CUNA Regulatory Comment Call
October 14, 2003
BITS Framework on Outsourcing Technology
- The Banking Industry Technology Secretariat (BITS), the technology arm of the Financial Services Roundtable, issued industry guidelines in November of 2001 for selecting and managing information technology (IT) service provider relationships. CUNA has been actively involved in the BITS IT Service Providers Working Group as well as the Working Group's Education and Awareness Subcommittee. The BITS Framework for Managing Technology Risk for Information Technology (IT) Service Provider Relationships (Framework) is designed to provide guidelines for control, design and management practices where IT services are under consideration for outsourcing or have already been outsourced. The document can be very useful for the large number of credit unions that regularly use vendors for their technology needs.
- While the original Framework provides an industry approach to outsourcing, additional regulatory and industry pressures and issues have since emerged. To address these changes, the Working Group has updated the Framework with further considerations for the following topics: disaster recovery; security audits and assessments; ongoing vendor management; and cross-border considerations.
- The Framework addresses the regulatory, business and technology risk aspects of financial services companies' relationships with service providers. The Framework is intended for consideration in conjunction with an institution's overall risk-management program; the recommendations in the Framework are to be applied selectively based on an institution's risk-assessment results. The Framework is not meant to be an audit checklist but to be used as a guiding document and set of criteria against which IT service provider relationships can be effectively evaluated and managed.
- Comments on the Framework are due by October 28, 2002. Please submit your comments to CUNA by October 24, 2003.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at email@example.com or to Senior Regulatory Counsel Catherine Orr at firstname.lastname@example.org; or mail them to Mary or Catherine c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Ave., N.W., South Building, Suite 600, Washington, D.C. 20004-2601. You may contact CUNA if you would like a copy of the proposed revisions to the Framework or you may access it on the Internet at the following address:
SUMMARY OF THE PROPOSED REVISED GUIDANCE
GENERAL OVERVIEW OF THE FRAMEWORK
The Framework is divided into the following 9 sections:
- Section 1 provides an overview of the steps a financial institution should take in evaluating a decision to outsource IT services.
- Section 2 provides guidance on which factors management should consider in making a decision to outsource IT services.
- Section 3 enumerates factors to consider in developing the internal control, backup, and recovery requirements for a request for proposal (RFP) for IT services.
- Section 4 addresses verification (due diligence) of how the service provider delivers the requirements specified in Section 3.
- Section 5 covers contractual, service level, and insurance considerations.
- Section 6 discusses procedures supporting specific controls, requirements, and responsibilities of the institution and provider.
- Section 7 addresses transition planning issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.
- Section 8 provides guidance on ongoing relationship management issues, including changes in the outsourced environment.
- Section 9 provides recommendations for those areas that should be addressed by an institution when embarking on an offshore relationship.
DISASTER RECOVERY/BUSINESS CONTINUITY PLANNING
- The Framework has been updated to include disaster recovery/business continuity planning considerations, which are mentioned throughout the Framework and summarized in Appendix 5 (Disaster Recovery/Business Continuity Matrix). According to the Framework, at each stage of the selection and management process, institutions (receiver companies) and service providers should establish requirements for risk analysis, recovery objectives, planning, testing, event management, governance and insurance.
- The following are the significant planning considerations noted in the Matrix:
- In making the business decision to outsource, institutions should consider how the relationship will affect its disaster recovery/business continuity plans or any related products or services.
- The RFP should require documented continuity plans and supporting recovery strategies. The plans should consider recovery of activities supported by dependent service providers. A periodic maintenance cycle is required, not to exceed 12 months.
- When conducting due diligence review of a service provider, the institution should examine the lists of threats from possible internal and external sources identified by the provider, along with the assessment of impact and probability of those threats. The institution should verify that the provider has introduced controls to mitigate those identified threats, including doing the following:
- Reviewing the written recovery plan to ensure that it is updated annually and that copies are stored at the recovery site as well as additional secure locations.
- Examining the plan for coverage of: remote command center; recovery site; staff relocation plans; recovery teams with defined tasks; critical third parties; and activation/notification methods.
- Verifying that adequate geographic separation exists between the provider's primary facility/facilities and storage site(s).
- Verifying that network documentation is maintained for production and recovery configurations.
- Determining if processing can be accomplished from the recovery site using normal production processes.
