Interview Notes

Technology
Name & Title
Contact Information
Departmental Structure
Size of Department
Process and Procedures
Checks and Balances
Disaster Recovery Process Flow
Technology Oversight and Internal Controls

7. Financial Persons
Name & Title
Contact Information
Accounting and Finance Departmental Structure
Size of Department
Process and Procedures
Checks and Balances
Internal and External Oversight and Controls
Auditor (and Auditor Report)
Financial Statement Review
Sample Reconciliation Reports
OnsiteMN_7/2012_Draft

Due Diligence Officer Summary Analysis (to be completed internally)
Due Diligence Officer Name: ____________________ Date Analysis Completed: ____________
Outsourcing Due Diligence Form 1
OUTSOURCING DUE DILIGENCE FORM
SERVICE TO BE OUTSOURCED
1. Type of service to be outsourced:
Accounting/Finance: _____________________ Compliance Consulting: _______________________
Legal Services: _________________________ Administrative Functions: ______________________
Information Technology: __________________ Operations/Support Functions: __________________
Other: _______________________________________________________________________________
2. Is this service essential to the operation of the Firm (e.g. transaction order entry; custody and prime brokerage; services designed to promote rapid recovery of operations, etc.)? Yes No
APPROPRIATENESS OF OUTSOURCING
1. Potential impact on Firm if service provider fails to perform:
Financial Impact: High Medium Low N/A
Reputational Impact: High Medium Low N/A
Operational Impact: High Medium Low N/A
Customer Service Impact: High Medium Low N/A
Potential Losses to Customers: High Medium Low N/A
Comply with Regulatory Requirements: High Medium Low N/A
Costs to Firm: High Medium Low N/A
Degree of Difficulty Replacing Service Provider: High Medium Low N/A
Comments:
2. Is there an affiliation or other relationship between the Firm and the service provider? Yes No
If yes, please describe the relationship and any potential conflicts of interest:
3. Is the service provider a regulated entity subject to independent supervision? Yes No
If yes, name of regulator: __________________________________________________________________
SERVICE PROVIDER INFORMATION
Contact Name(s): ________________________________________ CRD # (if applicable): ______________
Phone: _____________________ Fax: ________________ Website: _______________________________
2. Is the service provider owned/controlled by a Parent Co.? Yes No
If yes, name: ________________________
3. Personnel:
Approximate # of employees: _______
Does the service provider hire independent contractors? Yes No
4. Background Information:
How many years has the service provider been in business? _____________
How many years has the service provider provided the outsourced function? __________
Is the service provider known to the Firm or employees of the Firm? Yes No
If yes, please name the individual(s) and describe any prior experience each had with the service provider:
_______________________________________________________________________
_______________________________________________________________________
DUE DILIGENCE
1. What methods did the Firm use to verify the service provider's information? (Choose all that apply.)
FINRA Public Disclosure
SEC Public Disclosure
Form BD/ADV
Business Plan
Policies Manual(s)
Financials
Internet Research
Credit/Background Check
Media/News Reports
10K
Personal Interviews
Onsite Inspection
Entity Formation Documents
Independent Research
Personal Referral
RFP
Marketing Materials
Sales Materials
Other:
__________________________________________________________________________________
Does the Firm maintain evidence of the above methods used to verify the service provider's information (e.g. copies of documents reviewed; notes from personal interviews and onsite inspections; printouts from public disclosure sites, etc.)? Yes No
If yes, please identify where this evidence is maintained:
_______________________________________________
2. Please list one or more qualified references; firms that use this service (if contacted personally, identify the name of the contact and the result of the contact):
3. Please describe the background and experience of individuals who will be performing the services:
4. Based on your review of the information, have the service provider and/or its principals been subject to any regulatory, criminal or civil disciplinary issues? Yes No
If yes, please describe:
5. Based on your review of the information, please describe the service provider's ability and capacity to perform the outsourced activities effectively, reliably, and to a high standard (include in your description relevant technical, financial, human resources, and/or other assets of the service provider):
6. Does the service provider have a business continuity plan? Yes No If yes, review a copy of the plan and comment on its adequacy:
7. Is privacy and protection of non-public information a factor in outsourcing? Yes No
If yes, comment on the adequacy of the service provider's measures for safeguarding non-public information:
8. After reviewing the information, are there any questionable issues or potential conflicts of interest?
Yes No
If yes, please describe:
CONTRACTS AND AGREEMENTS
1. Has (or will) the Firm entered into a written agreement with the service provider? Yes No
If yes, please identify the relevant provisions and disclosures in the contract (choose all that apply):
Provides for Firm and regulator access to records
Firm and client confidentiality
Limitations on service provider's ability to sub-contract
Payment arrangements
Defines responsibilities of all parties subject to contract
Provides quality-of-service measures
Defines how responsibilities will be monitored
Guarantees and indemnities
Liability for unsatisfactory performance or other breach
Information security provisions
Requirement to maintain a disaster recovery plan
Disclosure of breaches in security
Time Commitment (Termination Date): _________________________________________________________
Other relevant provision(s):
________________________________________________________________
2. Was the written agreement reviewed by the Firm's legal counsel? Yes No N/A
If yes, name of legal counsel: ___________________________
Date of Review: _____________________
3. Was the written agreement reviewed by the principal responsible for outsourcing functions?
Yes No
If yes, name of principal: ____________________________ Date of Review: ________________
OVERSIGHT AND PERIODIC REVIEW
1. List the name and title of the Firm Principal who is responsible for the periodic oversight and review of the outsourced service: ________________________
2. Please identify the individual(s) who will monitor the outsourced service if different from above.
________________________________
3. Please identify the tools that will be used to monitor the outsourced service:
Service delivery reports prepared internally
Service delivery reports supplied by the service provider
Publicly available resources
Performance levels established in written agreement
Internal auditor
External auditor
Onsite inspection
Attestations by service provider
Other:
__________________________________________________________________________________
4. Frequency of monitoring: Daily Weekly Monthly Quarterly Annually Other
______________________________________________________________
5. If deficiencies are found, are there procedures in place to respond to such deficiencies (e.g. communicate with the service provider; terminate the contract)? Yes No
DOCUMENTATION REVIEW AND APPROVAL
1. Individual(s) responsible for completing this due diligence review:
a. ____________________________________________
b. ______________________________________________
c. ______________________________________________
Firm Principal: I have reviewed the information contained in this Outsourcing Due Diligence Form and:
The Firm has elected to use the service provider above.
The Firm will not use the service provider above.
_______________________________________ ____________ _______________________________
Principal Signature Date Printed Name of Principal
Section x IS Security Policies mm/dd/yy-Effective mm/dd/yy-Revised
Policy Checklist
Information Services -Author IS Policy Checklist.doc

