1 / 46

Vendor Management

Vendor Management. Managing your 3 rd Party Relationships Lisa Huertas Vice President Digital Compliance www.digitalcomply.com. Vendor Management – It’s no longer a choice. Our Climate What does vendor management mean today? Federal Guidelines and Expectations

brad
Download Presentation

Vendor Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Vendor Management Managing your 3rd Party Relationships Lisa Huertas Vice PresidentDigital Compliance www.digitalcomply.com

  2. Vendor Management – It’s no longer a choice • Our Climate • What does vendor management mean today? • Federal Guidelines and Expectations • Risk Classifications • What determines my risk? • How should I classify my vendors • New vs. Current Contracts

  3. Vendor Management – It’s no longer a choice • Information Request Selection • What am I supposed to get from my vendors? • Audit / Exam expectations in 2009 • NCUA Exam Questionnaire released Monday, April 14, 2008

  4. Digital Compliance, LLC • Conceived in 2003Our initial focus - providing service to: • Financial Institutions • Companies Who Provide Product/Service to the Financial Sector

  5. Digital Compliance Is the Pioneer • 857 Vendors In our system • 2500 Financial Institutions • 6 years of request and process experience! • As an independent company we do not have any affiliation hurdles

  6. The Threats are different…. A “hold up” is no longer the greatest concern. Information is king… if you can grab the data you may be able to profit from it. …individuals paying top dollar to design new types of attacks… Things Have Changed

  7. Things Have Changedcontinued. • Financial Institutions hold more information than nearly any other industry • What have you been entrusted with? • How are you protecting this information that leaves your control?

  8. Our Climate Information Security Breach On the Rise… Data loss Data stolen Systems hacked Phishing leads to information compromise Legislation to address consumer identity theft

  9. The threat has grown TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. January 2005 – December 2008: 223,756,043 PRIVACY RIGHTS CLEARINGHOUSE Data loss: 8.3 million records alone in Q1 2008 Heartland Payment System’s Breach largest on record – 2009 Identity Fraud Survey Shows ID Theft up 22% The 2008 Toll: 9.9 Million People, $48 billion

  10. The scope has grown Federal Trade Commission For seven years in a row, identity theft tops the list, accounting for 36 percent of the fraud complaints consumers have filed with the agency

  11. Internet Fraud In the United States alone, victims of reported Internet fraud lost $239 million in 2007, with average losses running about $2,530 per complaint recorded by a special Web-based hot line operated by the FBI and the National White Collar Crime Center, a nonprofit corporation focusing on electronic crime. Maturing Data for future use!

  12. Consequences • Consumer Confidence Declines • Data-Security Laws Sprout In Wake of Breaches • Lawsuits already in motion • NCUA, Governing Bodies Respond NCUA Letter to Credit Unions 07-01 NCUA Letter to Credit Unions 08-CU-09Evaluating 3rd Party Relationships Questionnaire NCUA Letter to Credit Unions08-CU-19

  13. NCUAControl Systems and Reporting …. Credit Unions are ultimately responsible for establishing internal controls and audit functions reasonably sufficient to assure them that third parties are appropriately safeguarding member assets, producing reliable reports, and following the terms of the third party arrangement.  Additionally, credit unions should tailor internal controls as necessary to ensure staff observes policy guidance for third party relationships.  Examiners should ensure credit unions have on-going risk management procedures with regard to any material third party relationship.

  14. NCUA Internal PrivacyWhat Do Your Members Know? NCUA Initial privacy notice to consumers required. Initial notice requirement. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to: Member/Consumer no later than when you establish a member relationship before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party How small is your print??

  15. What Can You Do To Manage The Risk When Outsourcing Review the federal expectations FFIEC Guidelineshttp://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html NCUA Exam Questionnaire:http://www.ncua.gov/letters/letters.html

  16. NCUA Exam Questionnaire3rd Party Relationships (10 sections) Background Credit Union Policy and standards when entering into a 3rd Party Relationship

  17. NCUA Exam Questionnaire3rd Party Relationships Planning/Risk Assessment Risk Expectations Staff Expertise Cost Membership Impact Exit Strategy

  18. NCUA Exam Questionnaire3rd Party Relationships Planning/Risk Assessment Has the credit union evaluated the costs of monitoring and providing support to the third party program (i.e., staffing, capital expenditures, communications, and technological investment)? Are Credit Unions monitoring their third party relationships?

  19. NCUA Exam Questionnaire3rd Party Relationships Planning/Risk Assessment Financial Investment/Benefits from outsourcing to 3rd party relationships

  20. NCUA Exam Questionnaire3rd Party Relationships Due Diligence - Background Check Pre-Contract3rd Party experience, referrals, qualifications Business Model, Financials

  21. NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Contract Issues and Legal Review (i)Data security and member confidentiality (including testing and audit);

  22. NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Contract Issues and Legal Review (j) Business resumption or contingency planning;

  23. NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Contract Issues and Legal Review (m) Compliance with regulatory requirements (i.e., Gramm-Leach-Bliley Act (GLBA), Privacy, BSA, etc.)

