Vendor Risk Management from a TSP Perspective
John Dulweber – Deputy CRO
September 2016

©2015 FIS and/or its subsidiaries. All Rights Reserved. FIS confidential and proprietary information.


A Balancing Act

Regulatory and Internal Risk programs are dictating that financial institutions perform extensive Vendor Risk Management (VRM) activities to monitor their Technology Service Provider (TSP) partners.

As the largest Technology Service Provider in the world, FIS’ Client Risk Relations program is constantly evolving to address requests from our clients. We have collected some recommendations to help financial institutions complete their VRM activities in a more efficient manner, benefiting both the Financial Institution and the Technology Service Provider.

Many TSPs have thousands of financial institution clients, and Vendor Risk Management requests from these clients can stretch their resources thin.

Recommendations from a TSP perspective

1. Understand the Relationship and Risk
2. Develop a multi-year plan using a risk-based approach to monitor TSPs
3. Utilize proactively provided materials prior to requesting one-on-one assessments or meetings
4. Attend Client Events

1. Understand the Relationship and Risk

Many TSP/Financial Institution relationships span multiple products. These products have different functions and therefore different relative risk. It is important to risk rank each of those products and determine your scope of VRM activities using a risk-based approach.

Example: The risk related to running a TSP-hosted core banking application should be considered separately from the risk of licensing software from that same TSP.

In order to fully understand the product’s function and impacts to your own operational risk and compliance programs, include Line of Business, Operational Risk and Compliance associates in the Risk Assessment process.

2. Develop a multi-year plan using a risk-based approach to monitor TSPs

For a more surgical approach to monitoring TSPs, create a multi-year plan and stagger activities based on relative risk, thus maximizing resource time on both sides.

Completing the same procedures on all products every year is inefficient.

[Figure: five-year staggered monitoring plan, Year 1 through Year 5]

3. Utilize proactively provided materials prior to requesting one-on-one assessments or meetings

Reading various reports and program documentation prior to engagement will enable your assessors to better risk rate the relationship and product set and plan VRM activities accordingly.

Take advantage of the following assessments and program documentation to maximize efficiency:

Regulatory Reports

Shared Assessments

Certifications (ISO, PCI)

Disaster Recovery Exercise Results

Service Auditor Reports (SSAE16, SOC II)

Risk, Information Security and Compliance program manuals

FIS Vendor Management Resource Center

The VMRC contains the following collateral: Guidebook; Assessments & Certifications; SIG Questionnaires; Regulatory Materials; Hot Topics Bulletins; Miscellaneous.

Hot Topics Bulletins

Hot Topics Bulletins include:

Descriptions of current critical vulnerabilities

FIS’ remediation approach to these vulnerabilities

Recommended client remediation activities

These bulletins are the most downloaded item on the VMRC.

Example from FIS

VMRC Guidebook

In the VMRC Guidebook, documentation is tied to Regulatory Guidance. It provides a description of all collateral located on the VMRC.

Assessments

SOC I (SSAE16): A test of internal controls over financial reporting, including testing of general computing controls.

FIS has one data center-level SOC I report covering 5 data centers

FIS has 22 product-level SOC II reports (25 including international)

SOC II: A test of internal controls over Information Security.

FIS has one data center-level SOC II report covering 5 data centers

FIS has 3 product-level SOC II reports (5 including international)

For additional information, refer to the appendix

Certifications

ISO 22301: An international certification for Business Continuity and Disaster Recovery Management. FIS is ISO 22301 certified at 11 sites.

ISO 27001: An international certification for Information Security. FIS is ISO 27001 certified at 8 sites.

Payment Card Industry (PCI): A proprietary information security standard for organizations that handle branded credit cards from the major card brands.

For additional information, refer to the appendix

Shared Assessment Standard Information Gathering (SIG) Questionnaires

The Shared Assessment Standard Information Gathering (SIG) Questionnaire contains a robust yet easy to use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment. The SIG questions are based on referenced industry standards (including, but not limited to, FFIEC, ISO, COBIT and PCI).

