Information Security/Safeguarding
Information assets are valuable, and institutions should ensure
these assets are adequately protected in outsourcing relationships.
Financial institutions have a legal responsibility to ensure
service providers take appropriate measures designed to meet the
objectives of the information security guidelines and comply with
GLBA 501(b). Those measures should result from the institution's
security process and should be included or referenced in the
contract between the institution and the service provider. Refer to
the IT Handbook's "Information Security Booklet" for additional
information on the information security process.

In choosing service providers, management should exercise
appropriate due diligence to ensure the protection of both
financial institution and customer assets. Before entering into
outsourcing contracts, and throughout the life of the relationship,
institutions should ensure the service provider's physical and data
security standards meet or exceed standards required by the
institution. Institutions should also implement adequate
protections to ensure service providers and vendors are only given
access to the information and systems that they need to perform
their function. Management should restrict their access to
financial institution systems, and appropriate access controls and
monitoring should be in place between the service provider's systems
and the institution.