Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vendor Management & Business Value

Published byHadian Sutedja Modified over 5 years ago

Similar presentations

Presentation on theme: "Vendor Management & Business Value"— Presentation transcript:

1 Vendor Management & Business Value
9/16/2018 © 2012 Rick Hebert & Associates

2 Vendor Management Risk Assessment
5 step process for selection, review and oversight of vendors. Risk Assessment Due Diligence in Selection of New Vendors Contract Review Vendor Oversight Examiner Supervision 9/16/2018

3 © 2012 Rick Hebert & Associates
Risk Assessment For new high risk vendors, an in-depth assessment is conducted. Whether high risk or not an assessment may be conducted if the vendor may have a substantial impact on business or are offering a new service that has not been previously offered 9/16/2018 © 2012 Rick Hebert & Associates

4 © 2012 Rick Hebert & Associates
SSAE, SOC SOC3 A certification of controls Reviews the controls as in SOC1 and SOC2 but will also provide certification that the controls are adequate and appropriate for a vendor. 9/16/2018 © 2012 Rick Hebert & Associates

5 © 2012 Rick Hebert & Associates
SSAE, SOC A few other alternatives E-Security Cyber Trust Certification PCI (Payment Card Industry) Compliance along Ample auditing and reporting 3rd Party Reviews IT Risk Assessment Examination Results Others 9/16/2018 © 2012 Rick Hebert & Associates

6 © 2012 Rick Hebert & Associates
Program Vendor Management Program & Policy High Risk Vendors Vendor Risk Assessment Ratings Matrix New Vendor Risk Assessments New High Risk Vendors 9/16/2018 © 2012 Rick Hebert & Associates

7 © 2012 Rick Hebert & Associates
Program Vendor Risk Assessments should ongoing Vendor Management should be incorporated in the GLBA or customer confidentiality Policy Vendor Management should be incorporated in the Red Flags/Identity Theft Policy 9/16/2018 © 2012 Rick Hebert & Associates

8 © 2012 Rick Hebert & Associates
Program Vendor Financials Vendor Relationship Fraud Contract Review Policy Third Party Service Provider Standards 9/16/2018 © 2012 Rick Hebert & Associates

9 © 2012 Rick Hebert & Associates
9/16/2018 © 2012 Rick Hebert & Associates

10 © 2012 Rick Hebert & Associates
Program Due Diligence is a process of reviewing the vendor and determining if the organizations can work well together. This may be accomplished with a strict format or through management interview. If accomplished through management interview the VM process will require completion and decisions may change. 9/16/2018 © 2012 Rick Hebert & Associates

11 © 2012 Rick Hebert & Associates
Program Financial Stability An assessment of the company’s financials will be dependent upon the risk the company poses. A high risk vendor may require a more careful examination of financials. A low risk vendor may be of less concern. 9/16/2018 © 2012 Rick Hebert & Associates

12 © 2012 Rick Hebert & Associates
Program Strategic Approach Determine if the vendor’s strategic approach fit your organization’s need? Controls in Place at Vendor Controls Required by Organization 9/16/2018 © 2012 Rick Hebert & Associates

13 © 2012 Rick Hebert & Associates
Vendor Management System Overview Risk Present: Transactional, Operational, Reputational, Financial, etc… Risk Critical Risk Level of Concern Sensitive Customer Data Stored or Transmitted by vendor Employee data stored or transmitted by vendor Onsite/Remote Connection Work Required 9/16/2018 © 2012 Rick Hebert & Associates

14 © 2012 Rick Hebert & Associates
3rd Party Requirements Technical Considerations, some examples of Standards https, ssl, 128 bit encryption – required when software is transmitting data outside of the network Multi-factor authentication requirements will be considered on a per system basis Firewall rules – must be clearly defined and documented prior to opening any specific ports or services for the vendor Others 9/16/2018 © 2012 Rick Hebert & Associates

15 © 2012 Rick Hebert & Associates
Contract Review In addition to a review conducted by a lawyer, a review is conducted internally and shall examine the existence of the following items in each contract. A determination will made as to the depth of the vendor relationship and the need to require items not included. 9/16/2018 © 2012 Rick Hebert & Associates

