Vendor audit and monitoring contractual rights

All of the authorities -- bank regulatory rules and guidance, the PCI Data Security Standard (PCI DSS) and state data security laws -- strongly emphasize the need to conduct pre-contract due diligence and, to some extent, ongoing monitoring of a vendor's security measures as part of the financial institution's vendor risk assessment obligations. Therefore, if a contract doesn't specifically contain vendor audit and monitoring rights, and the vendor is uncooperative, a financial institution may not be able to meet is compliance obligations.

The FDIC's Guidance on Managing Third-Party Risk and OCC Bulletin 2001-47, as well as the FFIEC's Outsourcing Technology Service IT Examination Handbook, all explicitly provide that important vendor contracts must reserve the right to audit or obtain suitable independent audit reports (such as a SAS 70) on the vendor's controls and performance under the contract. The OCC Bulletin, for example, states, "[r]eports should also include a review of the third party's security program and business continuity program." The FFIEC handbook goes even further, stating that where the services contracted for involve access to open networks such as the Internet, the institution should consider "contract terms requiring periodic control reviews performed by an independent party with sufficient expertise. These reviews may include penetration testing, intrusion detection, reviews of firewall configuration, and other independent control reviews. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to assess security adequately without compromising the service provider's security."

Accordin...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Business partner and vendor security issues New vendor risk assessment tools address cloud computing Don't forget the cleaning crew in your vendor management program Vendor contract management: Regulatory guidance is risk-based Data breach protection: Implementing vendor breach safeguards Vendor risk management: process and documentation How to manage security risks in vendor contracts Download presentations from Financial Information Security Decisions 2009 Advocacy group looks to foster trust in foreign service providers Shared Assessments aims to ease third-party security evaluations Security questions to ask SaaS vendors when outsourcing services Compliance and Governance Digest Seven GRC best practices for information security Shifting to a flexible information security framework Vendor contract management: Regulatory guidance is risk-based Data breach protection: Implementing vendor breach safeguards How to manage security risks in vendor contracts Red Flags Rule and preparing for new regulations Companies lagging in PA DSS compliance Social media: Risk management strategies for financial institutions FFIEC guidance on RDC: Guidance overview FFIEC guidance on RDC: Risk management basics Auditing, testing and assessment for financial services compliance Audit requirements drive demand for privileged account management Regulatory reform will require much work ahead Download presentations from Financial Information Security Decisions 2009 Two conversations about risk assessment Federal examiners need to pay more attention to IT risks PCI certification isn't always the right answer Forensic accounting success depends on information security support The truth about vendor management Opinion: Why you should document your security policies Financial firms fight cyberthreats, brace for difficult year

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Shared Assessments Program  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

gly, a well-written vendor audit provision should give the financial institution the ability to audit the vendor's security program and data environment at least annually and, where the vendor has possession of a significant amount of sensitive data, should permit onsite visits to the data environment as well as testing of security measures and controls. If the vendor has possession of cardholder data as defined by PCI DSS, the financial firm's audit rights should also encompass yearly validation of PCI DSS compliance.

Some vendors may balk at this audit requirement and complain that it risks disruption to their business or compromise of other clients' data in a shared hosting environment. Such arguments should be treated skeptically. Companies that build a business around providing outsourced transaction and/or data storage services to regulated organizations should expect and be equipped to deal with vendor audit and vendor monitoring requests; indeed, compliance is an essential part of the product they are marketing. Moreover, the language quoted above from the FFIEC handbook clearly contemplates rigorous auditing and testing of controls in higher-risk relationships. With respect to shared hosting environments, Requirement 2.4 and Appendix A of PCI DSS prescribe specific logical separation requirements for such settings in order to minimize the risk that one customer's access and use of its data will impinge upon another customer's data access or security.

Where there is an impasse with a vendor over audit rights, obtaining audit reports, such as SAS 70's from the vendor's own independent auditors, may be a workable compromise, provided that the auditor is suitably qualified in the information security field, the audits are conducted at least annually, and all relevant network and system protections and controls are contained within the scope of the audits.

About the author:
Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. He can be contacted at andrew@baerbizlaw.com.