Download - risk assessment vendor contract spreadsheet
8/13/2019 risk assessment vendor contract spreadsheet
http://slidepdf.com/reader/full/risk-assessment-vendor-contract-spreadsheet 1/12
Risk Assessment – Contract Issues

Rating columns for each item: Risk Description | Completely Implemented | Partially Implemented | Aware, But Not Implemented | No Awareness | Not Applicable | Risk Rating

Scope of Service

1. Does the contract clearly describe the rights and responsibilities of the parties to the contract?

2. Does the contract give consideration to timeframes and activities for implementation and assignment of responsibility? Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization), if applicable?

3. Does the contract give consideration to services to be performed by the service provider, including duties such as software support and maintenance, training of employees or customer service?

4. Does the contract give consideration to the obligations of the bank?

5. Does the contract give consideration to the contracting parties' rights in modifying existing services performed under the contract?
6. Does the contract give consideration to the guidelines for adding new or different services and for contract renegotiation?

Performance Standards

7. Does the contract include performance standards defining minimum service level requirements and remedies for failure to meet the standards in the contract (e.g., system uptime, deadlines for processing, processing errors)?
Security and Confidentiality

8. Does the contract address the service provider's responsibility for security and confidentiality of the bank's resources (e.g., information, hardware)?

9. Does the contract prohibit the service provider and its agents from using or disclosing the bank's information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to bank competitors)?

10. Does the contract request that if the service provider receives nonpublic personal information regarding the bank's customers, the service provider will assess the applicability of the privacy regulations?

11. Does the contract require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the bank or its customers?

12. Does the contract require the service provider to report to the bank when material intrusions occur, the effect on the bank, and corrective action to respond to the intrusion?

Controls

13. Does the contract give consideration to provisions addressing internal controls to be maintained by the service provider?

14. Does the contract have a provision addressing compliance with applicable regulatory requirements?
15. Does the contract contain a provision for records to be maintained by the service provider?

16. Does the contract provide for access to the records by the bank?

17. Does the contract contain a clause for notification by the service provider to the bank and the bank's approval rights regarding material changes to services, systems, controls, key project personnel allocated to the bank, and new service locations?

18. Does the contract contain controls for the setting and monitoring of parameters relating to any bank function, such as payment processing and any extension of credit on behalf of the bank?

19. Does the contract specify insurance coverage is to be maintained by the service provider?

Audit

20. Does the contract state the types of audit reports the bank is entitled to receive (e.g., financial, internal control and security reviews)?

21. Does the contract specify the audit frequency, cost to the bank, if any, as well as the rights of the bank and its agencies to obtain the results of the audits in a timely manner?

22. Does the contract specify any rights to obtain documentation regarding the resolution of audit-disclosed deficiencies and inspect the processing facilities and operating practices of the service provider?
23. Does the contract contain a provision for which bank management may obtain independent internal audits completed by the service provider audit staff and the need for external audits and reviews (e.g., SAS 70 Type I and II reviews)?

24. Does the contract provide terms requiring periodic audits to be performed by an independent party with sufficient expertise in Internet-related services? These audits could include penetration testing, intrusion detection, and firewall configuration. The contract should allow for sufficiently detailed reports to be provided to bank management to adequately assess security without compromising the service provider's security.

Reports

25. Do the contractual terms reflect the frequency and type of reports the bank will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports)? Guidelines and fees for obtaining customer reports should also be stated.

Business Resumption and Contingency Plans

26. Does the contract address the service provider's responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans? Responsibilities should include testing of the plans and providing results to the bank.
27. Does the contract consider interdependencies among service providers when determining business resumption testing requirements?

28. Does the contract state that the service provider will provide the bank with operating procedures the service provider and the bank are to implement in the event business resumption contingency plans are implemented?

29. Does the contract include specific provisions for business recovery timeframes that meet the bank's business requirements?

30. Has management ensured that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans?

Subcontracting and Multiple Service Provider Relationships

31. If in the event that the service provider subcontracts with third parties, does the contract provide for accountability, an agreement, and a designation for the primary contracting service provider?

32. Does the contract provide a provision specifying that the contracting service provider is responsible for the service provided to the bank regardless of which entity is actually conducting the operations?

33. Does the contract provide a provision for notification and approval from bank management regarding changes to the service provider's significant subcontractors?
Cost

34. Does the contract fully describe fees and calculations for base service, including any development, conversion, and recurring services, as well as any charges based upon volume of activity and for special requests?

35. Is the cost and responsibility for purchase and maintenance of hardware and software identified in the contract?

36. Does the contract state any conditions under which the cost structure may be changed, in detail, including limits on any cost increases?

Ownership and License

37. Does the contract address ownership and allowable use by the service provider of the bank's data, equipment/hardware, system documentation, system and application software, and other intellectual property rights? Other intellectual property rights may include the bank's name and logo; its trademark or copyrighted material; domain names; web site designs; and other work products developed by the service provider for the bank.

38. The contract should not contain unnecessary limitations on the return of items owned by the bank.

39. Does the contract allow for escrow agreements pertaining to the purchase of software by the bank?
40. Do the escrow agreements provide for the following: bank access to source programs under certain conditions (e.g., insolvency of the vendor), documentation of programming and systems, and verification of updated source code?

Duration

41. Does the contract consider the type of technology and current state of the industry when identifying the length of the contract and its renewal periods?

42. Does the contract specify the appropriate length of time required to notify the service provider of the bank's intent not to renew the contract prior to expiration?

43. Does the contract specify penalties for early termination?

Dispute Resolution

44. Does the contract provide a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period?

Indemnification

45. Does the contract have an indemnification provision that requires the bank to hold the service provider harmless from liability for the negligence of the bank, and vice versa? If so, this provision should be reviewed in depth to reduce the likelihood of potential situations in which the bank may be liable for claims arising as a result of the negligence of the service provider.
Limitation of Liability

46. If the contract has a limitation of liability clause limiting the amount of liability that can be incurred by the service provider, does the damage limitation bear an adequate relationship to the amount of loss the bank might reasonably experience as a result of the service provider's failure to perform its obligation?

Termination

47. Does the contract provide for flexibility of termination rights? Contracts for technologies subject to rapid change, for example, may benefit from greater flexibility in termination rights.

48. Do the termination rights cover such items as change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy, company closure, and insolvency?

49. Does the contract permit the bank to terminate the contract in a timely manner and without prohibitive expense? The contract should specify termination and notification requirements with time frames to allow the orderly conversion to another provider.

50. Does the contract provide for the return of the bank's data, as well as other bank resources, in a timely manner and in machine-readable format?

51. Does the contract clearly state any costs associated with transition assistance?
Assignment

52. Does the contract contain provisions that prohibit assignment of the contract to a third party without the bank's consent, including changes to subcontractors?

Overall Rating