Managing Technology Risk When You Outsource
by Cynthia A. Bonnette, Managing Director, Technology Risk Assessment Services
Technology risk management is a complex process. The fact that technology is an enabler for numerous business processes and functions throughout the bank requires that risks be assessed and managed strategically. Information technology plays an essential role in gathering, processing, and storing data, and for a bank to identify and prioritize its vulnerabilities, a comprehensive overview of its systems, networks, and applications must be undertaken. Therefore, the first step in managing technology risk is to determine where critical data resides and how it moves throughout the bank's various systems. Once the data flows and system designs are defined, the adequacy of existing controls and security programs can be evaluated.
Developing a comprehensive overview of systems, networks, and applications is challenging enough for a bank that manages all of its information in-house. But how can such an assessment be conducted when the bank outsources some or all of its systems and applications to one or more service providers?
Outsourcing as a risk management technique
When deciding to engage in new business lines, services, or processes, bank management must carefully evaluate the bank's ability to provide the necessary expertise and resources to support the activity. In the case of information systems and technology services, the requirements are often beyond the capabilities of many institutions and may not represent a core competency. Therefore, outsourcing may represent the most cost-effective and feasible way to engage in a particular activity.
Outsourcing may also represent the best way to ensure that appropriate security and controls are in place to protect information systems and data when the bank lacks the ability to establish and support these controls in-house. Therefore, the decision to outsource a function can represent a risk management technique by ensuring that necessary safeguards are in place.
Dependence on service providers
Technology outsourcing has become increasingly commonplace for banks of all sizes. However, by turning over the operation of certain systems and applications to a third-party service provider, bank management has also given that company a role in the bank's risk management process. By design, an outsourcing arrangement results in the loss of direct control over the system's operation; however, it does not relieve the bank of its risk management responsibilities.
Specifically, when outsourced functions involve the transmission, storage, or processing of critical or sensitive data, the bank must ensure that appropriate controls are in place at the service provider. While the bank is dependent upon its service provider to establish and maintain appropriate programs for security and internal controls, bank management should play an active role in evaluating and overseeing these programs.
Assessing risk in outsourced activities
Evaluating risk in outsourced activities is initially similar to evaluating risk in activities conducted in-house. The process begins with an assessment of the data or applications involved and their criticality to the bank's business operations. An information
Understanding the relative importance of the information will clarify the related requirements for its availability, integrity, and confidentiality. Bank management must ensure that the security and controls in place with the service provider are appropriate given the relative importance of the data or applications with which they are entrusted.
Whenever the bank considers linking its information systems to those of another party (a service provider, partner, or customer), there are important security implications to consider. Any direct connection (e.g., linkage of networks or creation of an extranet or virtual private network) requires that appropriate controls be in place to guard against unauthorized access or the introduction of viruses or malicious content. Effectively, by connecting the systems together, the vulnerabilities of one can contribute to a compromise of the other. Indirect connections (e.g., transfer of data by disk) also require controls to ensure that data leaving or entering the bank's system is accurate and only accessible by authorized individuals.
There are several steps that bank management can take to evaluate the risk management practices and controls in place with their service provider. Then, armed with this knowledge, the bank can determine whether the outsourced relationship makes sense for the institution in the context of its risk management needs. If not, the bank can consider other service providers or explore the possibility of moving the activity in-house.
Ideally, the evaluation of the service provider's risk management practices should be conducted during the due diligence process, prior to entering into a contractual relationship. However, periodic reviews are also important to ensure that adequate controls remain in place even after a contractual relationship has been established. Updated reviews are particularly important if significant changes have occurred such as a merger, management turnover, financial difficulties, or system modifications.
The evaluation of security policies and practices often represents an area of significant tension between service providers and bank clients. While bankers may ask for and expect to obtain specific details about the service provider's security techniques (e.g., firewall settings, intrusion detection software, etc.), many service providers consider this information proprietary and confidential. Service providers are often reluctant to share information that they believe could lead to a compromise of their security. However, common ground may be found by agreeing to accept independent security reviews that document the adequacy of controls without providing explicit details. Furthermore, confidentiality agreements and non-disclosure provisions may also help to ease the tension between parties on this subject.