16 © 2012 Rick Hebert & Associates
Contract Review GLBA, CMR 201 clauses (sensitive or confidential data) Protection controls related to the protection of sensitive and confidential data Appropriate disposal of confidential and proprietary data Notification of breach in logical or physical security and a description of anticipated losses Confidentiality agreement and terms related to any use of bank premises, equipment or employees. Fraud Notification of successful or attempted fraud Timeframe End of contract and automatic renewal information will be understood prior to signing a contract. 9/16/2018 © 2012 Rick Hebert & Associates

17 © 2012 Rick Hebert & Associates
Services Description of frequency (how often), format (type) and specifications (details) of any service provided. Details should be appropriate for the service provided. Services provided such as Software support and maintenance, training of employees and customer service during implementation and after the sale. 9/16/2018 © 2012 Rick Hebert & Associates

18 © 2012 Rick Hebert & Associates
Legal Responsibilities and Compliance A statement of the third party’s compliance with laws, regulations, and regulatory guidance. Authorization for Sample Bank and the appropriate federal and state regulatory agency to have access to records of the third party to evaluate compliance with laws, rules and regulations. Identification of required customer disclosures and which party is responsible for providing such disclosures. Insurance Insurance coverage maintained by the third party Sub-Contractors Use of subcontractors and the process used to determine suitability of the subcontractor with respect to the relationship with Organization. 9/16/2018 © 2012 Rick Hebert & Associates

19 © 2012 Rick Hebert & Associates
 Monitoring Statement of authorization for the institution to monitor and periodically review the vendor’s compliance with the contract or agreements established. Indemnification Indemnification verbiage should describe claims that may be issued and the monetary and legal risk assumed by the bank and by the Vendor. This verbiage may explain potential damages and losses that could be caused by the vendor relationship and expenses that may be incurred should be considered and incorporated into the contract, where possible. 9/16/2018 © 2012 Rick Hebert & Associates

20 © 2012 Rick Hebert & Associates
Initial Risk Rating Vendor Risk Rating Low Vendors with a risk rating of Low - “1” expose the bank to low, or no, potential for: financial or customer information loss. The services or products they provide are not considered mission-critical, and if the vendor fails to perform, they can be easily replaced or provided by other vendors, with little or no disruption in the bank’s operations, resulting in little or not adverse financial impact on the bank. Further due diligence is not required. * Vendor Risk Rating Moderate Vendors with a risk rating of Moderate - “2” expose the bank to a moderate potential for financial loss. The services or products they provide are not considered mission-critical, and if the vendor fails to perform, they can be replaced or provided by other vendors, but at the cost of a moderate disruption in the bank’s operations, resulting in moderately adverse financial impact on the bank. Further due diligence is recommended. * Vendor Risk Rating High Vendors with a risk rating of High - “3” expose the bank to a high potential for financial loss. The services or products they provide are considered mission-critical, and if the vendor fails to perform, they can not be easily replaced or provided by other vendors, without significant disruption in the bank’s operations, resulting in a significant adverse financial impact on the bank. Further due diligence is required. * * For GLBA Vendors or those covered by State law, complete the Information Security Risk Assessment by either utilizing an SSAE, or an industry accepted source following pre-determined guidelines. 9/16/2018 © 2012 Rick Hebert & Associates

21 © 2012 Rick Hebert & Associates
Vendor Type Rating Description Critical 1 Low – not mission critical, easily replaced, no financial impact 2 Medium – not mission critical, easily replaced but important relationship, may have moderate financial impact 3 High – mission critical, have customer/employee data, operationally significant, financial impact of change or failure could be significant Concern No Longer Used, Not within Scope No data shared and access governed by internal controls Data shared – not significant financially and/or potential reputation exposure for customers and employees is minimal Onsite access to sensitive data but risk mitigated by internal controls 4 Sensitive Information access either onsite or remotely 5 Highest concern – Customer Data shared and/or transmitted 9/16/2018 © 2012 Rick Hebert & Associates

