2023 IT Examiner School

Information Technology Risk Examination

Information Technology Profile

5. Evaluate the institution’s use of a managed security service provider (MSSP). In addition to the standard vendor management controls in the core modules, consider the following:
- Type and frequency of security reports
- Quality of logs
- Separate client logs
- Security information and event management reports
- In-house expertise to manage MSSP
- Conformance with institution’s information security program
- Responsiveness to audit findings (e.g., penetration test, vulnerability assessment, SSAE 16)
- Clear assignment of responsibilities and accountability
- Incident response
- Security alerts
- Forensic
- Service availability
- Disaster recovery
- Secure handling of sensitive data

If additional examination procedures are necessary, refer to the FFIEC IT Examination Handbook Outsourcing - Technology Services Booklet, Appendix D: Managed Security Service Providers.

Decision Factor 4

6. In addition to the vendor management controls outlined in the core module, evaluate the adequacy of additional oversight and controls relating to foreign-based technology service providers (FBTSP). Consider the following:
- Familiarity of FBTSP with U.S. banking laws and regulations
- Contract elements specifically addressing:
  - Access to and location of data
  - Choice of governing law (U.S. law is preferred)
  - Right of U.S. regulators to audit
- Inclusion of FBTSPs in the institution’s vendor management program

Decision Factor 5

7. For development or other IT-related contracts, incentives embedded in contracts might encourage the service provider to take imprudent risks, resulting in reputational damage, increased litigation, or other risks to the institution. Evaluate the process to review and approve any incentive compensation in contracts.

Decision Factor 6
