
1 Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA

2 Overview
- Introduction
- Reasons for Outsourcing
- Due Diligence
- Risk Considerations
- Management Considerations
- Conclusion
- References

3 Philip Romero, CISSP, CISA
- Vice President, ISSA-SVC
- Information Systems Auditor

4 What is an Outsourced Service Provider? Any person or entity that maintains or processes company information, or is otherwise permitted access, in order to perform services for a company, but is not directly employed by the company.

5 Responsibilities "…senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution." – FFIEC

6 Due Diligence
- Company financial & business standing
- Review of audits (SAS 70 or others)
- Client interviews or visits
- Risk assessment

7 Company Financial & Business Standing
- How long has the company been in business?
- Have they been profitable?

8 Review of Independent Audits
- SAS 70 Type I & II (a Type I report covers the design of controls at a point in time; only a Type II report tests whether the controls operated effectively over a period. SAS 70 has since been superseded by SSAE 16 / SOC 1, and a SOC 2 report is the one that covers security, availability and confidentiality controls.)
- Six Sigma
- Others (e.g. Pen Testing)

9 Client Interviews or Site Visits
- Did the company deliver what they said they would?
- Does the product or service function as described?
- Did the implementation go as planned?
- Do the security controls operate as defined?

10 Risk Considerations
- Application Security
- Network Security
- Physical Security
- System Administration
- Business Continuity & Disaster Recovery Planning

11 Management Considerations
- Contract Negotiations
- Statement of Work
- IT Strategic Impact
- Benefits Realization
- High Level Monitoring
- Customer Satisfaction
- Data Security
- Network Connectivity & Security
- Regulatory Compliance

12 Outsourcing Management Study A 2000 study of 29 major outsourcing engagements over eight years reported that 35% of the arrangements failed.

13 Management Considerations
- Contract Negotiations
  - Get it in writing
  - It does not have to be business as usual
- Statement of Work
  - Clearly define roles and expectations

14 Management Considerations
- IT Strategic Impact
  - How does the outsourced service affect strategic goals?
  - Do strategic goals need to be re-evaluated due to the outsourcing of services?
- Benefits Realization
  - Are the goals of outsourcing being achieved?

15 Management Considerations
- High Level Monitoring
  - Review corporate news
  - Review updated audit reports
- Customer Satisfaction
  - Are customers satisfied with the outsourced arrangements?
  - Have the arrangements increased or hindered profits?

16 Management Considerations
- Data security
  - Has your company classified the information used and managed by the outsourced company?
  - Has the appropriate protection been defined?

17 Management Considerations
- Network connectivity & security
  - How do your companies exchange information?
  - Are data circuits encrypted?

18 Management Considerations
- Regulatory compliance
  - HIPAA
  - GLB (Gramm-Leach-Bliley Act)
  - SOX (Sarbanes-Oxley Act)
  - CA Civil Code 1798.80 – 1798.84 (SB1386, the California breach notification law)

19 Conclusion
- Reasons for Outsourcing
- Due Diligence
- Risk Considerations
- Management Considerations

20 References
- IT Governance Institute, http://www.itgi.org/
- Information Systems Audit and Control Association, http://www.isaca.org/
- NIST Computer Security Resource Center, http://csrc.nist.gov/
- Federal Financial Institution Examination Council, http://www.ffiec.gov/