Bank management should also check references and credentials for the service provider, with a particular view toward how the company handled security incidents or other problems in the past. The willingness of the service provider to discuss security and produce supporting documentation is a clear indicator of their strength (or weakness) in this area. The financial condition of the company is also a factor to consider in evaluating risk management. Weaknesses in financial strength often lead to cutbacks in staff and other resources that may ultimately result in loosened controls and heightened vulnerability of bank data.
Managing risk in outsourced activities
Having invested the time and energy in the due diligence process to select a service provider with the expertise, qualifications, and financial stability necessary to perform the outsourced functions in a secure environment, bank management must also take steps to ensure that appropriate risk management processes remain in place. This is where contractual provisions and service level agreements are helpful tools to manage future performance.
The bank and the service provider must have a common understanding regarding the sensitivity of the data and expectations for its treatment in terms of confidentiality, availability, and integrity. Depending on the nature of the service provided and the criticality of information involved, the following should be addressed in the contract terms or service level agreement between the bank and service provider:
- Minimum security standards. These may be based on the bank's own minimum standards or common industry benchmarks.
- Requirements for periodic vulnerability tests and security assessments. A general summary of the results and follow-up action should be provided to the bank.
- Notification of security incidents. This provision should include a definition of what constitutes a relevant "incident," set specific time frames for notice, and designate whom to notify.
- Specific parameters for addressing problems. This provision specifies criteria for escalating an incident to "problem status" and sets time frames for reporting and resolution.
- Periodic audited financial statements.
- Provision that information security standards will be maintained consistent with the requirements of the Gramm-Leach-Bliley Act, Section 501(b).
- Provision that the service provider institute and maintain a privacy policy that is consistent with that of the bank.
- Right to audit clause that permits the bank, or its designee, to conduct an onsite audit of the service provider's operations.
- Independent reports of internal control (e.g., SAS 70 reports) for the location where the bank's data or applications are being managed. This provision should specify the frequency of reports, their scope, and independence of the auditor.
Other important steps that bank management can take to effectively supervise the risk management practices of their service providers include regular communication with the company and participation in users groups. The bank should also closely monitor the service provider's performance relative to contract terms and the service level agreement. Audit reports, security assessments, and financial statements should be obtained in a timely manner and reviewed for any significant weaknesses or changes from prior reports. The service provider should be required to report on any corrective action taken in response to a material concern.
Complex service provider relationships
Often, oversight of risk management and security programs for outsourced activities is further complicated by multiple service provider relationships. It is increasingly common for teams of service providers to work together to offer a comprehensive package of services. Managing risks in such an environment requires a full understanding of the hand-off points between service providers and clear designation of responsibility at each transition point.
Complex relationships with multiple service providers can result from the bank's decision to contract with additional partners or they can result from sub-contracting arrangements made by existing service providers. Therefore, bank management may wish to include a contract provision requiring notice, and possibly approval, of significant sub-contractors.
The decision to outsource technology services should be predicated on an understanding of how the involvement of a third party will impact the bank's risk management program. Both the bank and the service provider must have a common understanding of the criticality of the data involved and expectations for confidentiality, availability, and integrity.
Bank management should include a comprehensive assessment of the service provider's ability to maintain appropriate security and controls in the due diligence process. In addition, fundamental requirements should be incorporated into the contract and performance should be closely monitored. While the premise of outsourcing involves extending data and applications outside the institution, the bank's involvement in risk management must travel with its information assets.
M ONE, Inc. is a bank technology consulting firm that specializes in helping mid-size financial institutions develop strategic technology solutions to interact more effectively with customers and business partners. M ONE also offers technology risk assessment services that assist banks in evaluating their information security programs and addressing relevant vulnerabilities and threats. Information security education programs and materials for bank directors, management, and employees are also available. Visit www.moneinc.com for further information.
First published on BankersOnline.com 4/22/02