Financial institutions should exercise their security responsibilities for outsourced operations through
Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution's technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under the 501(b) guidelines to ensure service providers have implemented adequate security controls to safeguard customer information. The guidelines require institutions to
In addition to the privacy requirements, financial institutions should apply the above-mentioned precautions in all technology service provider (TSP) relationships, scaled to the provider's level of access to the institution's systems or data, for safety and soundness reasons.
Financial institutions should evaluate the following security considerations when selecting a service provider:
Financial institutions should ensure TSPs implement and maintain controls sufficient to appropriately mitigate risks. In higher-risk relationships, the institution's contract may prescribe minimum control and reporting standards, ensure the right to require changes to standards as external and internal environments change, and obtain access to the TSP for institution or independent third-party evaluations of the TSP's performance against the standard. In lower-risk relationships, the institution may prescribe the use of standardized reports, such as an AICPA Statement on Standards for Attestation Engagements[1] report.
See the Third-Party Reviews of Technology Service Providers section of the IT Audit Booklet of the FFIEC IT Examination Handbook for more detailed information on this topic.
[1] For example, AICPA's SSAE-16 Type I and Type II, SOC 2 Type I and Type II, SOC 3 (Web Trust). See:
http://www.aicpa.org/_catalogs/masterpage/Search.aspx?S=soc+1