- The contract with the service provider should require evidence of a written disaster recovery/business continuity plan and include requirements for updating the plan. The service provider should provide the institution with proof of business continuity plans that address any outage that would affect the service provider's ability to provide service to the institution. The plans should include defined strategies for: standby and workaround procedures; production failures, facility shutdowns, personnel shortages or reduced staff; supply-chain issues; impact on members/customers; and work backlog. Procedures for returning to normal operations should also be included as part of the plan.
- Institutions should verify that controls are in place for the storage and handling plans, including records management and offsite storage.
- With regard to the transition planning issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services, the institution should expect to maintain its existing disaster recovery and business continuity plans and resources until after verification that the service provider is fully operational. The institution should verify that the service provider is documenting appropriate disaster recovery and business continuity plans.
- In terms of ongoing relationship management, the institution should verify that established recovery service levels are being met and exceptions are being documented, with actions taken accordingly. The institution should verify that business continuity/disaster recovery plans are maintained annually and/or updated following major system enhancements.
SECURITY AUDITS AND ASSESSMENTS
- The second area in which the Framework has been updated involves security audits and assessments. The Working Group has developed an Expectations Matrix to give service providers an outline with which to document their practices, processes and controls in relation to industry and regulatory requirements. High-level expectations for each control area from the Expectations Matrix appear in Appendix 6 (Security Assessment Expectations Matrix: High-Level Expectations). Appendix 6 strongly recommends that all service providers establish and adhere to a written comprehensive set of information security documents, which acts as the rules and guidelines for dealing with the protection of information and security assets.
- The Appendix lays out the following areas that should be covered in those information security documents:
- Organizational Security: Service providers should have and adhere to a policy to control third-party access to the institution's information or information system, including logical and physical access.
- Asset Classification and Control: Service providers should have an appropriate asset-control policy structure, including appropriate ownership, management, licensing and other controls, addressing the following asset types: information assets; software assets; physical assets; and services.
- Personnel Security: Service providers should have and adhere to policies and procedures in place to perform background checks for those individuals who will be administering systems or have access to the institution's information. These policies should ensure that personnel responsible for the design, development, implementation and operation are qualified to fulfill their responsibilities. All employees and contractors should be aware of procedures for reporting different types of security incidents.
- Physical and Environmental Security: The service provider's business information processing, storage or distribution facilities should be housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls.
- Communications and Operations Management: Service providers should develop appropriate operating instructions and change control and incident-response procedures for all information-processing facilities. This includes: system planning and acceptance; protection against malicious software; routine backup procedures; network management; media handling and security; and exchanges of information and software.
- Access Control: The access-control policy of service providers should employ methods designed to physically and logically restrict access to equipment, ensure the identification and authentication of individuals who access computing resources, and restrict an individual's access to information once the individual has accessed a system.
- Systems Development and Maintenance: Service providers should establish and adhere to a process for developing secure infrastructure, systems and/or applications, including using internationally or nationally accepted cryptographic controls.
- Business Continuity Management: Service providers are expected to have comprehensive business continuity plans, including having technology solutions that ensure recovery of services to the institution. These plans should be tested at least annually, and the results of the tests should be made available to the institution.
- Compliance With Legal Requirements: Service providers should establish and adhere to policies to ensure compliance with applicable legal and regulatory requirements, including agency legal opinions and guidelines. Based on the risk assessment of the services to be outsourced, an annual service provider assessment by an independent auditor or assessor, including testing of controls and onsite testing and validation, may be required.
ONGOING RELATIONSHIP MANAGEMENT
- The third area in which the Framework has been updated involves ongoing relationship management. Section 8 (Relationship Management and Changes in the Outsourced Environment) has been considerably enhanced from the original version. The revision suggests that a formal vendor management program should be established to ensure there is a consistent approach throughout the organization through the implementation of corporate policies, procedures, tools and training.
- An effective vendor management program takes into account the following considerations:
- A vendor management policy or series of policies defining organizational and regulatory expectations and requirements for establishing and maintaining the institution's outsourcing relationships should be in place. The policy or series of policies should be supported by procedures that identify requirements for establishing a business case, defining risk, conducting assessments and feasibility studies, performing vendor selection and due diligence, assigning organizational responsibilities, contract development and ongoing oversight of the outsourced activities.
- The institution should ensure that proper resources are assigned to oversee the outsourced service with key departments represented and with responsibility for oversight clearly defined between business units.
- The institution should establish a process for properly maintaining vendor contract files.
