Information assets are valuable, and institutions should ensure these assets are adequately protected in outsourcing relationships. Financial institutions have a legal responsibility to ensure service providers take appropriate measures designed to meet the objectives of the information security guidelines and to comply with GLBA Section 501(b). Those measures should result from the institution's security process and should be included or referenced in the contract between the institution and the service provider. Refer to the IT Handbook's "Information Security Booklet" for additional information on the information security process.
In choosing service providers, management should exercise appropriate due diligence to ensure the protection of both financial institution and customer assets. Before entering into outsourcing contracts, and throughout the life of the relationship, institutions should ensure the service provider's physical and data security standards meet or exceed the standards required by the institution. Institutions should also implement adequate protections to ensure service providers and vendors are given access only to the information and systems they need to perform their function. Management should restrict service provider and vendor access to financial institution systems, and appropriate access controls and monitoring should be in place between the service provider's systems and the institution's.
Outsourcing the Business Continuity Function
Multiple Service Provider Relationships