Monitoring Service Provider Compliance with Information Security Requirements
by Mary Beth Guard, BOL Guru
The two charts in this section have also been reformatted in two formats -- .pdf and .doc -- and placed in the Security Power Tools section of Banker Tools.
You've got your information security program in place. You're diligently working to ensure it is being properly implemented internally. That's great, but that's not enough. If your bank provides customer information to any service providers, or any service providers have access to customer information through services provided directly to the bank, you have three obligations:
- You must conduct appropriate due diligence in your initial selection of service providers, taking into consideration information security;
- You must, by July 1, 2003, require your service providers by contract to implement appropriate information security programs and measures (or as of July 1, 2001 if contracts were entered into after March 5, 2001);
- Where appropriate based on risk, you must monitor your service providers to confirm that they are maintaining appropriate security measures to safeguard the bank's customer information. That could entail conducting or reviewing the results of audits, security reviews or tests, or other evaluations.
So, how do you begin to determine what risk is posed by a service provider and whether it is appropriate or necessary to monitor the service provider's information security procedures?
You look at two main factors:
- How sensitive is the information the service provider is given or has access to? and
- Is the service provider already directly bound by the information security guidelines, or is the service provider required to maintain the confidentiality and security of the information under some other professional code of conduct, such as the codes of conduct binding upon CPAs and attorneys, for example?
By weighing both the sensitivity of the information and the level of protection the service provider might reasonably be anticipated to provide for the information, you can evaluate how necessary it might be for you to monitor their information security safeguards. For example, if the service provider is a correspondent bank, it will already be directly subject to the information security guidelines and will have regulatory examinations and oversight in the area of information security, so the risk would be small. A local mom and pop shredding company, on the other hand, would probably not be bound by a code of professional responsibility relating to privacy and would not be examined by bank regulators, so the risk to information security would be greater, and, depending upon the level of sensitivity of the information provided to the shredding company, you may need to do some monitoring.
I developed a risk assessment matrix to help you internally document, for each service provider who will have access to customer information, the risk posed by that service provider so you can assess which ones will need to be monitored. We've received positive feedback from the regulators we've spoken to about this tool and encourage you to customize it as you see fit, use it, and keep your completed matrix in the file for your records.
Instructions for using the Risk Assessment Matrix:
This matrix is intended to allow you to show where you believe a service provider fits, based upon two criteria: 1) their existing information security obligations under law or a code of conduct; and 2) the level of sensitivity of customer information available to the service provider.
Sensitivity of customer information is based upon a scale of 1 to 5. If a service provider only has access to publicly available information, do not include them on the matrix. Make a separate list of such service providers. Remember, however, that even the fact that an individual is a customer will be considered nonpublic personal information, unless the information is publicly available. For example, if Charlie gets a mortgage loan from you, the fact that he is a mortgage loan customer will be public because it is reflected in the real estate mortgage filings. On the other hand, if Linda purchases a CD, there is likely to be no public record and therefore the mere fact that she is a CD holder at your bank is nonpublic personal information that must be safeguarded.
1 = very basic customer information, such as name and contact information.
2 = isolated information about particular transactions
3 = information about type of account, as well as identification details
4 = transaction history, high balance, low balance, credit limits, or account number
5 = full account/loan information.
Risk Assessment Matrix

| | Service provider is not bound by a code of conduct or the infosec guidelines | Service provider is bound by a code of conduct relating to privacy/confidentiality | Service provider is directly bound by the infosec guidelines |
|---|---|---|---|
| Sensitivity Level = 1 | | | Zone of least danger. Because of low data sensitivity and direct application of the infosec guidelines, service providers who fall within this category should not require your monitoring. |
| Sensitivity Level = 2 | | | |
| Sensitivity Level = 3 | | | |
| Sensitivity Level = 4 | | | |
| Sensitivity Level = 5 | Zone of greatest danger - you should plan to monitor any service provider who fits here on the matrix. | | |

Write the service provider's name in the appropriate box. There will be some boxes that will have multiple names.
I suggest you color code the boxes and decide, as a matter of internal policy, what your level of monitoring will be. Maybe you could adopt a variation on the alert levels of the Office of Homeland Security. A service provider with access to customer data with a sensitivity level of 5 who is not bound by a code of conduct and not directly subject to the information security guidelines would be red; a service provider who accesses customer information with a sensitivity level of 1 and who is directly bound by the information security guidelines would be green.
Once you decide which colors will go where, you need to decide what action, if any, you need to take for service providers who fall within each color zone. Do you need to conduct your own security reviews or tests? Will they have audit results and test results that you can review? What frequency of monitoring is appropriate?
Then, create a legend to go with your matrix. The legend should explain what the color codes mean and the action you intend to take on service providers within each color region.
Each time you add a new service provider, remember to add them to the matrix.
This second chart will help you track whether you have added the appropriate contract language.
Monitoring Chart for InfoSec Contract Provisions on Service Providers

| Name of Service Provider | Date of the original contract | InfoSec contract language is in place (Yes or No) | If no, indicate who has responsibility for getting it done by the deadline |
|---|---|---|---|
| | Information security safeguards contract language should already be in place for contracts entered into after March 5, 2001. Information security safeguards contract language must be added by July 1, 2003 for contracts entered into BEFORE March 5, 2001 that were grandfathered in. | | |

You will list your service providers down the left side. You can omit any that you have already included on your list of service providers who do not have access to nonpublic personal information on your customers. (We described that list above in connection with the risk assessment matrix.)
When noting the date of the original contract in the second column, keep in mind that not all of your contracts with service providers will necessarily be in writing. That does not mean there is not a contract - it just means the contract may be oral, rather than written.
The contractual provision you are required to add that obligates the service provider to implement and maintain an information security program designed to achieve the objectives of the guidelines does have to be in writing.
Review what you put in the second column. Get out a highlighter and highlight the rows corresponding to contracts that were grandfathered in and will need to be brought into compliance by July 1, 2003. Make sure a specific person has responsibility for this task and their responsibility is noted on the form, so the assignment doesn't fall through the cracks.
The original version appeared in the May 2002 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 9/30/02