Vendor Management: An Enterprise-wide Focus

Susan Orr, CISA CISM CRISC CRP

Susan Orr Consulting, Ltd.


Why Focus on Vendor Management

• Increased financial regulatory scrutiny

– GLBA and Identity Theft Red Flags Program

– Regulatory guidance

• FFIEC Statement on Cloud Computing July 2012

• FRB SR 11-7 Model Risk Management

• OCC 2011-12 Sound Practices for Model Risk Management

• FFIEC 2011 Authentication In An Internet Banking Environment Supplement

• FFIEC 2009 Risk Management of Remote Deposit Capture

• FDIC FIL 44-2008 Guidance for Managing Third-Party Risk

• OCC 2008-16 Information Security – Application Security

• OCC 2001-47 Risk Management Principles

CFPB

• Bulletin 2012-03 – Financial institutions must ensure third parties do not present unwarranted risks to consumers

– Conduct due diligence to verify provider’s ability to comply with consumer law

– Request and review provider’s policies and procedures to ensure appropriate oversight

– Set clear expectations about enforceable


CFPB

• Bulletin 2012-06

– Marketing materials for credit card add-on products are not deceptive

– Compensation does not create incentives to provide inaccurate information

– Scripts follow specific requirements and have compliance management programs

FRB SR 11-7 and OCC 2011-12

• Validation of Vendor/Third-Party Products

– Appropriate processes for selecting vendor models

• Provide developmental evidence on components, design, intended use

• Determine appropriateness for bank

– Risk assessing to determine exposures and risks

– Bank validation of use of the vendor products

– Vendor performance monitoring and analysis

– Business Continuity

Why Focus on Vendor Management

• Essential part of enterprise-wide risk management

• Emerging technology

• More reliance on outsourcing and cloud computing

Vendor Management Focus

• Bank-wide, all vendors/providers

– Develop definition for vendor/provider

– Analyze accounts payable

Key Factors of Vendor Management Program

• BOD and senior management awareness

• Prudence of outsourcing relationship

• Needs assessment

• Implementation of effective controls

• Ongoing monitoring

• Documentation of procedures, responsibilities, reporting

Program Oversight Responsibility

• Board ultimately responsible for ensuring program in place

• Who has daily oversight:

– Seems to fall in IT

– Should it be the ISO (which is usually IT)

– Should it be the risk manager

Vendor Risk Management Program Elements

• Strategic planning

• Risk Assessment

• Written Program

• Repeatable Process/Procedures

– Needs requirements

– Service provider selection and due diligence

– Contract

– Ongoing monitoring

– Continuity

Program Elements: Strategic Planning

Strategic Planning

• Integration with overall strategic objectives

– Identify role of the relationship in conjunction with business strategy and objectives

– Identify:

• Need/purpose

• Benefits

• Costs

Program Elements: Risk Assessment

Third Party Risk Assessment

• Identify all service providers and vendors = third party

• Identify risk

• Identify risk mitigation strategies

• Risk rating and ranking


Classification Factors

• Mission critical

• Access to sensitive or confidential information

• Information controlled by service provider

• Volume of transactions

• Concentration of $

• New activity for institution

• New provider

Types of Risks

• Reputation Risk – risk arising from negative publicity or public opinion

• Strategic Risk – risk arising from adverse business decisions or failure to implement appropriate business decisions or to make invalid assumptions

Types of Risks

• Operational Risk – loss from inadequate or failed internal processes, people, systems or an external event

• Transactional Risk – risk arising from problems in service or product delivery

Types of Risks

• Credit Risk – risk that those necessary to the relationship are unable to meet the terms of the contractual arrangements or otherwise financially perform as agreed

• Compliance/legal Risk – risk arising from violations of laws, rules or regulations, or noncompliance with internal policies and procedures


Other Potential Risks

• Interest rate

• Liquidity

• Market

• Foreign currency translation

• Country risk

Foreign Based Providers

• Background

• Country Risk/Ability to prosecute

• Compliance Risk

– US Laws

– Embargo

– Sanctions

– OFAC

Failure To Manage/Mitigate

• Regulatory action

• Financial loss

• Reputation issues

• Legal actions

• Impact ability to establish new or continue current customer relationships

Program Element: Written Program

Written Program

• Policy Statement

– Reason for development and implementation of the vendor management program

– Elements of the program

– Responsibilities

• Risk Management

– Description of the risk assessment process

• Selection process

– Description of the process

• Due diligence/Approval

– Description/responsibility

• Contracting

– Description of minimum contract requirements

• Oversight and monitoring

Needs Requirement

• Function or activity to be outsourced

• Purpose/need served

• Alignment with institution business objectives

• Budgeted amount

• Minimum standards and service expectations

• Minimum acceptable characteristics

• Security and control requirements

• Oversight reports

• Business continuity – strategy

• Conversion requirements/timing/support

• Training

• Contract requirement


Selection

• Due Diligence

– Financial status, audited financial statements if available

– Check references

– Legal or regulatory compliance issues

• Complaints

• Litigation

– Technology and systems architecture (specifications)

Contract Elements

• Scope of service

• Performance standards

• Security and confidentiality

• Understanding of GLBA and other applicable laws

• Controls

• Notification requirements and approval rights for any material changes to services, systems, controls (change management)

• Incident Response Plan and notification of breach

Contract Elements

• Audit

• Reports

• DRP/BCP

• Subcontracting

• Cost

• Ownership and license

• Duration

• Dispute resolution

• Limits of Liability

• Indemnification

• Regulatory compliance

• Assignment of contract

• Foreign based providers

Contract Elements

• Termination

– Types of terminations

• Normal contract expiration

• For cause

• For convenience

• For regulatory or supervisory requirements

– Ongoing Service Requirements

– Data Security and Privacy

Service Level Agreement

• Identify significant elements of service

– Processing error rates

– System up time

– System down time

– Speed of transactions

– For websites, page loading speeds

• Performance standards

– Availability and timeliness of services

– Confidentiality and integrity of data

– Change control

– Security standards compliance

– BCP

Monitoring and Oversight

• Financial statements

• Security

• Incident response

• Business continuity

• Pandemic preparedness

Types of Reports

• Patch management

• Change management

• Vulnerability assessment

• Testing

Monitoring and Oversight

• Types of Audits

– SSAE 16

– Security/Controls Audit

– Internal Audit

– AUP (Agreed Upon Procedures – Shared Assessments)

Bank Service Company Act

• FDIC supervised institutions

– Section 7(c)(2)

– Notification of Performance of Bank Services

– New servicing relationships by third parties

Supervision of Technology Service Providers

• FFIEC October 2012

– Examination program

• Examination process

• Examiner responsibilities

• Frequency

Summary

• Outsourcing does not reduce risks

• Increases the need for controls and monitoring

• Increases the oversight over third party

• Ultimately responsibility of the Board

• Regulatory requirement to have a written program


Questions????

Thank You!!!

Susan Orr CISA, CISM, CRISC, CRP

susan@susanorrconsulting.com