Columns: Required | Published | Approved (Date, By) | Adopted | Communicated | Revised

Acceptable Use: <Yes / No> | <Date> | <Date> <By> | <Date> | <Date> | <Date>
Account Management
Admin/Special Access
Business Continuity Planning
Change Management
Data Encryption
Incident Management
Intrusion Detection
Network Configuration
Network Access
Passwords
Physical Security
Portable Computing
Privacy
Security Monitoring
Security Training
Server Hardening
Vendor Access
Virus and Malware Protection
Analysis Matrix
Columns: Security Element | Industry Best Practice | Location | Last Revision Date | Implementation

IS Program
  Program Development and Evaluation Process
    Best practice: Documented development process for the continual updating and review of security policies and procedures and compliance. Includes a process for the continuous review and measurement of policy effectiveness.
  Responsibilities and Roles
    Best practice: Documented policies that define the roles and responsibilities of system administrators and their relation to the computer systems and network infrastructure in their care.
  Security Training
    Best practice: Awareness and training program in information security and the protection of information resources for personnel who come in contact with sensitive resources.
    Location: Security Training Policy

Change Management
  Software Updates
    Best practice: Policies and procedures for the monitoring of patch and vulnerability information sources, their review, remediation, and the creation of new baseline information for updated systems.
    Location: Change Management Policy; Server Hardening Policy

Access Policies
  Acceptable Use
    Best practice: Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users.
    Location: Network Access Policy; Acceptable Use Policy
  Account Management
    Best practice: Documentation requiring standards and procedures for the creation, distribution, and revocation of user accounts.
    Location: Account Management Policy
  Passwords
    Best practice: Documentation requiring standards and procedures for the composition, creation, distribution, use, and revocation of passwords.
    Location: Password Policy
  Internet Access
    Best practice: Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users.
    Location: Acceptable Use Policy
  E-Mail Access and Use
    Best practice: Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users.
    Location: Acceptable Use Policy
  Voice Mail Access and Use
    Best practice: Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users.
    Location: Acceptable Use Policy; Special Access Policy
  Secure Gateways
    Best practice: Implemented, documented, and maintained gateways that implement security policy.
    Location: Network Access Policy; Network Configuration Policy
  Vendor Access
    Best practice: Review vendor access and safeguarding agreements.
    Location: Vendor Access Policy

Monitoring and Incident Management
  System Security Tools (Intrusion Detection; Security Monitoring; Virus Detection)
    Best practice: The use of audit controls and tools to periodically review security compliance.
    Location: Security Monitoring Policy; Intrusion Detection Policy
  Escalation Procedures (Incident Reporting; Incident Handling; Incident Investigation)
    Best practice: Response plan for handling and resolving security incidents.
    Location: Incident Management Policy

Hardware Management Policies
  Portable Computing
    Best practice: Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users.
    Location: Portable Computing Policy
  Equipment
    Best practice: Computer equipment is maintained in accordance with manufacturers' recommendations. Records of faults or suspected faults are maintained. Critical systems are under maintenance contract in proportion to their significance.
    Location: Server Hardening Policy

Data Protection Policies
  Data Encryption
    Best practice: Policies regarding encryption of data in transit and in storage.
  Privacy
    Best practice: Documentation establishing responsibility and appropriate measures for protecting private and personally identifying information. Minimum efforts may be required by legislation.
    Location: Privacy Policy
  Business Continuity Planning
    Best practice: Documentation establishing responsibility for policies, procedures, and mechanisms for the creation, testing, and revision of contingency plans for business-critical systems.
    Location: Backup/Disaster Recovery Policy
  Data Retention
    Best practice: Documented policies and procedures for the archival and retention of sensitive data.
  Backup
    Best practice: Policies, procedures, and mechanisms for the archival, retention, and recovery of data. Periodic testing of recovery schemes.
    Location: Backup/Disaster Recovery Policy
  Off-Site Backup
    Best practice: Copies of backup media and logs are stored off-site in a secured facility on a regular basis. Policies and procedures exist governing the transfer and handling of media.
    Location: Backup/Disaster Recovery Policy
  Disposal of Sensitive Data
    Best practice: Documented policies and procedures for the destruction of media containing sensitive data.

Physical Security
  Basic Physical Security
    Best practice: Controlled building access; mandatory access controls for information systems; policy for use of controls and penalties for non-compliance.
    Location: Physical Security Policy