|
|
|
| BITS IT
Service Provider Expectations Matrix |
|
|
| The BITS IT Service Provider Expectations Matrix was created to promote a common understanding among inte=
rested
parties of the financial services industry’s needs related to
information technology practices, processes and controls. By providing
financial institutions, service providers, and audit and assessment
organizations with a comprehensive set of expectations, the Expectations Matrix helps
financial services companies to identify risks and comply with regulatory
requirements, as well as to eliminate gaps in the audit and assessment
processes. |
|
| Presented
in a spreadsheet, the Expectations Matrix <=
font
class=3D"font9">outlines in detail service-provider practices, processes =
and
controls relevant to financial services industry and regulatory requireme=
nts.
Using ISO 17799 as a guide, the Expectations
Matrix covers ten security control areas: |
| · =
Security Policy |
| · =
Organizational Security |
| · =
Asset Classification and Control |
| · =
Personnel Security =
|
| · =
Physical and Environmental Security |
| · =
Communication and Operations Management |
| · =
Access Control |
| · =
System Development and Maintenance |
| · =
Business Continuity Management |
| · =
Compliance with Legal/Regulatory Requirements |
|
| While
the specific controls and requirements will vary with risk and the nature=
of
the outsourced service, the expectations provide a template for the
information financial institutions need in order to understand and manage
risk. =
|
|
| Background |
| When
applications, systems and services are outsourced, responsibility for
reputation, transactional, regulatory and other risks associated with the
outsourcing relationship remains with the financial institution. To devel=
op
an appropriate risk-mitigation strategy, the institution must be able to
identify and understand the controls on which the service provider relies=
to
address risks associated with outsourced services. |
|
| Using
the Expectations Matrix |
| For
each control area, the Expectations Matrix<=
font
class=3D"font9"> identifies a high-level industry expectation and the doc=
uments
a financial institution or audit/assessment organization may request. Sam=
ple
questions are then listed, along with one or more possible summary questi=
ons,
to provide direction on the specific areas of interest necessary to valid=
ate
the high-level expectation. Answers to these questions will allow the
financial institution to gain the information it requires to evaluate ris=
k,
create mitigation strategies, and satisfy regulatory requirements.=
|
|
| Expectations
Matrix Benefits |
| Increasingly,
financial institutions are deploying their own internal resources or third
parties to perform due diligence and ongoing reviews to fill gaps in their
assessment requirements.
Consequently, service providers, which may have spent considerable
resources preparing audit and assessment reports, often receive additional
and inconsistent demands for information about their operations. The
Expectations Matrix provides financial institutions, service providers, a=
nd
audit and assessment organizations with a tool to help streamline their
processes. For example: |
| · =
Financial institutions can u=
se the Expectations Matrix as they=
develop
internal due-diligence and monitoring questionnaires for service provider
operations. |
| · =
Service providers can use th=
e Expectations Matrix as they=
respond
to financial institution questionnaires and define control objectives for
audits and assessments. |
| · =
Audit and assessment organizations
can use the Expectations Matrix as they work with financial institutions and service pro=
viders
to verify and test controls. |
|
| About BITS |
| BITS
was created in 1996 to foster the growth and development of electronic
financial services and e-commerce for the benefit of financial institutio=
ns
and their customers. A nonprofit industry consortium that shares membersh=
ip
with The Financial Services Roundtable, BITS seeks to sustain consumer
confidence and trust by ensuring the security, privacy and integrity of
financial transactions. BITS works as a strategic brain trust to provide
intellectual capital and address emerging issues where financial services,
technology and commerce intersect. For more information about BITS, go to
www.bitsinfo.org. |
|
| BITS |
| 1001
Pennsylvania Avenue NW |
| Suite
500 South |
| Washington,
DC 20004 |
| (202)
289-4322 |
| www.bitsinfo.org |
|
|
|
------=_NextPart_01C5A89A.7EF40B40
Content-Location: file:///C:/E5382234/1SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet003.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| BITS IT Service Providers Working Group Security
Assessments Project Team |
|
|
|
|
| IT
Service Providers Working Group Co-Chairs |
| Lari
Sue Taylor, FleetBoston Financial Corporation |
| Viveca
Ware, Independent Community Bankers of America |
|
|
| Security Assessments=
Project
Team Chair |
|
| Wayne
Browning, FleetBoston Financial Corporation |
|
|
| BITS Staff |
|
| Faith Boettger, Seni=
or
Consultant |
|
| John Carlson, Senior=
Director |
|
| Margaret Prior, Admi=
nistrative
Assistant |
|
|
|
|
|
| S=
ecurity
Assessments Project Team Participating Institutions |
|
|
| America’s
Community Bankers |
Lauritzen Corporation |
| American
Bankers Association |
M&T Bank Corporation |
| Association
for Payment Clearing Services |
Marshall & Ilsley Corporation |
| Bank of
America Corporation |
MBNA Corporation |
| The Bank
of New York Company, Inc./ |
Mellon Financial Corporation |
Pershing LLC
| National City Corporation |
|
| BANK ONE
CORPORATION |
Nationwide |
| BB&T
Corporation |
The PNC Financial Services Group, Inc. |
| Capital
One Financial Corporation |
Providian Financial Group, Inc. |
| Citigroup
Inc. |
Regions Financial Corporation |
| Comerica
Incorporated |
Sky Financial Group, Inc. |
