Outsourcing Step-By-Step Guidelines Checklist
Most jurisdictions have rules and regulations on outsourcing, for example:
- European Banking Authority (EBA) guidelines
- JFSC Outsourcing Policy - March 2017
- FCA SYSC 13.9 Outsourcing
In light of the above, Comsure has put together the following step-by-step guide to what financial institutions should be checking against their outsourcing requirements.
Organisations should check that:
- They have correctly identified all their “outsourcing” arrangements and all the arrangements that affect “critical and important processing”.
- No one can implement new cloud computing outsourcing arrangements without following the correct procedures.
- In particular, it is recommended to check for the use of free, personal (as opposed to company-owned) and low-cost services that may have been put through on expense claims rather than through procurement, and so have bypassed the outsourcing procedures.
- The risk assessments are up to date, accurate, and include all necessary documentation.
- Contracts have been reviewed and updated in line with the requirements.
- Documentation is up to date, accurate, and that all the documentation is correctly aligned with no gaps or conflicts.
- Incident response playbooks have been updated and tested.
- Incidents are recognised and reported quickly, and the response is organised so that it does not unnecessarily interrupt normal business activities.
- There are appropriate audit trails to demonstrate management oversight of the decision-making process and cloud computing arrangements.
- Each outsourcing arrangement has a documented owner who is aware of their responsibilities.
- Appropriate training has been provided recently to ensure everyone understands the requirements and what they need to do personally to comply with them.
- It is also worth ensuring that people who have recently joined or changed roles have received the appropriate information and training.
- Where the company withdraws from a cloud computing arrangement, the following should be considered:
  - where appropriate, evidence such as data deletion certificates or audit reports should be held to prove that the arrangement has ended, and
  - the cloud services provider has securely erased and/or returned the organisation’s data.