments.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Timely refresh of the IT systems and software of the production and disaster recovery environments supporting FIs.
(i) To facilitate the tracking of IT resources, the OSP should maintain an up-to-date inventory of software and hardware components used in the production and disaster recovery environments (supporting FIs), including all relevant associated warranty and other supporting contracts related to the software and hardware components.
(ii) The OSP should actively manage its IT systems and software (supporting FIs) so that outdated and unsupported systems which significantly increase its exposure to security risks are replaced on a timely basis. The OSP should pay close attention to the products’ end-of-support (“EOS”) date, as it is common for vendors to cease the provision of patches, including those relating to security vulnerabilities that are uncovered after the products’ EOS date.
(iii) The OSP should establish a technology refresh plan to ensure that systems and software are replaced in a timely manner. The OSP should conduct a risk assessment for systems approaching EOS dates to assess the risks of continued usage and establish effective risk mitigation controls where necessary.

III. SERVICE CONTROLS

(a) Setting-up of New Clients/Processes
These controls provide reasonable assurance that client contracting procedures within the OSP are defined and monitored, and client processes are set up and administered in accordance with client agreements/instructions.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. OSP contracting procedures are defined and monitored.
(i) In considering, renegotiating or renewing an outsourcing arrangement, the OSP is to provide accurate and timely information to FIs so that they can perform appropriate due diligence to assess the risks associated with the outsourcing arrangements. Information provided should include:
a. experience and competence to implement and support the outsourcing arrangements over the contracted period
b. financial strength and resources
c. corporate governance, business reputation and culture, compliance, complaints and outstanding or potential litigation
d. security and internal controls, audit coverage, reporting and monitoring environment
e. risk management framework and capabilities, including in technology risk management and business continuity management in respect of the outsourcing arrangements
f. arrangements for disaster recovery provisioning should be tracked and recorded
g. reliance on and success in dealing with sub-contractors
h. insurance coverage
i. external factors (such as the political, economic, social and legal environment of the jurisdiction in which the OSP operates, and other events) that may impact service performance
j. track record and ability to comply with applicable laws and regulations
(ii) Contractual terms and conditions governing relationships, functions, obligations (including minimal insurance coverage of assets), responsibilities, rights and expectations of all contracting parties are set out fully in written agreements, e.g. Service Level Agreements (“SLA”).
(iii) The OSP’s SLA with FIs should clearly include the following:
a. the scope of the outsourcing arrangements
b. the performance, operational, internal control and risk management standards
c. confidentiality and security (i.e. roles and responsibility, liability for losses in the event of a breach of security/confidentiality), including a written undertaking to protect, isolate and maintain the confidentiality of FIs’ information and other sensitive data
d. business resumption and contingency requirements. The OSP is required to develop and establish a disaster recovery contingency framework which defines its roles and responsibilities for documenting, maintaining and testing its contingency plans and recovery procedures
e. the processes and procedures in place to adequately monitor the controls in place
f. notification of adverse developments or breaches of legal and regulatory requirements
g. dispute resolution (i.e. the protocol for resolving disputes and continuation of the contracted service during disputes, as well as the jurisdiction and rules under which disputes are to be settled)
h. default termination and early exit by all parties. Note: FIs have the right to terminate the SLA in the event of default, ownership change, insolvency, change of security or serious deterioration of service quality
i. sub-contracting (i.e. restrictions on sub-contracting, and clauses governing confidentiality of data)
j. FIs’ contractual power to remove or destroy data stored at the OSP’s systems and backups in the event of contract termination
k. ownership and access (i.e. ownership of assets generated, purchased or acquired during the outsourcing arrangements, and access to those assets)
l. provisions that allow the FIs to conduct audits on the OSP and its sub-contractors, whether by its internal or external auditors, or by agents appointed by the FIs; and to obtain copies of any report and findings made on the OSP and its sub-contractors in relation to the outsourcing arrangements, and to allow such copies of any report or finding to be submitted to the Monetary Authority of Singapore (“MAS”)
m. provisions that allow the MAS, or any agent appointed by the MAS, where necessary or expedient, to exercise the contractual rights of the FIs to access and inspect the OSP and its sub-contractors, to obtain records and documents of transactions, and information given to the OSP, stored at or processed by the OSP and its sub-contractors, and the right to access and obtain any report and finding made on the OSP and its sub-contractors
n. provisions that indemnify and hold the MAS, its officers, agents and employees harmless from any liability, loss or damage to the OSP and its sub-contractors arising out of any action taken to access and inspect the OSP or its sub-contractors pursuant to the outsourcing agreement
o. provisions for the OSP to comply with FIs’ security policies, procedures and controls to protect the confidentiality and security of the FIs’ sensitive or confidential information, such as customer data, computer files, records, object programs and source code
p. provisions for the OSP to implement security policies, procedures and controls that are at least as stringent as the FIs’
q. provisions to ensure that an audit is completed for any new application/system prior to implementation that will address FIs’ information asset protection interests. The audit should at least cover areas such as adherence to the system development and implementation life cycle, the relevant documentation supporting each cycle phase, business user (including client, where applicable) involvement and sign-off obtained on testing, penetration test outcomes for the application/system, and compliance with security policies pre-agreed with FIs
r. provisions for the sub-contracting of material outsourcing arrangements to be subject to the prior approval of the FIs and any applicable laws
