It is common for community financial institutions to outsource some of their most critical systems, including their core system and Internet banking sites. Outsourcing helps keep the data center footprint small and can be incredibly cost-effective compared to hiring and retaining expensive IT staff.
But outsourcing does not eliminate the responsibility of the institution to ensure that the outsourced systems are secure. This week, we will look at some security-related topics that you should make sure are part of your risk assessment process for outsourced systems:
- Make sure you understand how the service provider segregates institutions: Different outsourcing models provide different levels of segregation. In some models, a provider will have completely separate systems for each institution. More commonly, there will be places where systems are shared between institutions. In these cases, the institution needs to thoroughly understand how the provider keeps each institution's customer information isolated from the other institutions on the same systems.
- Make sure you know where the data really is located: While you might believe that a service provider will store and process your data on systems that they manage, in today’s cloud-based environment they may actually be using someone else’s cloud. Be sure to ask what subcontractors the service provider uses to store or process your customer data, and to perform due diligence on those providers also.
- Review third-party audits and reviews: You may not have the resources to perform your own audit of your service provider, but you should have access to, and be carefully reviewing, any audit or exam reports the service provider can share with you. Do not be afraid to ask for clarification on any items that appear abnormal.
- Understand business continuity standards: Institutions are often surprised to learn that their service provider does not have the ability to quickly recover their systems. Because of the scale at which service providers operate, they will often take longer to recover your systems than if you managed them yourself. Make sure that you understand how long it will take to recover your systems, and make sure your internal BCP plans take these recovery times into consideration.
- Understand what internal controls your service provider utilizes: The employees of the service provider should not have unmonitored access to your data. Your risk assessment of your service provider should review the controls that your vendor has in place to ensure that your customer data is secured and that any access to it is logged and monitored.
If you find yourself in need of help assessing the risk of internal or outsourced systems, reach out by phone or email and we'll be sure to help you make the best choice.