Automating Vendor Management
Tuesday 11:30 am – 12:30 pm
Roger Chalkley, Home Bank S B

Home Bank S B
- Located in South Central Indiana
- Three branches
- Established in February 1890
- $230 million in assets
- OCC regulated
- 70 employees
IT Governance Program components: Governance Policy, Access Management, Incident Response, Asset Management, Business Continuity, Vendor Management, Security Standards, AUP, Risk Analysis

In late 2011, we decided to revamp our whole IT Governance Program and policies. The consulting firm that helped us with our Risk Assessment, infotex, has actually mapped all of the FFIEC requirements to a policy set that they showed us how to migrate to, with one of the components being Vendor Management.
Where we started: Accounts Payable vendors
- Started from the Accounts Payable vendor list
- Created a spreadsheet
- Eliminated all "marketing vendors" (charitable donations, yearbook ads)
- Assigned vendor owners
Definitions
Vendor: A person or entity that provides a product or service to the bank.
Risk Rating: We risk rate vendors based on:
- The amount and sensitivity of customer information to which they have access
- The extent to which our business would be disrupted if the vendor relationship ends
- The amount of money spent annually

Definitions (continued)
Critical Vendors:
- "Hosting" of customer information
- Access to a large volume of customer information, or to highly sensitive customer information
- A terminated relationship would cause major disruption
- Annual payments from the bank > $50K
Regulated Vendors: Vendors who are legally required to comply with federal privacy laws by virtue of being regulated by a federal agency.
Critical Vendor Documentation Needs
- SSAE 16 report
- Financial statements
- Tracking/reporting on performance: are they meeting SLAs? Reporting and follow-up of issues with the vendor

NEW SSAE 16 Standard
Replaced the old SAS 70, effective June 15, 2011.
SOC-1 (Financial Reporting Controls)
- Includes a written assertion from management on the fairness of the auditor's presentation of the system description
- Type 1 also reports on the control design
- Type 2 reports on the control design AND its effectiveness
- Clarifies that the user auditor evaluates the proper choice of controls
SOC-2 (Operational Controls)
- Reports on management's description of a service organization's system, AND
- Type 1 also reports on the suitability of the design of controls
- Type 2 also reports on the suitability of the design and the operating effectiveness of controls
SOC-3 (Operational Controls)
- Trust Services Report for Service Organizations
- CPA's opinion
Most vendors issue SOC-1 Type 1. Type 1 = point in time; Type 2 = period of time.
FIS Governance Site Info
HTTPS://GOVERNANCE.FNIS.COM
If you do not have access credentials, send a request to FIS.Security.Governance@fisglobal.com with the subject line "Governance Website Access Request" and the following info in the email body:
- First Name:
- Last Name:
- Company Name:
- Contact Phone:
- Contact E-mail: (must be a company e-mail address)
- Desired User Name:
Please note: it can take up to 24 hours to process your registration once it is received. You will receive an e-mail from FIS.Security.Governance@fnis.com with your login credentials once your registration is processed.
Reviewing a SOC-1 or SOC-2 Report
- Understand the scope of the review
- Read the entire report
- Pay attention to the auditor's opinion
- Were all controls tested without exception (Type II)? If there are exceptions, are there sufficient compensating controls?
- Review the User Control Considerations
- Document the controls you have in place to address those areas

Reviewing a SOC-1 or SOC-2 Report: Document your review conclusion
"Based on our review of the FIS Charlotte Service Center SOC-1 report for the period of February 1, 2011 to October 31, 2011, the FIS controls upon which Home Bank relies were appropriately designed and operating effectively."
Software Automation
Wish list for software to automate the Vendor Management process:
- Gathering/storage of documentation
- Vendor owner assessment
- Annual risk assessment
- Key date notifications: SSAE 16, financial review, insurance, SLA & performance