2. OSP’s processes are set up and administered in accordance with FIs’ agreements/instructions.
(i) Controls should be agreed by the FIs. The nature of these controls is appropriate for the nature and materiality of the outsourcing arrangements.
(ii) Operating procedures are documented, kept current and made available to appropriate personnel.

(b) Authorising and Processing Transactions
These controls provide reasonable assurance that services of the OSP are authorised, recorded and subjected to internal checks to ensure completeness, accuracy and validity on a timely basis. Services are processed in stages by independent parties such that there is segregation of duties from inception to completion.
Table columns: ABS Control Criteria | Description of OSP’s Control | Test of Controls | Results of Tests | Auditor’s Recommendation and OSP Management’s Response/Action Plan
1. Services and related processes are authorised and recorded completely, accurately and on a timely basis.
(i) Services provided to the FIs and related automated and manual processes, including controls, are set up and administered in accordance with the FIs’ standard operating procedures (SOP) agreements/instructions.
(ii) Service procedures are documented, kept current and made available to appropriate personnel.
2. Services are subjected to internal checks to reduce the likelihood of errors.
(i) All services are recorded and checked against the FIs’ specifications as defined in documented procedures. Errors or omissions should be rectified promptly. All breaches and incidents are escalated as per the SLA.
(ii) Controls for reconciliation, error prevention and error correction mechanisms such as “Maker & Checker” should be in place for key processes.
(iii) A Management Information report should be generated as per the agreed procedure which identifies the status of the tasks performed. KPIs need to be monitored as per the agreed procedure.
(iv) For any exceptions noted, root cause analysis should be undertaken and, where appropriate, remedial actions should be implemented to prevent recurrence.
3. Services are processed in stages by independent parties such that there is segregation of duties from inception to completion.
(i) Appropriate segregation of duties should be implemented for transaction processing, as access should be based upon need to know.
(ii) Access to record, post and authorise transactions or services is restricted. Only authorised users should have access to update customer service records.
4. Sample Controls for Data Entry Services: Data entry procedures are performed in an accurate and timely manner.
(i) The mail receiving clerk date-stamps mail and client information as it is received. Each mail item is logged in a tracking sheet.
(i) (ii) Mails and client information are sent to the relevant business department and recorded. (iii) Service Supervisor reviews and approves, and initials the data entry record as evidences of review. 5. Sample Controls for Debt Collection Services Collections and monies received are posted to customer accounts in an accurate and timely manner Documented collection processing procedures are in place to guide personnel in the debt collection process. (i) (ii) Debt collection information is scanned into a document imaging application for archiving and retrieval of information. (iii) Debt collection information received from client is balanced in total to the check, wire or amount received. (iv) Debt collection information entered in the system is reviewed by the Service Supervisor before final posting. 6. (i) Sample Controls for Physical & Electronic Statement Printing Services Customer Statements are printed accurately and sent timely to participants Documented statement printing procedures are in place to guide plan administrators in statement printing process. OSPAR v1.0 – July 2015 Page 41 of 46 (ii) A statement schedule outlines when statements are required to be printed and mailed for each customer. (iii) Service Staff compare system reports to ensure that statement include the correct balance information. (iv) A log of the number of statements printed is created by the Service Staff and reviewed by the Service Supervisor to ensure that the correct number of statements was printed. (c) Maintaining Records These controls provide reasonable assurance that the OSP classifies data according to sensitivity, which determines protection requirements, access rights and restrictions, and retention & destruction requirements Auditor’s Recommendation and OSP Management’s Response/Action Plan Data are classified according to sensitivity, which determines protection requirements, access rights and restrictions, and the retention and destruction requirements. 
