Each industry is governed by its own laws and regulations, which evolve with the industry and set the standards your business must operate under. We looked closely at the financial industry a few months back in our webinar, Navigating SharePoint and the Cloud in the Financial Industry, with our friends at Webtrends.
Understandably, the financial industry is chock-full of rules and safeguards designed to protect your business and your customers. That is why, when you move to a cloud or managed service, the provider you choose must be able to demonstrate compliance with those regulations. This post outlines how to choose the right provider and what you should expect from the arrangement.
Focuses of your IT Outsourcing Provider agreement:
- Effective oversight and risk management of IT outsourcing arrangements
- Risk assessment and requirements
- Substantiated service provider selection
- Effective contract issues
- Ongoing monitoring
- Secure environment (SSAE 16 attestation)
- Archiving and recovery capabilities
What is in place to manage risk? There must be effective oversight and risk management of IT outsourcing arrangements. For many financial institutions, specific expectations are set out by the Board of Governors of the Federal Reserve System in its 2004 memo “to the officer in charge of supervision and appropriate supervisory and examination staff at each Federal Reserve Bank and to each domestic and foreign banking organization supervised by the Federal Reserve.”
This extends to the “origination, processing and settlement of payments and financial transactions, information processing related to customer account creation and maintenance, as well as other information and transaction processing activities that support critical banking functions, such as lending, deposit-taking, fiduciary, or trading activities.”
The risks do not change because the work moves off-premises. The same careful risk assessment and the same organization-mandated requirements you would apply in-house must be applied to, and vetted against, the service provider with equal rigor.
When creating your Risk Assessment, be aware of:
- The worst that can happen. Define a worst-case scenario and plan for it.
- Threats to availability of systems that support customer transactions
- Integrity and security of customer data
- Integrity of risk management information systems
- What functions and roles the service provider will be expected to handle
- Who else can do it? Have an alternative solution ready if things don’t work out.
- The cost and time involved with switching service providers if needed.
- Any insurance coverage available for particular risks
- The responsibilities, liabilities and conditions of the written contract
Benefit: Operational control, availability and uptime become the responsibility of the outsourced provider, and the provider bears the associated risk.
Problem: It is still your reputation on the line. An SLA may compensate you for some losses, but an unexpected outage can do damage to customer trust that no credit covers.
Keep in mind: Operational incidents are often more likely on-premises, where hardware may not be as current and where the in-house team may have less day-to-day operational experience than a provider running many environments.
Creating the Iron-clad Contract
This is a critical step. Define your terms clearly and make sure the responsibilities and liabilities of both parties are spelled out.
Important terms to consider closely:
- Service level requirements
- Performance standards
- Penalties if needed
- Insurance availability
- Disaster Recovery options
- Ownership and access of the data
- Liabilities for particular risks
- Auditing standards
- Service Provider’s operational and financial condition
- Compliance with regulatory standards
- Provisions for contract changes and termination
Don’t grow complacent. Ongoing monitoring is an essential part of the service provider relationship: it verifies that the provider continues to meet the terms of your arrangement. Periodic reviews should cover the provider’s operational and financial condition and its performance against the agreed service levels, and should record how well the relationship has worked so far.
How secure are the outsourced facilities? Every service provider should be able to produce both internal audit results and external audit reports that speak to the security, availability and performance of its datacenters. The external audits should be comprehensive examinations performed by independent third-party auditors under a recognized attestation standard. SSAE 16 is the widely used standard for such reports. A SOC 1 report under SSAE 16 covers the provider’s controls that affect your financial reporting, which is what auditors of a financial institution will typically ask for; for the controls surrounding security and availability of the datacenter itself, ask the provider for its SOC 2 report as well, and read the scope section of each report to confirm it actually covers the facilities and services you will be using.
What is your contingency plan? You won’t get a second chance at disaster recovery, so make sure a proper business continuity plan is in place with your service provider. Most providers can work through this with you, and the plan should set two targets: the Recovery Point Objective (RPO), the maximum amount of data, measured in time, you can afford to lose, which in practice bounds how far back your most recent recoverable backup or replica may be; and the Recovery Time Objective (RTO), the maximum time allowed to recover systems and resume business after an incident. Your RPO and RTO together determine which type of standby recovery option (cold, warm or hot) fits your business, and they should be written into the contract and tested, not just agreed verbally.