22 © 2012 Rick Hebert & Associates
For Vendors Rated 3 that submit or possess information including customer, employee or other sensitive data obtain the following: Confidentiality Agreement Confirm Confidentiality Agreement / Non-disclosure between vendor and CMB is in contract or on file or profession already regulated by other entities. SSAE 16/SOC 1 or Equivalent SSAE 16/SOC 1 report, if available Or Internal audit reports or CPA Management letter, including management response and actions taken, if available, vendor documentation of internal controls. FFIEC Exam Report If available, regulatory examination report, including management response and actions taken, if applicable. User Controls Compliance Verify Bank’s ability to comply with ‘User Controls’ section of SSAE report. Vendor BCP Testing Results of vendor’s test of it’s BCP. Detailed Risk Assessment Detailed description of vendor along with assessment of Financial Stability Risk Credit Risk Compliance Risk Financial Risk Operational/Transactional Risk Reputation Risk Strategic Risk Provide Detailed Risk Score Business Value Describes the value of the vendor to Sample, what the vendor provides or offers that will have some value to the bank. Fee Income Access to Data/Automation Reduction of Cost Competitive Pricing New Business Operational Improvements Competitive Offering Other Value, Savings, Efficiency Financial Audited financial statements, Dun & Bradstreet report. 9/16/2018 © 2012 Rick Hebert & Associates

23 © 2012 Rick Hebert & Associates
Steps No data shared and access governed by internal controls Send Cover Letter Send Confidentiality Agreement 9/16/2018 © 2012 Rick Hebert & Associates

24 © 2012 Rick Hebert & Associates
Steps Data shared – not significant financially and/or potential reputation exposure for customers and employees is minimal Send Cover Letter Send Confidentiality Agreement 9/16/2018 © 2012 Rick Hebert & Associates

25 © 2012 Rick Hebert & Associates
Steps Onsite access to sensitive data - risk mitigated by internal controls Send Cover Letter Send Confidentiality Agreement Conduct Red Flag Review of Vendor using red flag software Obtain W-9 9/16/2018 © 2012 Rick Hebert & Associates

26 © 2012 Rick Hebert & Associates
Steps Sensitive Information access either onsite or remotely Send Cover Letter Send Confidentiality Agreement Conduct Red Flag Review of Vendor using bank’s red flag software Request document from Company describing data protection procedures as relates to scope of services provided. Request documentation either through letter or other format the stability of company – Examples of criteria to be used; bank management may provide alternative documentation, as appropriate to the scope of the services provided to the bank: Number of companies/banks currently serviced Annual cash flow Reference letter from customer 9/16/2018 © 2012 Rick Hebert & Associates

27 Risk Assessment/Due Diligence May Include
Detailed description of vendor along with assessment of Financial Stability Risk Credit Risk Compliance Risk Financial Risk Operational/Transactional Risk Reputation Risk Strategic Risk Provide Detailed Risk Score 9/16/2018 © 2012 Rick Hebert & Associates

28 © 2012 Rick Hebert & Associates
Vendor Management Business Value – Appetite (or Tolerance) Fee Income Access to Data/Automation Compliance Operational Improvements Reduction of Cost Competitive Pricing New Business Competitive Offering Other Value, Savings, Efficiency, etc… as determined by Management 9/16/2018 © 2012 Rick Hebert & Associates

29 © 2012 Rick Hebert & Associates
Presenter Denise Butler Phone (207) 9/16/2018 © 2012 Rick Hebert & Associates

Download ppt "Vendor Management & Business Value"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
Auditing Computer Systems

Auditing Computer Systems
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Security Controls – What Works

Security Controls – What Works
ISO General Awareness Training

ISO General Awareness Training
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.
Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA 2014. The policy advocacy and regulatory work of the GSMA Mobile Money team.

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.
3rd Party Risk Categorization Process

3rd Party Risk Categorization Process
Vendor Management Frequent regulatory findings:

Vendor Management Frequent regulatory findings:
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
Network security policy: best practices

Network security policy: best practices
1 Jersey Funds Association Educational training session – 22 June 2010.

1 Jersey Funds Association Educational training session – 22 June 2010.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Vendor Risk: Effective Management is Essential

Vendor Risk: Effective Management is Essential
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Similar presentations

Ads by Google