CUNA Comment Letter

BITS Revised Framework on IT Outsourcing

October 28, 2003

Ms. Faith Boettger
Senior Consultant
BITS
1001 Pennsylvania Ave., N.W.
Suite 500 South
Washington, D.C. 20004

RE: Revised BITS Framework: Managing Risk for Information Technology (IT) Service Providers/td>

Dear Ms. Boettger:

The Credit Union National Association appreciates this opportunity to comment on the revised BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships (Framework). The Framework, which was originally published in October 2001, provides guidelines for selecting and managing information technology (IT) service provider relationships. To address regulatory and industry changes since that time, the Working Group has updated the Framework with further guidance for the following topics: disaster recovery; security audits and assessments; ongoing vendor management; and cross-border considerations. CUNA has been actively involved in the original Framework as well as the revision through our participation in the BITS IT Service Providers Working Group. We strongly believe the revisions make the Framework an even more helpful document for credit unions and other financial service companies. CUNA, a national trade association, represents more than 90 percent of the nation’s 10,000 state and federal credit unions.

CUNA supports the proposed revisions to update the Framework regarding requirements for risk analysis, recovery objectives, planning, testing, event management, governance and insurance, particularly in the Disaster Recovery and Business Continuity Matrix. We agree with the inclusion of high level expectations for security providers that deal with the protection of a financial service company’s information and security assets.

However, there are three changes in Section 8 (Relationship Management and Changes in the Outsourced Environment) that we would like to see implemented based on feedback from some member credit unions. Section 8.2.4 notes items to be encompassed in a formal review with service providers. In particular, it indicates that an institution should review its “Service Provider’s change-control processes, ensuring the Service Provider has processes in place to identify and access new control exposures resulting from a change.” We believe this recommendation should identify those changes that would call for a review by the institution. A minor change in a process should not trigger the need for a comprehensive review of a service provider’s change control records.

Section 8.2.4 also indicates that formal reviews should encompass a current third-party Statement of Auditing Standards (SAS) 70 report. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. Since a SAS 70 would likely cover areas such as segregation of duties, firewalls and intrusion detection systems, disaster recovery and business continuity planning and results of vulnerability assessment /penetration testing performed on its systems, it would be redundant for the institution to repeat reviews of service providers in those areas. We recommend this section clarify that it is unnecessary for institutions to perform reviews in the areas already covered in the SAS 70 report on the service provider.

Finally, the Framework should provide guidance stating that institutions should review the risks and controls involving system connectivity with service providers. Specifically, during the due diligence process, institutions should assess how the service provider systems are connected with their client institutions as well as the sharing of processes and procedures. At the annual review stage, institutions should assess whether the risks have changed regarding the transmission of data, and whether a change in controls is necessitated. For example, institutions could review a sample of transactions that have gone through the service party provider to see whether their policies have been followed.

Thank you for the opportunity to share our comments. If you have questions about this letter, please feel free to contact CUNA’s Associate General Counsel Mary Dunn or Senior Regulatory Counsel Catherine Orr at (202) 508-6736.

Sincerely,

Mary Mitchell Dunn
Associate General Counsel
and Senior Vice President

Catherine A. Orr
Senior Regulatory Counsel