Developing a Successful Service Provider Oversight Program

By Kevin Tsuei, CISA and CISSP, and Vivian Wei, AuditOne LLC

Outsourcing certain technology operations can undoubtedly be a cost-effective means by which an institution meets its needs. However, reliance on a third-party provider is always accompanied by an unknown degree of risk. Not only are effective risk management practices imperative to protecting the security and interests of an institution, they are also an expectation, as the board of directors and senior management bear the full responsibility of the safety and soundness of all activities regardless of whether they are performed in-house or outside.

As an increasing number of community banks expand their use of cloud computing (one of many examples of increased reliance on third-party providers), regulators have become more stringent about how management evaluates and monitors outsourced vendors. In this article, we will explain how management can create and implement an effective service provider oversight program. We will also discuss an appropriate response plan for when a vendor is affected by negative news or regulatory orders.

In 2012, the FFIEC issued a revised IT Examination Booklet on the Supervision of Technology Service Providers (TSP Booklet). A year later, the OCC issued Bulletin 2013-29, which detailed risk management guidance for third-party relationships. The general purpose of the OCC guidance is to help banks implement a proper risk management process: identify risks, conduct appropriate vendor due diligence, inspect written contracts, implement ongoing monitoring, ensure a contingency plan is in place if the relationship terminates, identify appropriate parties to oversee the vendor, retain proper documentation and reporting, and conduct independent reviews of this area.

As with any risk management process, a service provider oversight program should begin with a vendor risk assessment. There are many types of risks to consider when evaluating service providers. However, the risk assessment process need not be overly complex. For example, it can be a simple scoring system based on several inherent risk factors: GLBA, strategic, operational, reputational, compliance/regulatory, and transactional risks.

We will develop a robust methodology for GLBA risks as an example. A typical evaluation of GLBA risks includes the following: What types of sensitive information does the vendor store or have access to? Does the service provider transport the data? We generally recommend management evaluate GLBA risks by using a four-tier risk scoring system:

  • A score of 0 indicates the vendor does not store or have access to any sensitive customer information.
  • A score of 1 indicates the vendor has access to basic customer information such as names and contact information (e.g., marketing companies).
  • A score of 2 indicates the vendor has access to account specific information such as account balances and activities (e.g., statement printing vendor).
  • A score of 3 indicates the vendor has sensitive information such as customer Social Security numbers, birthdays, etc. (e.g., core processor).

The remaining risk factors should be given similar treatment, but due to space limitations, we will not be addressing them in detail.

After the risk scores have been tallied for all service providers, management can classify them into multiple categories (high, medium, or low risk). A risk management program or policy can then be created to minimize residual risk. This policy would address the initial due diligence and ongoing monitoring based on the risk of the vendors.

  • For example, for high-risk vendors, we typically observe that management reviews vendor due diligence materials such as SSAE 16 or other third-party audit reports, financial statements, business continuity plans, penetration test results, insurance, references, etc.
  • Other documentation should be considered as well. For example, management should ask for a Red Flags policy from vendors that hold critical customer-sensitive information (e.g., core processors). Also, a Certificate of ACH Audit should be obtained from ACH service providers; the certificate confirms that the vendor has been audited against NACHA rules.
  • In addition to reviewing materials for initial due diligence and ongoing monitoring, management should review contracts thoroughly. At a minimum, a contract should contain common clauses such as confidentiality, service level agreement (SLA), and termination.
  • However, if the service provider stores your data, it is important to look for clauses such as data ownership and security breach reporting. Data ownership defines who owns the data being stored by your vendor. It should also state what will be done with the data upon termination: will the data be returned to its rightful owner, and will it be disposed of securely? Security breach reporting is crucial for vendors that possess your data (e.g., a cloud computing provider). The clause should clearly state the timeframe within which the vendor must report a breach.
  • Another important clause to look for in a vendor contract is an auto renewal clause. Many technology vendors have auto renewal clauses, which commonly require a termination letter 90 days prior to contract expiration. Some vendors may even have automatic fee increase clauses: if termination is not sent 90 days prior to the contract renewal date, fees are automatically increased.
  • Lastly, it is important to determine whether the Bank has the right to obtain audit reports or inspect the service provider’s environment. This clause is often overlooked but can be important as part of your vendor due diligence.

In recent years, a few technology vendors have faced regulatory orders; a C&D order was issued against Fundtech Corporation and BServ, Inc. as recently as December. When responding to such an order, it is important for the Bank to document the process leading up to the decision to part with or remain with the technology vendor. If management decides to stay with the vendor, it should document its reasons and the ways in which the order will affect the Bank. It is recommended that the analysis be submitted to both the IT Steering Committee and the Board for review.

To decrease audit and regulatory risks, it is important for banks to document their initial due diligence and ongoing monitoring of vendors. For example, a contract clauses checklist can aid management in documenting the review to ensure the consistency of the process. When reviewing due diligence material, it is important to record the analysis and report it in your annual Information Security Report.


Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 21 – March 2014.


Protecting Your Infrastructure from Modern Malware, Insider Misuse and Miscellaneous Error

By Robert Kluba, CISM, MCSE and Kevin Tsuei, CISA, CISSP, AuditOne LLC

According to Verizon’s 2014 Data Breach Investigations Report, 17 percent of all data breach incidents against the financial services industry fall under insider misuse, miscellaneous error, crimeware (malware) or cyber espionage. The remaining 83 percent includes web application attacks, denial of service, payment card skimmers, theft/loss, point-of-sale intrusions and everything else. While web app attacks, payment card skimmers and denial of service make up the top three data breach incident sources, these topics will not be our focus here, since most community banks outsource their informational website and online banking platforms to third-party service providers. Our focus will be on the first four categories – the 17 percent – since they directly impact smaller banks’ internal IT infrastructure.

There are a number of steps community banks can take to limit the inherent risk of these incidents. A layered approach is one of the most effective ways to protect your institution. Such an approach includes not only malware protection on endpoint workstations, servers and web gateways, but also user training, security measures and access controls.

Web Security Gateway
To block malware from reaching servers and workstations, the first layer should be a web security gateway. An effective gateway can scan for malicious URLs and malware before it reaches the internal network. According to a 2014 report published by Osterman Research, nearly three in four organizations have experienced malware infiltration through web surfing in the past year. A bank can configure a web security gateway to scan Internet requests and stop employees from downloading malware or accessing potentially dangerous websites. A proactive web security gateway provider can also scan web traffic to identify legitimate websites that may have been infected with malicious links.

Mail Security
The second most common type of malware infiltration is through email. According to Osterman Research, this is where 64 percent of malware infiltration occurs. Banks should ensure that mail is scanned for malware at the gateway level before reaching the mail server. The mail server should also have an antivirus client installed to scan for malicious attachments. In addition, management should consider restricting employees from accessing their personal webmail. Personal webmail is not scanned as rigorously as the bank’s inbound emails, so the chance of opening an infected attachment or an email with malicious links is greater.

Reduce the Attack Surface
To reduce the attack surface, that is, the targets available for malware to exploit, management can take a number of steps. A bank should conduct a vulnerability assessment periodically in addition to its annual penetration test; this helps management map the attack surface and reduce potential vulnerabilities. The IT department should also periodically review firewalls, security appliances, network devices and servers to ensure these devices are configured properly and updated regularly. We have conducted a number of penetration tests in which we observed that unnecessary inbound firewall rules exposed critical server resources to the public Internet. In addition to reviewing device configurations, management should employ a hardening checklist to ensure all devices are configured to the same standards. The complexity of the checklist can be based on the institution’s risk profile. Lastly, a proper change management system can help detect unauthorized changes and misconfigurations made by IT personnel.
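As an added illustration of the firewall rule review described above (example code written for this article, not a tool from AuditOne or any firewall vendor), the following Python script scans a constructed rule set for inbound allow rules that let external sources reach internal hosts on services that should not be exposed to the Internet. The internal address range, the list of risky ports and the sample rules are all assumptions.

```python
import ipaddress

# Constructed sample rule set (not from any real firewall): one dict per rule.
RULES = [
    {"id": 10, "dir": "in",  "action": "allow", "src": "0.0.0.0/0",       "dst": "203.0.113.10/32", "port": 443},
    {"id": 20, "dir": "in",  "action": "allow", "src": "0.0.0.0/0",       "dst": "10.0.5.20/32",    "port": 3389},
    {"id": 30, "dir": "in",  "action": "allow", "src": "198.51.100.0/24", "dst": "10.0.5.21/32",    "port": 1433},
    {"id": 40, "dir": "in",  "action": "allow", "src": "0.0.0.0/0",       "dst": "10.0.5.0/24",     "port": 445},
    {"id": 50, "dir": "out", "action": "allow", "src": "10.0.0.0/8",      "dst": "0.0.0.0/0",       "port": 80},
]

# Assumptions: the bank's internal address space, and services that should
# never be reachable from outside it.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
RISKY_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3389: "RDP"}


def inside_internal(cidr):
    """True when the whole network lies within the internal address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(i) for i in INTERNAL)


def touches_internal(cidr):
    """True when any address of the network lies within the internal address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(i) for i in INTERNAL)


def review_inbound_rules(rules):
    """Return (rule id, severity, service) for inbound allow rules that let
    external sources reach internal hosts on a risky service port."""
    findings = []
    for r in rules:
        if r["dir"] != "in" or r["action"] != "allow":
            continue
        if r["port"] not in RISKY_PORTS or not touches_internal(r["dst"]):
            continue
        if inside_internal(r["src"]):
            continue  # internal-to-internal traffic is out of scope for this check
        any_source = ipaddress.ip_network(r["src"], strict=False).prefixlen == 0
        severity = "high" if any_source else "medium"  # "any" source is the worst case
        findings.append((r["id"], severity, RISKY_PORTS[r["port"]]))
    return findings


if __name__ == "__main__":
    for rule_id, sev, svc in review_inbound_rules(RULES):
        print(f"rule {rule_id}: {sev} - {svc} reachable from outside the internal network")
```

Rule 10 is not flagged because it publishes HTTPS on a DMZ address outside the assumed internal range; rule 30 is flagged at lower severity because the source is a specific external range rather than "any".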

Ensure All OSs, Applications and Browsers are Patched
Banks should ensure they have a patch management program in place that is audited on a regular basis. Operating system and application vendors release hotfixes, service packs and security patches to correct known defects. These defects are known not only to the vendors but also to malicious hackers who design malware to exploit them. Your managed service provider or internal IT personnel need to have a plan to test and apply patches when they are released. According to Trustwave’s 2013 Global Security Report, the top three client-side vulnerabilities are in Microsoft Internet Explorer, Adobe Flash and Oracle Java. Since many malware attacks occur during web browsing, it is critical that attackers are not able to exploit weaknesses in these web-facing programs. This can be done by keeping browsers and plug-ins up to date or, better yet, by disabling unnecessary plug-ins when possible. Application whitelisting can also help reduce the number of attack vectors: at many of our clients we have observed that some vulnerabilities result from unapproved third-party browsers and software installations.

Restrict User Accounts
According to an article published by Avecto, a company specializing in Windows privilege management, removing local administrative rights on users’ workstations can mitigate 92 percent of critical Microsoft vulnerabilities. The research is based on Avecto’s analysis of all of the security bulletins issued by Microsoft in 2013. In fact, the most frequent online attack vector is Internet Explorer, and based on Avecto’s assessment, 100 percent of the vulnerabilities within Internet Explorer could have been stopped by removing administrative rights.

Data Loss Protection and Autorun
Another way to stop common malware attacks is to disable autorun through Microsoft Directory Services and limit the use of portable storage devices. Disabling autorun stops malware from executing automatically when a USB drive or CD/DVD is inserted in a workstation. Malware spreads easily from these portable devices because they bypass the layered security you have in place for Internet-based malware. To limit the exposure of critical data, management should also enforce security group permissions and data classification so that access to each type of data at the bank can be restricted. In addition, periodic reviews of user accounts can help limit attack vectors. This includes reviewing for terminated users and vendor accounts; eliminating generic, shared and default accounts; reviewing user and group access; and enacting unique and complex password policies across different applications.

Centralized Log Collection and Analysis
Management should also consider employing a SIEM (Security Information and Event Management) system, which can collect logs from firewalls, intrusion prevention systems, network devices, servers and workstations. The collected logs are analyzed against a set of rules to help identify unusual activities and security events. In addition to implementing a SIEM system to monitor security events in real time, management should review its settings periodically to ensure data is being captured and the system is tuned to eliminate noise and surface critical security events.
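To show the kind of rule-based analysis a SIEM performs over collected logs, and the account-review points from the previous section, here is an added Python example (not code from the article or from any SIEM product) that correlates constructed logon events against two rules plus a noise-suppression list. The log format, thresholds, disabled-account list and suppressed scanner address are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events in a simplified syslog-like format (not real logs).
LOG_LINES = """\
2014-06-02T08:15:02 FS01 logon failure user=jdoe src=10.0.7.14
2014-06-02T08:15:04 FS01 logon failure user=jdoe src=10.0.7.14
2014-06-02T08:15:07 FS01 logon failure user=jdoe src=10.0.7.14
2014-06-02T08:15:09 FS01 logon failure user=jdoe src=10.0.7.14
2014-06-02T08:15:11 FS01 logon failure user=jdoe src=10.0.7.14
2014-06-02T08:15:20 FS01 logon success user=jdoe src=10.0.7.14
2014-06-02T09:02:33 DC01 logon success user=vendor_tmp src=10.0.9.50
2014-06-02T09:10:00 DC01 logon failure user=asmith src=10.0.7.22
2014-06-02T09:41:15 WS22 logon success user=asmith src=10.0.7.22
2014-06-02T10:00:00 DC01 logon failure user=svc_backup src=10.0.3.5
"""

# Tuning knobs (all assumed): brute-force threshold and window, accounts that
# should no longer log on, and a known-noisy source (e.g., a vulnerability scanner).
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=2)
DISABLED_ACCOUNTS = {"vendor_tmp"}
SUPPRESSED_SOURCES = {"10.0.3.5"}


def parse(line):
    """Turn one constructed log line into a dict of fields."""
    ts, host, _, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def correlate(lines):
    """Apply two SIEM-style rules and return (rule, user, src) alerts in event order."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in (parse(ln) for ln in lines.splitlines() if ln.strip()):
        if ev["src"] in SUPPRESSED_SOURCES:
            continue  # tuned out as known noise so it does not drown real events
        key = (ev["user"], ev["src"])
        # Rule 1: any successful logon by a disabled, terminated or stale vendor account.
        if ev["result"] == "success" and ev["user"] in DISABLED_ACCOUNTS:
            alerts.append(("disabled-account-logon", ev["user"], ev["src"]))
        # Rule 2: a burst of failures followed by a success from the same source.
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
        elif failures[key]:
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append(("brute-force-then-success", ev["user"], ev["src"]))
            failures[key].clear()
    return alerts
```

The single failure by asmith stays below the threshold and produces no alert, which is the kind of tuning that keeps reviewers focused on the jdoe burst and the vendor_tmp logon.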

Educate Users
Many current malware attacks use social engineering. Management should provide information security training on a regular basis which explains the various social engineering threats and steps that can be taken to prevent a malware attack at the bank. Creating a security-aware culture at a bank requires time and involvement by senior management.

Often, a bank invests in door locks and security guards to deter the security threats it faces. Similarly, a bank can implement the methods highlighted above in order to deter malware security threats. Creating a multi-layered approach, reducing the number of attack vectors, maintaining your systems, restricting user access and administrative capabilities, blocking portable devices, and providing effective education are key steps to securing your bank from potential malware attacks.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 22 – June 2014.