The trick will be to get contracts that make your monitoring of service providers easy for you. In the long run I do not think it will be a significant problem, at least as far as service providers that do work for several banks. Specifically ask your service providers what they are going to do to aid you in your monitoring task. Smart service providers who get it will see the new requirements for information security monitoring as an opportunity to distinguish their services from competitors.
These service providers will want to adopt recognized industry best practices, or at least establish an information security program which has security levels equal to the security levels of any bank it works for. Additionally, the service provider will want to adopt a reporting program which will satisfy its most demanding bank customer. This will allow the service provider to maintain one level of security across all of its systems, one reporting cycle (hopefully at least 4 times a year) and the reports it generates for its bank customers could all be the same.
Once the service providers have time to figure out what the new Information Security Guidelines mean in regard to their relationships with their bank customers, I believe we will find most service providers offering reports which are both in quality and timeliness more than adequate to allow banks to perform their monitoring duties.
For a lot more detailed & excellent discussion of the relevant issues see:
Technology Outsourcing Information Documents from the FDIC. These include three new documents intended to assist community bankers:
- Effective Practices for Selecting a Service Provider,
- Tools to Manage Technology Providers' Performance Risk: Service Level Agreements, and
- Techniques for Managing Multiple Service Providers
First published on BankersOnline.com 7/2/01