- The contract-management process should include functionality to notify management of the following events: scheduled risk assessments; scheduled performance reviews; scheduled financial reviews; contract reviews, contracts due for renewal, and contracts about to expire.
- Institution management should conduct oversight planning of the service providers before a new provider contract is executed. Oversight planning includes all activities involved in identifying, defining and negotiating the levels of service expected in a vendor relationship prior to signing a contract or agreement -- review of SLAs and reporting requirements, review of change control requirements, and review of notification requirements.
- Institution management should conduct day-to-day oversight of the service provider(s).
- Significant events at the service provider or the institution may affect the outsourcing relationship. These events can include: business changes, such as acquisitions, organizational shifts, volume growth or contractions; regulatory changes; or technology changes, such as application and operating system upgrades, hardware changes and network and other changes in the technology environment. Key contract terms that should be reviewed are: improvements in negotiated SLAs, appropriate remedies for non-performance, appropriate notifications and change control requirements, appropriate insurance requirements, appropriate termination language, and any changes in legal or regulatory requirements.
- Scheduling formal provider reviews at least once a year is generally appropriate. The scheduled review period is also an appropriate time to review key contract terms to ensure they continue to meet business requirements and current contract standards. A corrective action plan should be developed for any service provider performance issues, with appropriate monitoring and follow-through.
- Institutions should consider requirements for developing exit strategies and implementation plans. Such plans might be implemented due to vendor performance issues or a management decision to move to an alternate service provider, or to move the service in-house. The business continuity plan should be updated to include manual workarounds should termination of service be required. An escalation process should be in place for mission-critical service providers with a heightened level of risk due to financial condition or deterioration of performance.
CROSS-BORDER OUTSOURCING CONSIDERATIONS
- Some larger financial institutions have entered into relationships with cross-border vendors for application development as well as business process outsourcing.
- Some considerations that institutions contemplating entering into such arrangements should keep in mind are:
- Corporate and cultural differences;
- Potential language barriers;
- Time-zone differences;
- Geographic distance;
- Compliance requirements to ensure continued adherence with U.S. laws and regulations;
- Legal jurisdiction and governing law for the contract;
- Political and economic stability of the foreign country;
- Infrastructure issues in the foreign country;
- Availability of disaster recovery/business continuity resources and options;
- Knowledge transfer;
- Impact on performance risk;
- Challenges of quantifying total costs; and
- Reputational risks.
COMPARISON OF BITS FRAMEWORK WITH NCUA GUIDELINES
Finally, Appendix 2 (Framework Map to Federal Banking Agency Guidelines) now has an added section concerning how NCUA's Letter to Credit Unions Regarding Due Diligence Over Third Party Service Providers (No. 01-CU-20) compares with the various sections of the Framework. The Letter to Credit Unions can be found on NCUA's website at http://www.ncua.gov/letters/2001/01-CU-20.pdf.
QUESTIONS ON THE PROPOSED REVISED FRAMEWORK
- Do you agree with the requirements for risk analysis, recovery objectives, planning, testing, event management, governance and insurance in the Disaster Recovery and Business Continuity Matrix?
Yes ______ No ______
If not, which requirements should be added/deleted?
- Do you agree with the high-level expectations for service providers that deal with the protection of the financial institution's information and security assets?
Yes ______ No ______
If not, why not?
- Are there issues that have been overlooked in the enhanced Section 8 regarding ongoing vendor relationship management that you feel should be included?
Yes ______ No ______
If so, what specific points would you like to see included?
- Should Section 8 be expanded to include the concept of the institution establishing a Steering Committee to regularly meet to review the outsourcing service and address open issues?
If so, what points about the Steering Committee should be emphasized?
- Are there additional letters or other guidance issued by NCUA that you believe should be included in Appendix 2: Framework Map to Federal Banking Agency Guidelines?
Yes ______ No ______
If so, what additional NCUA guidance should be included in the appendix?
- Are there concerns or processes with regard to credit union technology outsourcing that you believe still need to be addressed in the Framework?
Yes ______ No ______
If so, what are those concerns or processes?
- Other comments?
Eric Richard, General Counsel, (202) 508-6742, email@example.com
Mary Mitchell Dunn, SVP & Associate General Counsel, (202) 508-6736, firstname.lastname@example.org
Jeffrey Bloch, Assistant General Counsel, (202) 508-6732, email@example.com
Catherine Orr, Senior Regulatory Counsel, (202) 508-6743, firstname.lastname@example.org