Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.

Similar presentations


Presentation on theme: "Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA."— Presentation transcript:

1 Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA

2 Overview Introduction Introduction Reasons for Outsourcing Reasons for Outsourcing Due Diligence Due Diligence Risk Considerations Risk Considerations Management Considerations Management Considerations Conclusion Conclusion References References

3 Philip Romero, CISSP, CISA Vice President, ISSA-SVC Vice President, ISSA-SVC Information Systems Auditor Information Systems Auditor

4 What is an Outsourced Service Provider? Any person or entity that maintains, processes, or otherwise is permitted access to perform services for a company, but is not directly employed by the company.

5 Responsibilities … …senior management should establish and approve risk- based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution. – FFIEC

6 Due Diligence Company financial & business standing Company financial & business standing Review of audits (SAS 70 or others) Review of audits (SAS 70 or others) Client interviews or visits Client interviews or visits Risk assessment Risk assessment

7 Company Financial & Business Standing How long has the company been in business? How long has the company been in business? Have they been profitable? Have they been profitable?

8 Review of Independent Audits SAS 70 Type I & II SAS 70 Type I & II Six Sigma Six Sigma Others (e.g. Pen Testing) Others (e.g. Pen Testing)

9 Client Interviews or Site Visits Did the company deliver what they said they would? Did the company deliver what they said they would? Does the product or service function as described? Does the product or service function as described? Did the implementation go as planned? Did the implementation go as planned? Do the security controls operate as defined? Do the security controls operate as defined?

10 Risk Considerations Application Security Application Security Network Security Network Security Physical Security Physical Security System Administration System Administration Business Continuity & Disaster Recovery Planning Business Continuity & Disaster Recovery Planning

11 Management Considerations Contract Negotiations Contract Negotiations Statement of Work Statement of Work IT Strategic Impact IT Strategic Impact Benefits Realization Benefits Realization High Level Monitoring High Level Monitoring Customer Satisfaction Customer Satisfaction Data Security Data Security Network Connectivity & Security Network Connectivity & Security Regulatory Compliance Regulatory Compliance

12 Outsourcing Management Study A 2000 study of 29 major outsourcing engagement over eight years reported that 35% of the arrangements failed. A 2000 study of 29 major outsourcing engagement over eight years reported that 35% of the arrangements failed.

13 Management Considerations Contract Negotiations Contract Negotiations Get it in writing Get it in writing It does not have to be business as usual It does not have to be business as usual Statement of Work Statement of Work Clearly define roles and expectations Clearly define roles and expectations

14 Management Considerations IT Strategic Impact IT Strategic Impact How does the outsourced service effect goals? How does the outsourced service effect goals? Do strategic goals need to be re- evaluated do to the outsourcing of services? Do strategic goals need to be re- evaluated do to the outsourcing of services? Benefits Realization Benefits Realization Are the goals of outsourcing being achieved? Are the goals of outsourcing being achieved?

15 Management Considerations High Level Monitoring High Level Monitoring Review corporate news Review corporate news Review updated audit reports Review updated audit reports Customer Satisfaction Customer Satisfaction Are customers satisfied with the outsourced arrangements Are customers satisfied with the outsourced arrangements Have the arrangements increased or hindered profits? Have the arrangements increased or hindered profits?

16 Management Considerations Data security Data security Has your company classified the information used and managed by the outsourced company? Has your company classified the information used and managed by the outsourced company? Has the appropriate protection been defined? Has the appropriate protection been defined?

17 Management Considerations Network connectivity & security Network connectivity & security How do your companies exchange information? How do your companies exchange information? Are data circuits encrypted? Are data circuits encrypted?

18 Management Considerations Regulatory compliance Regulatory compliance HIPAA HIPAA GLB GLB SOX SOX CA Civil Code – (SB1386) CA Civil Code – (SB1386)

19 Conclusion Reasons for Outsourcing Reasons for Outsourcing Due Diligence Due Diligence Risk Considerations Risk Considerations Management Considerations Management Considerations

20 References IT Governance Institute IT Governance Institute Information Systems Audit and Control Association Information Systems Audit and Control Association NIST Computer Security Resource Center NIST Computer Security Resource Center Federal Financial Institution Examination Council Federal Financial Institution Examination Council


Download ppt "Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA."

Similar presentations


Ads by Google