Organized by data center

Over 1000 security-related questions completed for 16 data centers

Should be the first response to every client questionnaire request*

*Many clients don’t realize that their own questionnaires are based on the SIG

Regulatory Materials

Did you know… The number-one finding from Regulatory Agencies related to Vendor Risk Management is the failure to review their critical vendors’ regulatory reports.

Regulated Financial Institution clients have access to the following documentation pertinent to regulatory matters:

+ Security and Risk Strategic Update: Details FIS’ action plan against current Matters Requiring Attention

+ Board Presentation: A non-branded presentation of FIS status against Matters Requiring Attention, including the Security and Risk Strategic Update, to be used by clients when presenting to their boards

Miscellaneous

Results of Disaster Recovery Exercises

RISC program manual documents

Financial health information

Business overview

Governance structure information

FIS Policy summaries

4. Attend Client Events

Some examples of events that give additional insight into the client’s VRM needs include:

+ TSP-provided Vendor Risk Management conferences

+ User Groups and Advisory Councils

+ Product conferences

Benefits of attending client events:

+ Better understand the TSP’s programs and controls

+ Meet and network with other clients of the TSP to discuss Vendor Risk Management matters

+ Further develop relationships with your TSP

Risk & Security as a Service

Founded on FIS’ Principles. Driven by FIS’ People, Process, and Technology.

Vendor Risk Manager: Centralizing the due diligence of third party risk via FIS’ people, process and platform end-to-end

• Configurable, comprehensive Risk Scoring
• Configurable Inherent Risk Scoring (Completion, Monitoring, and Support)
• Global Watch List Checks (incl. Country and Geopolitical risks)
• Ongoing Financial Health Monitoring (Public and Private Sectors)
• Regulatory (OCC) and Industry (PCI/CFPB) Compliance Monitoring
• Annual Control Survey and Audit Review Completion/Support
• Real time access to FIS Professional Risk Support Services

Perimeter Defense: Identifying and prioritizing vulnerabilities that are exposed to the public internet daily

• Daily External Vulnerability Identification
• Configurable Vulnerability Risk Scoring and Prioritization
• User-defined, configurable Risk Remediation Timelines
• Vulnerability Management notifications and workflows
• Custom Scan, Vulnerability and End User Reports
• Real time access to FIS Professional Security Support Services

Internal Defense: Discovering and monitoring IT assets, internal vulnerabilities, and end point controls

• Weekly Internal Device Vulnerability Identification
• Ongoing Device End Point Control Compliance Monitoring
• Custom Vulnerability Risk Scoring and Prioritization
• Custom Risk Remediation Timelines
• Vulnerability Management notifications and workflows
• Custom Scan, Vulnerability and End User Reports
• Real time access to FIS Professional Security Support Services

Contact Tariq Bokhari – [email protected]

Example from FIS

FIS Vendor Risk Manager as a Service (VRMaaS)

Anatomy of a Complete Vendor Risk Solution

Inherent Risk Exposure: Consistent, quantitative, and defensible inherent risk score for every vendor based on the unique characteristics of each relationship

Watchlists: Screening & monitoring of over 300 watch lists around the globe, including historical values and related entities

Financial Health: Data feeds from multiple sources of industry financial and credit data to identify at risk vendors and impact risk scoring for a complete picture of vendor financial health

Regulatory Compliance: Monitoring of CFPB consumer complaints, regulatory penalties and findings, all included in the quantitative risk scoring model

Industry Compliance: Monitoring industry compliance, including PCI compliance, SSAE16, SOC 2, and ISO27001

Control Effectiveness: Dynamic, relationship specific internal control reviews utilizing proven methodologies, trained operational experts, and leveraging platform automation

Not Just One Time… In Real Time with Alerts & Warnings

Example from FIS


Two days of presentations regarding FIS’ Risk, Information Security, Compliance and Internal Audit programs

Access to FIS Executives who govern these programs during the conference and at lunch and dinner

Ability to ask questions and satisfy the “onsite” review

Opportunity to network with peer Financial Institutions

Tour of our Brown Deer facility to view physical and environmental controls

Example from FIS

Q & A