  24. NCUA Exam Questionnaire3rd Party Relationships Due Diligence – Accounting Considerations

  25. NCUA Exam Questionnaire3rd Party Relationships Risk Measurement, Monitoring and Control Has the credit union assigned appropriate staff to oversee the third party relationship to monitor performance and compliance with contracts?

  26. NCUA Exam Questionnaire3rd Party Relationships Does the credit union’s policies appropriately address the third party relationship?“Credit Unions which outsource products and services must continue to maintain adequate controls over these functions.”

  27. NCUA Exam Questionnaire3rd Party Relationships Controls over Member Data Does the communication method ensure member data is protected? How does the credit union communicate with the third party? Email in/out box

  28. Where Are YOU Today? Do you have a Program Today?Where Do you Start?Where Do you Finish?

  29. Which Vendors? Rule of thumb – Risk Classification • Require full due diligence reviews for any vendor that has access to: • Member Information • Employee Data • Institution Networks • Or for any vendor that provides services critical to maintaining operations

  30. Core Processors Internet Banking/ Bill Payment/ Brokerage/ Cash Management/ Etc Providers Credit/Debit Card Processors Check Printers Statement Printers Network Security Consultants ATM Networks Network Security Providers Web Site/Email Hosts CRM Providers MCIF Providers Credit Bureaus Payroll Processors Etc. Highest Risk Vendors

  31. Critical To Operations • Some suggested vendors that may be critical to the operation of an institution • Telecommunications/Network Providers • IT Providers • Software Providers (i.e. loan/deposit/acct/etc.) • One patch away from disaster….

  32. Request Tug of War Knowing What You Need Vs. Providing What You asked for!

  33. Where Do I start? Understand Where You Are Today! • Product/Service/Vendors you do business withDo you have a classification system in place? If so, how are your vendors classified? If not, what is the defining line? • What due diligence is required for each vendor * is there a list? • How are my Third Party relationships managed? Who won the vendor management lotto this year? • What documentation you have requested/received in the past?Success/difficulty your institution has had How does our information stack up? • IS THERE HELP?

  34. Compliance Classification Mission Critical Classification Compliance Classification

  35. The List? Vendor Compliance Request List • Corporate contact information • Listing of products and services provided to client. • Listing of pertinent data center locations where client’s data is stored, processed, and/or located in physical or electronic form • Annual report or audited financial report • Business insurance certificate, including, but not limited to General Liability, Errors & Omissions

  36. The List? 6. Client Confidentiality Agreement and/or Privacy Policy 7. Human Resource Policies & Procedures, including, but not limited to: Background Checks Employee Confidentiality Termination Procedures as they relate to physical and data security 8. Information Security Policies and Procedures, including, but not limited to: Physical Security Environmental Controls 9. Logical Security Policies and Procedures, including, but not limited to: User ID and Password Access Authentication Access Rights Authority Levels Data Back-up

  37. The List? 10. Infrastructure Change Management and Control Policies and Procedures, including, but not limited to: Planning Oversight Project Management Testing Implementation 11. Records Management Policies and Procedures, including, but not limited to: Electronic and hard-copy (paper) formats Retention Policies Destruction Procedures

  38. The List? 12. Infrastructure Incident Response Policies and Procedures, including, but not limited to: Security Breach Virus or Network Attacks Data Tampering Unauthorized Access 13. Network Penetration Testing Results, to include: Date of Most Recent Test Noted Exceptions Exceptions Addressed Date of Next Test i.e. Cybertrust, TruSecure, other Certifications 14. High-Level Network Diagram Illustrate or describe firewall protection, not to include IP addresses

  39. The List? 15 Business Continuity and/or Disaster Recovery Policies and Procedures (Executive Summary) 16 Disaster Recovery Testing Results, to include: Date of Most Recent Simulation Noted Exceptions Exceptions Addressed Date of Next Simulation 17 Related maintenance contracts covering hardware and software, including, but not limited to: Contracts with third-party technology providers that keep infrastructure operational and functioning

  40. The List? 18 Related Vendor Service Level Agreements (SLAs) –Please identify anythird-party relationships engaged to facilitate, service, maintain or impact the product or service provided our Credit Union 19 All relevant SAS 70 review documentation

  41. Documentation Review IF I GET it, I have to READ it? Maintain, Update, ReviewWhat is your vendor update cycle? How often do they test? Were there exceptions? Were they fixed?

  42. What Is Your Response? Proactive vs. Reactive Is there Help? Software Consultants Digital Compliance

  43. What is VCMS?? • A single point and click source to access complete vendor compliance packages in mere seconds. • Gathering, receiving, documenting, digital conversion, updating and secure access to your vendor compliance documentation.

  44. Tailored Request List A tailored approach to the request list Asking for documentation that makes sense for the product/service provided

  45. VCMS Financial Process Discovery Authorization Request/Receipt Document Review, Report, Notify Digital Upload Access Reporting Update/Manage Renewal

  46. Questions? Lisa Huertas Vice President, Vendor Solutions Digital Compliance, LLC www.digitalcomply.com lhuertas@digitalcomply.com 406-325-9737

More Related