Transcript Document
Automating Vendor Management
Tuesday 11:30 am – 12:30 pm
Roger Chalkley, Home Bank S B

Home Bank S B
• Located in South Central Indiana
• Three branches
• Established in February 1890
• $230 million in assets
• OCC regulated
• 70 employees

• Access Management
• Risk Analysis
• Incident Response
• Governance Policy
• AUP
• Security Standards
• Asset Management
• Business Continuity
• Vendor Management

Where did we start?
• Accounts payable vendors
  – Created a spreadsheet
• Eliminated all “marketing vendors”
  – Charitable donations
  – Yearbook ads
• Assigned vendor owners

Definitions
• Vendor – A person or entity that provides a product or service to the bank
• Risk Rating – We risk rate vendors based on:
  – The amount and sensitivity of customer information to which they have access
  – The extent to which our business would be disrupted if the vendor relationship ends
  – The amount of money spent annually

Definitions (continued)
• Critical Vendors
  – “Hosting” of customer information
  – Access to a large volume of customer information, or to highly sensitive customer information
  – A terminated relationship would cause major disruption
  – Annual payments from the bank > $50K
• Regulated Vendors
  – Vendors who are legally required to comply with federal privacy laws by virtue of being regulated by a federal agency

Critical Vendor Documentation: Needed Components
• SSAE 16 report
• Financial statements
• Tracking/reporting on performance
  – Are they meeting SLAs?
• Reporting and follow-up of issues with the vendor

New SSAE 16 Standard
Replaced the old SAS 70, effective June 15, 2011.
• SOC-1: Financial Reporting Controls
  – Includes a written assertion from management on the fairness of the auditor’s presentation of the system description
    • Type 1 also reports on the control design
    • Type 2 reports on the control design AND effectiveness
  – Clarifies that the user auditor evaluates the proper choice of controls
• SOC-2: Operational Controls
  – Reports on management’s description of a service organization’s system AND
    • Type 1 also reports on the suitability of the design of controls
    • Type 2 also reports on the suitability of the design and the operating effectiveness of controls
• SOC-3: Operational Controls
  – Trust Service Report for Service Organizations
  – CPA’s opinion

FIS Governance Site Info
• HTTPS://GOVERNANCE.FNIS.COM
• If you do not have access credentials, send a request to: [email protected]
  – Subject line: “Governance Website Access Request”, with the following info in the email body:
    • First Name:
    • Last Name:
    • Company Name:
    • Contact Phone:
    • Contact E-mail: (must be a company e-mail address)
    • Desired User Name:
Please note: It can take up to 24 hours to process your registration once it is received. You will receive an e-mail from [email protected] with your login credentials once your registration is processed.

Reviewing a SOC-1 or SOC-2 Report
• Understand the scope of the review
  – Read the entire report
  – Pay attention to the auditor’s opinion
    • Were all controls tested without exception (Type II)?
    • If there were exceptions, are there sufficient controls?
• Review the User Control Considerations
  – Document the controls you have in place to address those areas

Reviewing a SOC-1 or SOC-2 Report (continued)
• Document your review
• Conclusion – “Based on our review of the FIS Charlotte Service Center SOC-1 report for the period of February 1, 2011 to October 31, 2011, the FIS controls upon which Home Bank relies were appropriately designed and operating effectively.”

Software Automation
• SSAE 16
• Financial review
• Insurance
• SLA & performance
• Gathering/storage of documentation
• Vendor owner assessment
• Annual risk assessment
• Key date notifications