©2015 FIS and/or its subsidiaries. All Rights Reserved. FIS confidential and proprietary information.
Vendor Risk Management from a TSP Perspective
John Dulweber – Deputy CRO
September 2016
A Balancing Act
Regulatory and Internal Risk programs are dictating that financial institutions perform extensive Vendor Risk Management (VRM) activities to monitor their Technology Service Provider (TSP) partners.
As the largest Technology Service Provider in the world, FIS’ Client Risk Relations program is constantly evolving to address requests from our clients. We have collected some recommendations to help financial institutions complete their VRM activities more efficiently, benefiting both the Financial Institution and the Technology Service Provider.
Many TSPs have thousands of financial institution clients, and Vendor Risk Management requests from these clients can stretch their resources thin.
Recommendations from a TSP perspective
1. Understand the Relationship and Risk
2. Develop a multi-year plan using a risk-based approach to monitor TSPs
3. Utilize proactively provided materials prior to requesting one-on-one assessments or meetings
4. Attend Client Events
1. Understand the Relationship and Risk
Many TSP/Financial Institution relationships span multiple products. These products have different functions and therefore different relative risk. It is important to risk rank each of those products and determine your scope of VRM activities using a risk-based approach.
Example: The risk related to running a TSP-hosted core banking application should be considered separately from the risk of licensing software from that same TSP.
In order to fully understand the product’s function and its impacts on your own operational risk and compliance programs, include Line of Business, Operational Risk and Compliance associates in the Risk Assessment process.
2. Develop a multi-year plan using a risk-based approach to monitor TSPs
For a more surgical approach to monitoring TSPs, create a multi-year plan and stagger activities based on relative risk, thus maximizing resource time on both sides.
Completing the same procedures on all products every year is inefficient.
[Chart: VRM activities staggered across Year 1 to Year 5]
3. Utilize proactively provided materials prior to requesting one-on-one assessments or meetings
Reading various reports and program documentation prior to engagement will enable your assessors to better risk rate the relationship and product set and plan VRM activities accordingly.
Take advantage of the following assessments and program documentation to maximize efficiency:
+ Regulatory Reports
+ Shared Assessments
+ Certifications (ISO, PCI)
+ Disaster Recovery Exercise Results
+ Service Auditor Reports (SSAE16, SOCII)
+ Risk, Information Security and Compliance program manuals
FIS Vendor Management Resource Center
VMRC sections: VMRC Guidebook, Assessments & Certifications, SIG Questionnaires, Regulatory Materials, Hot Topics Bulletins, Miscellaneous.
Hot Topics Bulletins include:
+ Descriptions of current critical vulnerabilities
+ FIS’ remediation approach to these vulnerabilities
+ Recommended client remediation activities
These bulletins are the most downloaded item on the VMRC.
Example from FIS
VMRC Guidebook
In the VMRC Guidebook, documentation is tied to Regulatory Guidance. It provides a description of all collateral located on the VMRC.
Assessments
SOC I (SSAE16): A test of internal controls over financial reporting, including testing of general computing controls. FIS has one data center-level SOC I report covering 5 data centers. FIS has 22 product-level SOC II reports (25 including international).
SOC II: A test of internal controls over Information Security. FIS has one data center-level SOC II report covering 5 data centers. FIS has 3 product-level SOC II reports (5 including international).
For additional information, refer to the appendix.
Certifications
ISO 22301: An international certification for Business Continuity and Disaster Recovery Management. FIS is ISO 22301 certified at 11 sites.
ISO 27001: An international certification for Information Security. FIS is ISO 27001 certified at 8 sites.
Payment Card Industry (PCI): A proprietary information security standard for organizations that handle branded credit cards from the major card brands.
For additional information, refer to the appendix.
Shared Assessment Standard Information Gathering (SIG) Questionnaires
The Shared Assessment Standard Information Gathering (SIG) Questionnaire contains a robust yet easy to use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment. The SIG questions are based on referenced industry standards (including, but not limited to, FFIEC, ISO, COBIT and PCI).
