Booklet: Outsourcing Technology Services
Section: Related Topics
Subsection: Information Security/Safeguarding

Information assets are valuable, and institutions should ensure these assets are adequately
protected in outsourcing relationships. Financial institutions have a
legal responsibility to ensure service providers take appropriate measures
designed to meet the objectives of the information security guidelines,
and comply with GLBA 501(b). Those measures should result from the institution’s
security process and should be included or referenced in the contract
between the institution and the service provider. Refer to the IT Handbook’s
“Information Security Booklet” for additional information
on the information security process.

In choosing service providers, management should exercise appropriate
due diligence to ensure the protection of both financial institution and
customer assets. Before entering into outsourcing contracts, and throughout
the life of the relationship, institutions should ensure the service provider’s
physical and data security standards meet or exceed standards required
by the institution. Institutions should also implement adequate protections
to ensure service providers and vendors are only given access to the information
and systems that they need to perform their function. Management should
restrict their access to financial institution systems, and appropriate
access controls and monitoring should be in place between the service provider’s
systems and the institution.