RISK II - No Key Needed Download
ensure contractually that the third party uses sound information management practices. the third party should be able to demonstrate adequate procedures and controls to manage information in a manner that assures confidentiality, integrity and availability of your information. for instance, does the third party have a written information security plan? are the systems used to protect information robust enough to meet the bank's needs? are information security policies and procedures posted and available for review? do employees understand and comply with those policies and procedures?
provide on-site access. in some cases, providing more on-site access to third parties will improve the quality of the services delivered to your institution and provide you with better oversight of the agreement. periodically tour the third party site to ensure there are no service interruptions or additional contract requirements, and that management has a thorough understanding of the services provided. if appropriate, the bank should be able to have personnel directly manage the work performed by the third party.
establish and maintain appropriate security requirements. in general, banks should have a written contract with their third-party partner that clearly defines their security requirements. the contract should contain information about when additional services are required, how the bank's security requirements will be assessed by the third party, how the third parties security obligations will be enforced, the cost for each security level, and key milestones which must be met in order for the bank to transition to the next level. the contract should also require the third party to comply with its security requirements.