Are you “at the mercy of your service provider”?

January 2, 2009

We received an email today from a credit union examiner in the eastern United States.  We had the privilege of providing him a week of IT training earlier in the year through our relationship with NASCUS.  He wrote, “So many of these small to medium size shops are at the mercy of the service provider and therefore rely on them for everything… what kind of detail should a vendor provide to the credit union about IT controls?”

The email was predicated upon the regulatory stance that financial institutions, regardless of outsourcing and vendor services, are THE entity ultimately responsible for the security of customer/member information.

At the request and with permission from the credit union he was examining, the examiner sent over a copy of a network diagram that a vendor had provided to the small credit union.  The diagram was completely lacking in detail.  It did not depict firewalls, it did not depict whether VPN technology was deployed, it did not show any domain controller or network server, it did not depict the operating systems in use, and it did not indicate any information about the types of services (TCP/IP ports) in use.  And this small credit union did not know how to evaluate the diagram for either the sufficiency of the information provided or the adequacy of the controls.

In our opinion, the only way a bank or credit union can evaluate the sufficiency of vendor controls is to have a competent and independent person ask the “right” questions and evaluate the information provided.  Many smaller financial institutions (FIs) don’t have the required competency on staff.  And some say they can’t afford the services of a specialist like TrustCC.  In these cases we’ve tried to work with the small FIs to provide the required services at very affordable pricing, but sometimes there is “no money in the coffers.”  In that case we’ve advocated the use of a worksheet we’ve created for small entities without the necessary competencies.  See our worksheet titled Security Self Testing Guidelines.PDF.  You can find it by going to www.trustcc.com, clicking <resources> and then <checklists and samples>.  (*see note at bottom)

So allow us to answer the question generically, “What kind of detail should a vendor provide to the credit union about IT controls?”  In this example the vendor provided a core banking system that was hosted at the vendor.  The text below could be considered the “bare minimum” and is absolutely not an exhaustive list.  It is, however, a starting point.

The vendor should, at a minimum, provide a Service Auditor’s Report (often called a SAS 70; be sure it is a Type II report).  The SAS 70 should contain a “clean opinion” and should clearly articulate the controls that must be managed by the FI (called the user/client control considerations).  The vendor should also provide a network diagram or other documentation that shows how the vendor has configured the systems at the FI that are used to connect to the vendor.  That documentation should explain how the FI is protected by firewalls and other network controls, and those controls should protect the FI from an attack originating from the vendor or from any other network connection (including the Internet).  The vendor should articulate how it applies patches and updates to the systems housed at the FI so that known vulnerabilities are resolved in a timely manner.  The vendor should state whether data is encrypted in storage and whether it is encrypted when transmitted across the network to and from the vendor.  The vendor should explain how reasonable controls such as complex passwords and audit logging are enforced.  Finally, the vendor should explain how FI employee access is established and regulated so that each employee receives only the amount of access necessary for job performance.

There is plenty more that could/should be determined depending on the scenario.  Hopefully this post provides a good starting point!

– TrustCC

*Note:  TrustCC does not in any way endorse using the worksheet we’ve provided as a substitute for an audit or assessment by competent and independent personnel.  The worksheet is a helpful tool when a small financial institution cannot allocate any funds to using a team like TrustCC for an appropriate evaluation.
