US FFIEC Outsourcing Technology Services IT Examination Handbook (English edition).docx
- Document ID: 17894343
- Upload date: 2023-08-04
- Format: DOCX
- Pages: 49
- Size: 44.09KB
US FFIEC Outsourcing Technology Services IT Examination Handbook (English edition)
IT Booklets:
Outsourcing Technology Services
(US FFIEC IT Examination Handbook: Outsourcing Technology Services)
Introduction
The financial services industry has changed rapidly and dramatically. Advances in technology enable institutions to provide customers with an array of products, services, and delivery channels. One result of these changes is that financial institutions increasingly rely on external service providers for a variety of technology-related services. Generally, the term "outsourcing" is used to describe these types of arrangements.
The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) "Outsourcing Technology Services Booklet" (booklet) provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution's risk management processes to establish, manage, and monitor IT outsourcing relationships.
The ability to contract for technology services typically enables an institution to offer its customers enhanced services without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it. In many situations, outsourcing offers the institution a cost effective alternative to in-house capabilities. Outsourcing, however, does not reduce the fundamental risks associated with information technology or the business lines that use it. Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action remain. Because the functions are performed by an organization outside the financial institution, the risks may be realized in a different manner than if the functions were inside the financial institution, resulting in the need for controls designed to monitor such risks.
Financial institutions can outsource many areas of operations, including all or part of any service, process, or system operation. Examples of information technology (IT) operations frequently outsourced by institutions and addressed in this booklet include:
the origination, processing, and settlement of payments and financial transactions; information processing related to customer account creation and maintenance; as well as other information and transaction processing activities that support critical banking functions, such as loan processing, deposit processing, fiduciary and trading activities; security monitoring and testing; system development and maintenance; network operations; help desk operations; and call centers. The booklet addresses an institution's responsibility to manage the risks associated with these outsourced IT services.
Management may choose to outsource operations for various reasons. These include:
∙ Gain operational or financial efficiencies;
∙ Increase management focus on core business functions;
∙ Refocus limited internal resources on core functions;
∙ Obtain specialized expertise;
∙ Increase availability of services;
∙ Accelerate delivery of products or services through new delivery channels;
∙ Increase ability to acquire and support current technology and avoid obsolescence; and
∙ Conserve capital for other business ventures.
Outsourcing of technology-related services may improve quality, reduce costs, strengthen controls, and achieve any of the objectives listed previously. Ultimately, the decision to outsource should fit into the institution's overall strategic plan and corporate objectives.
Before considering the outsourcing of significant functions, an institution's directors and senior management should ensure such actions are consistent with their strategic plans and should evaluate proposals against well-developed acceptance criteria. The degree of oversight and review of outsourced activities will depend on the criticality of the service, process, or system to the institution's operation.
Financial institutions should have a comprehensive outsourcing risk management process to govern their technology service provider (TSP) relationships. The process should include risk assessment, selection of service providers, contract review, and monitoring of service providers. Outsourced relationships should be subject to the same risk management, security, privacy, and other policies that would be expected if the financial institution were conducting the activities in-house. This booklet primarily focuses on how the bank regulatory agencies review the risk management process employed by a financial institution when considering or executing an outsourcing relationship.
To help ensure financial institutions operate in a safe and sound manner, the services performed by TSPs are subject to regulation and examination.[1] The federal financial regulators have the statutory authority to supervise all of the activities and records of the financial institution whether performed or maintained by the institution or by a third party on or off of the premises of the financial institution. Accordingly, the examination and supervision of a financial institution should not be hindered by a transfer of the institution's records to another organization or by having another organization carry out all or part of the financial institution's functions.[2]
Many of the general principles on effective management of outsourcing relationships discussed in this booklet can and should be applied to managing the outsourcing of software development. Outsourcing of activities related to software development is addressed in the IT Handbook's "Development and Acquisition Booklet."
This booklet rescinds and replaces Chapter 22 of the 1996 FFIEC Information Systems Examination Handbook, IS Servicing - Provider and Receiver.
Board and Management Responsibilities
Action Summary
The financial institution's board and senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution.
The responsibility for properly overseeing outsourced relationships lies with the institution's board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue. An effective outsourcing oversight program should provide the framework for management to identify, measure, monitor, and control the risks associated with outsourcing. The board and senior management should develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing servicing requirements and strategies; selecting a provider; negotiating the contract; and monitoring, changing, and discontinuing the outsourced relationship.
Factors institutions should consider include:
∙ Ensuring each outsourcing relationship supports the institution's overall requirements and strategic plans;
∙ Ensuring the institution has sufficient expertise to oversee and manage the relationship;
∙ Evaluating prospective providers based on the scope and criticality of outsourced services;
∙ Tailoring the enterprise-wide, service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
∙ Notifying its primary regulator regarding outsourced relationships, when required by that regulator.[1]
The time and resources devoted to managing outsourcing relationships should be based on the risk the relationship presents to the institution. To illustrate, outsourcing processing of a small credit card portfolio will require a different level of oversight than outsourcing processing of all loan applications. Additionally, smaller and less complex institutions may have less flexibility than larger institutions in negotiating for services that meet their specific needs and in monitoring their service providers.
Risk Management
Risk management is the process of identifying, measuring, monitoring, and managing risk. Risk exists whether the institution maintains information and technology services internally or elects to outsource them. Regardless of which alternative they choose, management is responsible for managing risk in all outsourcing relationships. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing all outsourced operations.
An effective risk management process involves several key factors:
∙ Establishing senior management and board awareness of the risks associated with outsourcing agreements in order to ensure effective risk management practices;
∙ Ensuring that an outsourcing arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;
∙ Systematically assessing needs while establishing risk-based requirements;
∙ Implementing effective controls to address identified risks;
∙ Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment; and
∙ Documenting procedures, roles/responsibilities, and reporting mechanisms.
Typically, this process incorporates the following activities:
∙ Risk assessment and requirements definition;
∙ Due diligence in selecting a service provider;
∙ Contract negotiation and implementation; and
∙ Ongoing monitoring.
The preceding comments focus on risk elements specifically associated with outsourcing. For a broader perspective on IT transactional and operational risk, refer to the IT Handbook's "Supervision of Technology Service Providers (TSP) Booklet," which addresses outsourcing risk from the service provider perspective.
Subsections
Risk Assessment and Requirements
Action Summary
Management should: