Third Party Vendor Management
Presented by: Jay Bowman, CISA, CISM
Director
September 22, 2011
Vendor Management
• Frequent regulatory findings:
– Lack of policy and procedures
– Risk assessment not performed
– Lack of ranking scheme
– Due diligence findings
– Vendor oversight issues
– Lack of senior management and Board oversight
A Few Questions
• Does your bank have a vendor management policy? A defined program?
• Is responsibility for vendors centralized?
• How many vendors does the bank rely upon for products and services?
• Are there review processes for selecting new vendors and evaluating current ones?
Finding a Starting Point…
Vendor Management Topics
• Policy
• Responsibility
• Risk Assessment
• Selection of New Vendors
• Oversight of Current Vendors
• Reporting
Vendor Management Policy
• Establishes:
– Responsibility for program activities
– Triggering thresholds or characteristics
– Risk assessment requirements
– Procedures for selecting new vendors
– Procedures for evaluating current vendors
– Reporting requirements
Responsibility for Vendor Management
• Chief Financial Officer
• Chief Information Officer
• Purchasing Manager
• Legal
• Shared
• Other
The VM policy should explicitly assign accountability and responsibility for the program.
Risk Assessment
(pre-decision to outsource)
• Potential impact on strategic goals
• Management oversight and evaluation
• Contingency plans
• Regulatory requirements & guidance
Risk Assessment
• Potential impact on strategic goals:
– Most vendors will not affect goal attainment
– Factors
• Unique product or service
• Key individuals
• “Significant” portion of revenues/profits
• Reputation
Risk Assessment
• Management oversight
– Does Management have the competence?
– Does Management have the time?
• Contingency plans
– Do others offer this product/service?
– Can it be brought in-house?
• Regulatory guidance
– What additional requirements are imposed?
Vendor Selection Process
• Identification of potential vendors
• Due diligence and selection
• Contract negotiation and award
Identification of Potential Vendors
• Trade literature
• Current vendors
• Other institutions
• Internet
• Trade association
• Other
The policy should lay out the requirements for identifying candidate vendors.
Due Diligence and Selection
• Evaluation criteria
– Ranking
– Subjective vs. Objective
– Binary vs. Weighted
• Request for Proposal (RFP)
• Evaluation team
• Documentation
• Approval
Request for Proposal (RFP)
Advantages:
• Fosters agreement on:
– Scope of services
– Selection criteria
• All vendors on “level playing field”
• Easier to reach selection decision
• Easier to defend selection decision
Request for Proposal (RFP)
Tips:
• Evaluation criteria:
– “Mandatory” versus “most important”
– Weighting schemes vs. subjective
• Boilerplate
• Deadline extensions
Contract Award & Negotiation
• Scope of Services
• Term
• Price
• Service Level Agreement (SLA)
• Key Personnel
• Termination
• Audit Rights
• Other
Service Level Agreements
• Specific, measurable, auditable
• Scope of services
• Requirements of service quality
• Measurement of service quality
• Credits/penalties for achieving/failing performance targets
• Institution’s responsibilities
• Vendor’s responsibilities
Current Vendor Evaluation
Frequency and scope depend on vendor rankings and characteristics:
• Critical vendors: full scope, annually
• Important vendors: limited scope, annually
• “Commodity” vendors: may be exempt
Rankings Considerations
• Annual expenditures
• Processing of critical functions
• Uniqueness of product or service
• Access to customer information
• Management discretion
• Other
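The slides describe the ranking scheme only in outline: “mandatory” (binary) criteria versus “most important” (weighted) criteria in due diligence and the RFP tips, the ranking considerations above, and the review tiers that follow from the ranking. As an added example that is not part of the presentation, the Python below implements one such scheme end to end: failed mandatory criteria disqualify a vendor outright, the remaining criteria are combined by weight, the score is mapped to the critical/important/commodity tiers with their review scope and frequency, and a management override is accepted only with a documented reason. The factor names, weights, thresholds, the rule that any access to customer information keeps a vendor out of the exempt tier, and the sample vendors are all assumptions made for illustration.

```python
# Added example (not from the slides): binary "mandatory" gates plus weighted
# "most important" criteria, mapped to review tiers. Factor names, weights,
# thresholds and the sample vendors are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Optional

# Weighted ranking factors, each scored 0.0 (none) to 1.0 (maximal).
# Factors follow the "Rankings Considerations" slide; the weights are assumed.
WEIGHTS = {
    "annual_spend": 0.20,
    "critical_function": 0.35,
    "uniqueness": 0.15,
    "customer_info_access": 0.30,
}

# score >= threshold selects the tier; anything lower is "commodity".
TIER_THRESHOLDS = (("critical", 0.70), ("important", 0.35))

# Review scope and frequency per tier ("Current Vendor Evaluation" slide).
TIER_REVIEW = {
    "critical": ("full scope", "annually"),
    "important": ("limited scope", "annually"),
    "commodity": ("exempt", "n/a"),
}


@dataclass
class Vendor:
    name: str
    factors: Dict[str, float]            # weighted criteria
    mandatory: Dict[str, bool]           # binary criteria; any False disqualifies
    override_tier: Optional[str] = None  # management discretion
    override_reason: str = ""            # must be documented when overriding


def weighted_score(factors: Dict[str, float]) -> float:
    """Weighted sum of the ranking factors; rejects missing or out-of-range scores."""
    missing = sorted(set(WEIGHTS) - set(factors))
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1], got {value}")
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS), 3)


def rank_vendor(vendor: Vendor) -> dict:
    """Apply the binary gate, then the weighted ranking, then management discretion.

    A vendor failing any mandatory criterion is ineligible whatever its score.
    A vendor with any access to customer information is never left in the
    exempt "commodity" tier (assumed floor: low spend is not low risk).
    An override is honoured only with a written reason, and the computed tier
    is returned alongside it so the evaluation file records both.
    """
    failed = sorted(k for k, ok in vendor.mandatory.items() if not ok)
    if failed:
        return {"vendor": vendor.name, "eligible": False, "failed_mandatory": failed,
                "score": None, "computed_tier": None, "tier": None, "review": None}

    score = weighted_score(vendor.factors)
    computed = "commodity"
    for tier, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            computed = tier
            break
    if computed == "commodity" and vendor.factors["customer_info_access"] > 0.0:
        computed = "important"

    tier = computed
    if vendor.override_tier is not None:
        if vendor.override_tier not in TIER_REVIEW:
            raise ValueError(f"{vendor.name}: unknown tier {vendor.override_tier!r}")
        if not vendor.override_reason.strip():
            raise ValueError(f"{vendor.name}: a tier override must be documented")
        tier = vendor.override_tier

    return {"vendor": vendor.name, "eligible": True, "failed_mandatory": [],
            "score": score, "computed_tier": computed, "tier": tier,
            "review": TIER_REVIEW[tier]}


# Constructed sample vendors (fictitious; scores chosen to exercise each branch).
SAMPLE_VENDORS = [
    Vendor("core processor",
           {"annual_spend": 0.9, "critical_function": 1.0, "uniqueness": 0.8,
            "customer_info_access": 1.0},
           {"current_sas70_ssae16": True, "insurance_certificate": True}),
    Vendor("office supplies",
           {"annual_spend": 0.3, "critical_function": 0.0, "uniqueness": 0.0,
            "customer_info_access": 0.0},
           {"insurance_certificate": True}),
    Vendor("document shredding",
           {"annual_spend": 0.05, "critical_function": 0.0, "uniqueness": 0.0,
            "customer_info_access": 0.5},
           {"insurance_certificate": True, "confidentiality_agreement": True}),
    Vendor("item processing bureau",
           {"annual_spend": 0.6, "critical_function": 0.9, "uniqueness": 0.4,
            "customer_info_access": 1.0},
           {"current_sas70_ssae16": False, "insurance_certificate": True}),
]


def rank_all(vendors=SAMPLE_VENDORS):
    """Rank every vendor; the result doubles as the summary for the annual report."""
    return [rank_vendor(v) for v in vendors]


if __name__ == "__main__":
    for row in rank_all():
        print(row)
```

Keeping the computed tier next to the overridden one is the point of the override handling: the evaluation file then shows what the scheme said, what management decided, and why, which is exactly what an examiner asks for when the ranking and the review frequency disagree.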
Vendor Evaluation Topics
• Financial stability
• Performance against SLAs
• Key personnel turnover
• Insurance coverage
• SAS 70/SSAE 16 (service providers)
• Disaster recovery testing & results
• Protection of customer information
Vendor Evaluations
Tips:
• Base evaluations on:
– Why the vendor is important
– The dimensions that carry greatest risk
• Provide for Management discretion
• Document evaluations/maintain files
Reporting
• Annual summary on vendor management
• Prepared by Management
• Presented to Board (or Committee)
• Covers:
– VM policy (any recommended changes)
– New critical vendors
– Summary of review of current vendors
– Other key information
Vendor Management Framework
• FIL-44-2008, “Managing Third Party Risk”
• FFIEC, “Risk Management of Outsourced Technology Services,” November 2000
• SR 00-4 (SUP), “Outsourcing of Information and Transaction Processing,” February 2000
• Institution’s “Vendor Management Policy”
Questions and Answers
Contacts
For more information, please contact:
Jay Bowman, Director, Mid-Atlantic
4900 Ritter Road, Suite 222
Mechanicsburg, PA 17055
Phone: [email protected]