Outsourcing – What Financial Institutions Must Know
Created: 13 Apr 2009 | Updated: 13 Nov 2013
As resources in the financial services industry become increasingly strapped, institutions are turning to outsourcing as a way to reduce costs.
Sure, outsourcing sounds like a good plan, but how do you know you can trust your outsourcing partner? Oftentimes, when entering into a third-party service contract, security is an afterthought. To ensure your institution is not the next to make headlines due to a data breach, I have included below a list of best practices to help you get ready to enter that third-party vendor agreement:
Get your own house in order – review and revamp your own security strategy before locking down the vendor chain.
Classify your data and apply the right controls – all data in an institution must be profiled and classified. Institutions will need to know and understand their data, as well as set classifications for more sensitive information, such as credit card numbers or passwords.
Know your vendors and make sure you are a good match – institutions must do a risk assessment of each vendor, understand its operations, and make sure the vendor shares the institution’s commitment to security and compliance.
Get control of compliance – vendors have to agree to an institution’s governance strategy. Automated compliance monitoring technology and reporting capabilities are essential for complying with the many industry regulations. Institutions will also need a full view of the security landscape across the vendor chain, because multiple vendors interact with one another on matters involving the institution. Security requirements must be nailed down before a vendor contract is signed.
Set the right security example – it is imperative for institutions to commit completely to their security and compliance initiatives; vendors will follow your lead.
When financial institutions consider outsourcing, security must be built into the plan from the beginning. Customers are an institution’s most valuable asset – measures need to be taken to guarantee their information is safe. Compromised information due to lack of third-party security controls is simply not an option.
For more best practices on managing your vendor ecosystem, download this BankInfoSecurity whitepaper: Vendor Exposure in the Financial Sector: Ten Best Practices for Mitigating Risk