News Story by Lucas Mearian


JANUARY 26, 2004 (COMPUTERWORLD) - A consortium of the country's top financial services firms last week published a set of industry guidelines to use in evaluating the security risks of IT outsourcing deals.

The Banking Industry Technology Secretariat (BITS) in Washington released the security guidelines as an addendum to an existing framework for managing business relationships with IT services providers. The group's goal is to help financial services firms streamline the outsourcing evaluation process and better manage the risks of handing over control of key corporate systems to vendors.

The guidelines are based on the International Standards Organization's ISO 17799 code of practice for information security management, which covers categories such as documenting corporate security policies and classifying assets. They also include best practices gathered from BITS members and input from vendors, government agencies and third-party IT auditors, said Faith Boettger, a senior consultant at BITS.

Bob Cedergren, second vice president of information security and business continuity planning at Fortis Inc., a financial services firm with U.S. operations in New York, said security concerns related to outsourcing are getting more attention in corporate boardrooms. "Each time there's a virus outbreak, this gets discussion within our CIO group here at Fortis as well as with the CEOs" of individual business units, Cedergren said.

The BITS guidelines, which are built into a 33-page spreadsheet, provide a single set of rules for evaluating outsourcing and IT services vendors, Cedergren said. He noted that in the past, each of Fortis' operating units had its own vendor evaluation procedures. "This puts it down on paper and creates a common set of expectations for us," he said.

Many of the financial services industry's certification standards, including Statement on Auditing Standards No. 70, SysTrust and WebTrust, don't fully cover what companies have been looking for in a best-practices matrix, according to Boettger. "Financial institutions were deploying their own internal resources or engaging third parties to perform due diligence and ongoing reviews to close that gap in the assessment requirement," she said.

With the added security guidelines, BITS's framework now includes questions to ask IT services vendors during each stage of the outsourcing process, including risk management, planning, testing and governance, Boettger said. The framework was originally published in 2001 and was updated by BITS last November.

One key area that wasn't covered in earlier guidelines was business continuity, which now falls under the umbrella of information security at Fortis because of terrorist attacks around the world and last August's blackout in parts of the northeastern U.S. and Canada, Cedergren said.

He added that Fortis' IT department takes time to understand the security procedures of service providers and then writes into any outsourcing contracts provisions that allow audits and on-site reviews as needed.

What to Ask BITS recommends that IT managers consider the following security-related outsourcing issues: Do IT services firms have appropriate security policies and management procedures in place? Have they developed systems for maintaining an accurate inventory of IT assets? Are outsourcing workers and business partners qualified to fulfill their responsibilities? Are data centers physically protected against access by unauthorized individuals? Have comprehensive business continuity plans been developed and tested?