To properly mitigate risk, institutions should have a comprehensive Outsourcing Risk Management Program to govern TSP risks. This Program includes:
- Risk assessment and requirements definition – risks associated with the functions outsourced, location of the IT vendor, and the technology are identified and assessed.
- Selection – requirements are defined in a formal RFP and due diligence is performed for each TSP.
- Contract Review – the contract is reviewed for adequate and measurable service level agreements and appropriate clauses (right to audit, confidentiality, etc.).
- Monitoring - the relationship is monitored through key service level agreement metrics and an internal process is created for the review of TSP SSAE16 and SOC 2 reports.
- Cloud Relationships – the type of payment, service, and deployment model is chosen and the inherent risks associated with the model are mitigated through appropriate controls.
InfoSight provides an Outsourced Vendor Management Program Development/Assessment (FI) to develop and/or assess a Program that is usually part of the overall Vendor Management Program aligned with the FFIEC Handbook. Our Outsourced Vendor Management Requirements (TSP) provide consultation to third-party service providers in meeting FFIEC requirements.
In 2015 the FFIEC update the BCP handbook with appendix J which now calls for ensuring your providers are resilient with respect to cyber threats. The FFIEC "Outsourcing Technology Service Booklet" provides guidance in evaluating an institution’s risk management processes to establish, manage, and monitor IT outsourcing relationships. Through outsourcing management is able to gain operational or financial efficiencies, increase their focus on core business functions, and allocate limited internal resources on core functions. However, outsourcing does not reduce the risks associated with information technology that include the potential loss of funds, competitive advantage, damaged reputation, and improper disclosure of information. It is a fact, that resource challenged institutions place to much reliance on TSPs and do not properly monitor them.