Service Provider Oversight

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Service Provider Oversight

Many institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution’s technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under the 501(b) guidelines to ensure service providers have implemented adequate security controls to safeguard customer information.

The guidelines require institutions to

  • Exercise appropriate due diligence in selecting service providers
  • Require service providers by contract to implement appropriate security controls to comply with the guidelines
  • Monitor service providers to confirm that they are maintaining those controls when indicated by the institution’s risk assessment
  • Financial institutions should implement these same precautions in all TSP relationships based on the level of access to systems or data for safety and soundness reasons, in addition to the privacy requirements

Institutions should evaluate the following security considerations when selecting a service provider:

  • Service provider references and experience
  • Security expertise of TSP personnel
  • Background checks on TSP personnel
  • Contract assurances regarding security responsibilities and controls
  • Nondisclosure agreements covering the institution’s systems and data
  • Ability to conduct audit coverage of security controls or obtain adequate reports of security testing from independent third parties
  • Clear understanding of the provider’s security incidence response policy and assurance that the provider will communicate security incidents promptly to the institution when its systems or data were potentially compromised

Institutions should ensure TSPs implement and maintain controls sufficient to appropriately mitigate risk. In higher-risk relationships the institution by contract may prescribe minimum control and reporting standards, obtain the right to require changes to standards as external and internal environments change, and obtain access to the TSP for institution or independent third-party evaluations of the TSP’s performance against the standard. In lower risk relationships the institution may prescribe the use of standardized reports, such as trust services reports or a Statement of Auditing Standards 70 (SAS 70) report.

Trust Services

The American Institution of Certified Public Accountants created two trust services, WebTrust and SysTrust, to address the risks and opportunities of information technology. WebTrust reports provide assurance related to e-commerce systems. SysTrust reports provide assurance on the reliability of systems. In each service, certified public accountants are engaged by the TSP to evaluate, test, and report on whether a system meets certain principles and associated evaluation criteria. One of those principles is security.

WebTrust and SysTrust reports differ from a SAS 70 report in many important respects. The primary difference is that the evaluation criteria are uniform for all WebTrust and SysTrust reports.

Institutions that consider using WebTrust and SysTrust reports as a part of their monitoring of service provider performance should consider whether the review criteria for security are sufficiently rigorous for the institution’s needs, whether the scope of the review is adequate for the institution’s needs, and whether additional monitoring is required.

SAS 70 Reports

Frequently TSPs or user groups will contract with an accounting firm to report on internal controls, including security, using SAS 70. SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider’s description of controls at a specific time, and an auditor’s report. The auditor’s report will provide an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.

A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor’s tests of the controls. It also provides an expanded auditor’s report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.

Financial institutions should carefully and critically evaluate whether a SAS 70 report adequately supports their oversight responsibilities. The report may not provide a thorough test of security controls and security monitoring unless requested by the TSP. It may not address the effectiveness of the security process in continually mitigating changing risks. Additionally, the SAS 70 report may not address whether the TSP is meeting the institution’s specific risk mitigation requirements. Therefore, the contracting oversight exercised by financial institutions may require additional tests, evaluations, and reports to appropriately oversee the security program of the service provider.

HORSE FACTS: Institutions should exercise their security responsibilities for outsourced operations through:

  1. Appropriate due diligence in service provider research and selection
  2. Contractual assurances regarding security responsibilities, controls, and reporting
  3. Nondisclosure agreements regarding the institution’s systems and data
  4. Independent review of the service provider’s security though appropriate audits and tests
  5. Coordination of incident response policies and contractual notification requirements

Resources

See also: Sample Third Party Security Awareness Standard