IT Booklets: Outsourcing Technology Services, Appendix D: Managed Security Service Providers. MSSP Examination Procedures
NOTE: This appendix includes all of the steps in Appendix A, plus unique ones for MSSPs.
EXAMINATION OBJECTIVE: Assess the effectiveness of the institution's risk management process as it relates to the outsourcing of information systems and technology and security services, and the heightened risks specific to the outsourcing of security services to a Managed Security Services Provider (MSSP).
Tier I and Tier II Objectives and Examination Procedures are intended to be a tool set examiners will use when selecting examination procedures for their particular examinations. Examiners should use these procedures as necessary to support examination objectives.
Tier I Objectives and Procedures relate to the institution's implementation of a process for identifying and managing risks related to outsourcing functions to an MSSP.
Tier II Objectives and Procedures provide additional validation and testing techniques, as warranted by risk, to verify the effectiveness of the institution's process on individual MSSP contracts.
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the appropriate scope for the examination.
1. Review past reports for weaknesses involving outsourcing. Consider:
2. Assess management's response to issues raised since the last examination.
Consider:
3. Interview management and review institution information to identify:
Also identify:
o Material service provider subcontractors,
o Affiliated service providers,
o Foreign-based third-party providers;
Objective 2: Evaluate the quantity of risk present from the institution's outsourcing arrangements.
1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to or associated with:
Objective 3: Evaluate the quality of risk management.
1. Evaluate the outsourcing process for appropriateness, given the size and complexity of the institution. The following elements are particularly important:
2. Evaluate the requirements definition process.
3. Evaluate the service provider selection process to determine if:
4. Evaluate the process for entering into a contract with a service provider.
Consider whether:
o Appropriate MIS reporting commensurate with risk;
o Agreed-upon privileged access rights;
o Termination rights and appropriate renewal language;
o Timelines for service implementation and explicit responsibilities of the MSSP and the FI;
o The right to modify existing services performed under the contract;
o A security provision in accordance with the FI's security program; and
o Ownership of data generated by proprietary security or third-party monitoring tools owned by the MSSP;
5. Evaluate the overall governance of the MSSP program.
6. Evaluate the institution's process for monitoring the risk presented by the service provider relationship. Ascertain that monitoring addresses:
7. Review policies regarding periodic ranking of service providers by risk. The decision process should:
8. Evaluate the financial institution's use of user groups and other mechanisms to monitor and influence the service provider.
Objective 4: Discuss corrective action and communicate findings.
1. Determine the need to complete Tier II Procedures for additional validation to support conclusions related to any of the Tier I Objectives.
2. Review preliminary conclusions with the EIC regarding:
3. Discuss findings with management, and obtain proposed corrective action for significant deficiencies.
4. Document conclusions in a memo to the EIC that provides report-ready comments for the Report of Examination and guidance to future examiners.
5. Organize work papers to ensure clear support for significant findings by examination objective.
A. IT REQUIREMENTS DEFINITION
1. Review documentation supporting the requirements definition process to ascertain that it appropriately addresses:
B. DUE DILIGENCE
1. Assess the extent to which the institution reviews the financial stability of the service provider:
2. Evaluate whether the institution's due diligence considers the following:
o Experience and ability in the industry;
o Experience and ability in handling situations similar to the Institution's environment and operations;
o Shortcomings in the service provider's expertise that the institution may need to supplement in order to fully mitigate risks;
o Proposed use of third parties, subcontractors, or partners to support the outsourced activities;
o Ability to respond to service disruptions;
o Assignment of key personnel who would support the institution;
o Ability to comply with appropriate federal and state laws. In particular, ensure management has assessed the provider's ability to comply with federal laws (including GLBA and the USA PATRIOT Act);
3. Evaluate how the FI determines whether the MSSP meets its risk profile. Consider whether the FI:
C. SERVICE CONTRACT
1. Verify that legal counsel reviewed the contract prior to signing. Ensure that:
2. Verify that the contract appropriately addresses:
3. Review service level agreements to ensure they are adequate and measurable. Consider whether:
4. Review the institution's process for verifying billing accuracy and monitoring any contract savings through bundling.
D. MONITORING SERVICE PROVIDER RELATIONSHIP(S)
1. Evaluate the institution's periodic monitoring of the service provider relationship(s), including:
2. Determine if adequate in-house expertise exists to manage an MSSP relationship by evaluating:
3. Relative to contingency and event planning between the FI and an MSSP, evaluate:
4. Relative to ongoing monitoring of an MSSP relationship, the following should be considered:
o Determine if reports include status of security, incidents, business continuity plans, and financial condition.
5. Review risk rankings of service providers to ascertain:
6. Review actions taken by management when risk rankings change, to ensure policy conformance when rankings reflect increased risk.
7. Review any material subcontractor relationships identified by the service provider or in the outsourcing contracts. Ensure:
8. Determine if there is adequate coordination between the FI's security policies and the policies/practices of the MSSP. Consider whether: