Outsourced Systems
Management is responsible for ensuring the protection of institution and customer data, even when that data is transmitted, processed, stored, or disposed of by a service provider. Service providers should have appropriate security monitoring based on the risk to their organization, their customer institutions, and the institution's customers. Accordingly, management and auditors evaluating technology service providers (TSPs) should use the guidance in this booklet in performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the service provider's activities through review of timely audits and test results or other equivalent evaluations.