Policies for data classification, retention and destruction are implemented. Retention is as required by local law (governing the FIs) or as required by the FIs. ABS Control Criteria 1. (i) (ii) Description of OSP’s Control Test of Controls Results of Tests Data held with the OSP (both in physical and electronic forms) are to be stored in appropriate mediums where level of storage/ backups are determined based on the classification of data. For information/ records held in electronic storage media (including cloud based storage services), the OSP is to ensure appropriate levels of data/ record segregation exist to prevent co-mingling of data. Procedures on Retention Management of Information/ Records/ Data are to be in place. These procedures should clearly state retention guidelines and they should be based on the OSPAR v1.0 – July 2015 Page 42 of 46 classification of information held and applicable law. (iii) Procedures on Destruction of Information/Records/Data by the OSP are to be in place. These procedures should clearly state the destruction process and they should be based on the classification of information held. (iv) For terminated arrangements, the OSP is to provide the FIs with the relevant reports/documentation and evidence that demonstrates that all forms of data/records/information (both electronic and physical) held have been destroyed. (d) Safeguarding Assets These controls provide reasonable assurance that physically held assets of the OSP are safeguarded from loss, misappropriation and unauthorised use. ABS Control Criteria Description of OSP’s Control 1. (i) Physically held assets are safeguarded from loss, misappropriation and unauthorised use Physical access to the operational OSP’s office/facilities is restricted to authorised personnel. The entry to office/ facilities is through an automated proximity access card entry control system. (ii) A security system is authored to restrict access to the office/facilities after normal business hours. 
Access must be monitored 24 hours a day, 365 days a year. (iii) Physical assets (e.g. office equipment, storage media) are tagged and are assigned to custodians. Annual inventory of assets are performed. There should be procedures to manage any outdated systems and software. Test of Controls Results of Tests Auditor’s Recommendation and OSP Management’s Response/Action Plan (iv) Proper tracking and verifying of asset movement should be in place. OSPAR v1.0 – July 2015 Page 43 of 46 (v) Access rights are reviewed in accordance with relevant policies. Access rights for personnel that no longer require access must be removed immediately. OSPAR v1.0 – July 2015 Page 44 of 46 (e) Service Reporting and Monitoring These controls provide reasonable assurance that OSP’s engagement with (1) its FI clients and (2) outsourced activities with its sub-contractors (that handles material outsourcing and FIs’ customer information) are properly managed. ABS Control Criteria Description of OSP’s Control 1. (i) Outsourced activities are properly managed and monitored Establish a structure and define ongoing governance process (including SLA and KPIs) to manage and deliver its services. (ii) Establish trainings to ensure its relevant staff and sub-contractors understand the FIs’ requirements. (iii) The SLA with its FI clients and the subcontractors clearly defines the performance monitoring (i.e. includes performance measures and indicators such as system uptime) and reporting requirements. Achievements of key performance indicators (KPIs) and key risk indicators (KRIs) are tracked and monitored. The OSP arranges regular meetings with its FI clients and the subcontractors to discuss its performance. 
Test of Controls Results of Tests Auditor’s Recommendation and OSP Management’s Response/Action Plan (iv) Establish service recovery procedures and reporting of lapses relating to the agreed service standards, including processes ensuring regular exchange of information and communication of critical issues. The OSP meets its FI clients and sub-contractors to discuss issues periodically. Corrective actions and plans are prepared and agreed with FI clients and sub-contractors if performance does not meet expected service levels. (v) Conduct periodic review, at least on an annual basis on its sub-contractors. The review includes the internal risk management, management of information and deficiency or breach in the agreed service standards. OSPAR v1.0 – July 2015 Page 45 of 46 Due diligence on its sub-contractors is performed on an annual basis. This includes: a. reviewing of internal controls report, where available b. confirming that the subcontractors have appropriate IT security policies and procedures in place c. reviewing of relevant aspects outlined under MAS Guidelines and Notices relevant to the outsourced services and as agreed with the FIs. (vi) Ensure that an independent control audit and/or expert assessment of its services are conducted at least every 12 months. The scope of the audits and/or expert assessment includes the security and control environment and incident management process. A copy of the audit report should be made known to the FIs as soon as it is available. At least once every 12 months to engage an independent auditor to perform a control audit and provide the control audit report on its sub-contractors’ compliance with the internal controls standards stipulated by the OSP and the respective FIs. OSPAR v1.0 – July 2015 Page 46 of 46