Outsourcing the Business Continuity Function

In addition to ensuring that outsourced financial and technology services include appropriate business continuity plans, financial institutions that outsource all or a portion of their business continuity capability should consider the following factors.

■ Staffing—The provider should have sufficient and knowledgeable staff available to provide appropriate onsite technical support to ensure timely resumption of operations at the recovery site.

■ Processing Time Availability—The provider should allocate sufficient processing time, resources, and security controls to accommodate the potential for multiple clients declaring a disaster at the same time. The institution should ensure it can process normal volumes of work within appropriate time requirements.

■ Access Rights—The provider should disclose any access limitations. The provider should guarantee the institution’s right to use the site in case of an emergency. Alternatively, the institution should understand any priority arrangements. For example, some sites operate on a first-come, first-served basis until the site is at full capacity, while others have pre-arranged priorities based on contractual agreements.

■ Hardware and Software—The recovery site should have compatible hardware and software. The institution should monitor the compatibility of the site to handle its specific computer hardware and software requirements. To facilitate the monitoring, the provider should be required by contract to notify the institution of any changes in the hardware, software, and equipment at the recovery site.

■ Security Controls—The institution should ensure it can maintain adequate physical and logical security controls at the recovery site.

■ Testing—The service provider contract should address access to the recovery site for periodic testing. At a minimum, the institution needs sufficient access to perform at least one full-scale test of the recovery site annually, including verification of telecommunications capabilities. Similarly, the institution should ensure the service provider also performs periodic tests of its own BCP and submits test results to customer financial institutions.

■ Confidentiality of Data—The institution should ensure the provider can maintain the confidentiality of its business and customer data. The service provider should maintain controls sufficient to ensure the security and confidentiality of the information assets consistent with the institution’s information security program. Confidentiality of data is particularly important when multiple clients operate from the same recovery site. Institution management should establish whether the service provider has addressed these issues in its contract, particularly the provisions concerning the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.[1]

■ Telecommunications—The institution should review telecommunications redundancy and capacity at the recovery site, including how communications from the institution to the recovery site will be established. The service provider should take steps to ensure the recovery site will have adequate telecommunications services (both voice and data) for all of its clients.

■ Reciprocal Agreements—Financial institutions contracting with another institution for a recovery site should consider the above issues of staffing, processing availability, access rights for recovery or testing, compatibility, security, capacity, etc. Both institutions should ensure they maintain sufficient capacity to meet recovery time objectives and minimum service levels in the event one institution needs to recover operations.

■ Space—The recovery site should have adequate space to accommodate the affected institution’s recovery staff.

■ Printing Capacity/Capability—The recovery site should maintain adequate printing capacity to meet the demand of the affected institution under acceptable levels of service.

■ Contacts—Institution management should know the procedures for declaring a disaster, including who has the authority to declare a disaster and initiate use of the recovery site. The institution should also maintain an updated list of contact names and numbers for the recovery site provider and know the procedures for communicating with the provider.

Outsourced business continuity arrangements can be cost-effective for smaller institutions when compared to establishing and maintaining dedicated alternate recovery sites. Institutions should periodically (at least annually) conduct a thorough test of outsourced disaster recovery services.

Information Security/Safeguarding

Information assets are valuable, and institutions should ensure these assets are adequately protected in outsourcing relationships. Financial institutions have a legal responsibility to ensure service providers take appropriate measures designed to meet the objectives of the information security guidelines and to comply with GLBA 501(b). Those measures should result from the institution’s security process and should be included or referenced in the contract between the institution and the service provider. Refer to the IT Handbook’s “Information Security Booklet” for additional information on the information security process.

In choosing service providers, management should exercise appropriate due diligence to ensure the protection of both financial institution and customer assets. Before entering into outsourcing contracts, and throughout the life of the relationship, institutions should ensure the service provider’s physical and data security standards meet or exceed the standards required by the institution. Institutions should also implement adequate protections to ensure service providers and vendors are given access only to the information and systems they need to perform their function. Management should restrict service provider access to financial institution systems, and appropriate access controls and monitoring should be in place between the service provider’s systems and the institution’s.

Multiple Service Provider Relationships

A multiple service provider relationship is an environment where two or more service providers collaborate to deliver an end-to-end solution to the financial institution.

An institution can select from two techniques to manage this relationship, but it remains responsible for understanding and monitoring the control environment of all servicers that have access to the financial institution’s systems, records, or resources. The first technique involves the use of a lead service provider to manage the institution’s various technology providers. The second technique, which may present its own set of implementation challenges, involves the use of operational agreements between each of the service providers or stand-alone contracts. If the first technique is employed, management should ensure its primary service provider has a contractual obligation to notify the financial institution of any concerns (controls/performance) associated with any of its outsourced activities. Management should also ensure the service provider’s control environment meets or exceeds the institution’s expectations, including the control environment of organizations that the primary service provider utilizes.

Stand-alone contracts with each service provider require increased management of each provider. Contracting for a technology solution through one lead provider may lessen the need for the institution to become directly involved if subcontractors fail to perform, but it does not diminish the institution’s responsibility for monitoring the internal and security controls of subcontractors through the primary service provider relationship. Because the institution has less direct control under the lead provider approach, management should require by contract that technology service providers (TSPs) notify the institution of all subcontractor relationships.

Outsourcing to Foreign Service Providers

Some institutions develop outsourcing relationships with service providers located in foreign countries. These arrangements can provide cost, expertise, and other advantages to the institutions and should be subject to the same due diligence and assessment as domestic outsourcing relationships. In addition, foreign outsourcing relationships result in unique strategic, reputation, credit, liquidity, transactional, geographic, and compliance risks that institutions should identify, assess, prevent, and control. See Appendix C for additional detail.

[1] See 66 Federal Register 8616 (Feb. 1, 2001): 12 CFR Part 30, app. B (OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (Board); 12 CFR Part 364, app. B (FDIC); 12 CFR Part 570, app. B (OTS). See also 66 Federal Register 8152 (Jan. 30, 2001): 12 CFR Part 748, app. A (NCUA).