+ Organized by data center
+ Over 1000 security-related questions completed for 16 data centers
+ Should be the first response to every client questionnaire request*
*Many clients don’t realize that their own questionnaires are based on the SIG
Regulatory Materials
Did you know… The number-one finding from Regulatory Agencies related to Vendor Risk Management is the failure to review their critical vendors’ regulatory reports.
Regulated Financial Institution clients have access to the following documentation pertinent to regulatory matters:
+ Security and Risk Strategic Update: Details FIS’ action plan against current Matters Requiring Attention
+ Board Presentation: A non-branded presentation of FIS status against Matters Requiring Attention, including the Security and Risk Strategic Update, to be used by clients when presenting to their boards
Miscellaneous
+ Results of Disaster Recovery Exercises
+ RISC program manual documents
+ Financial health information
+ Business overview
+ Governance structure information
+ FIS Policy summaries
4. Attend Client Events
Some examples of events that give additional insight into the client’s VRM needs include:
+ TSP provided Vendor Risk Management conferences
+ User Groups and Advisory Councils
+ Product conferences
Benefits of attending client events:
+ Better understand the TSP’s programs and controls
+ Meet and network with other clients of the TSP to discuss Vendor Risk Management matters
+ Further develop relationships with your TSP
Risk & Security as a Service
Founded on FIS’ Principles. Driven by FIS’ People, Process, and Technology.
Vendor Risk Manager: Centralizing the due diligence of third party risk via FIS’ people, process and platform end-to-end
• Configurable, comprehensive Risk Scoring
• Configurable Inherent Risk Scoring (Completion, Monitoring, and Support)
• Global Watch List Checks (incl. Country and Geopolitical risks)
• Ongoing Financial Health Monitoring (Public and Private Sectors)
• Regulatory (OCC) and Industry (PCI/CFPB) Compliance Monitoring
• Annual Control Survey and Audit Review Completion/Support
• Real time access to FIS Professional Risk Support Services
Perimeter Defense: Identifying and prioritizing vulnerabilities that are exposed to the public internet daily
• Daily External Vulnerability Identification
• Configurable Vulnerability Risk Scoring and Prioritization
• User-defined, configurable Risk Remediation Timelines
• Vulnerability Management notifications and workflows
• Custom Scan, Vulnerability and End User Reports
• Real time access to FIS Professional Security Support Services
Internal Defense: Discovering and monitoring IT assets, internal vulnerabilities, and end point controls
• Weekly Internal Device Vulnerability Identification
• Ongoing Device End Point Control Compliance Monitoring
• Custom Vulnerability Risk Scoring and Prioritization
• Custom Risk Remediation Timelines
• Vulnerability Management notifications and workflows
• Custom Scan, Vulnerability and End User Reports
• Real time access to FIS Professional Security Support Services
Contact Tariq Bokhari – [email protected]
Example from FIS
FIS Vendor Risk Manager as a Service (VRMaaS)
Anatomy of a Complete Vendor Risk Solution
+ Inherent Risk Exposure: Consistent, quantitative, and defensible inherent risk score for every vendor based on the unique characteristics of each relationship
+ Watchlists: Screening & monitoring of over 300 watch lists around the globe, including historical values and related entities
+ Financial Health: Data feeds from multiple sources of industry financial and credit data to identify at risk vendors and impact risk scoring for a complete picture of vendor financial health
+ Regulatory Compliance: Monitoring of CFPB consumer complaints, regulatory penalties and findings, all included in the quantitative risk scoring model
+ Industry Compliance: Monitoring industry compliance, including PCI compliance, SSAE16, SOC 2, and ISO27001
+ Control Effectiveness: Dynamic, relationship specific internal control reviews utilizing proven methodologies, trained operational experts, and leveraging platform automation
Not Just One Time… In Real Time with Alerts & Warnings
Example from FIS
+ Two days of presentations regarding FIS’ Risk, Information Security, Compliance and Internal Audit programs
+ Access to FIS Executives who govern these programs during the conference and at lunch and dinner
+ Ability to ask questions and satisfy the “onsite” review
+ Opportunity to network with peer Financial Institutions
+ Tour of our Brown Deer facility to view physical and environmental controls
Example from FIS