This document outlines best practices for healthcare facilities to follow when moving IT operations to a managed service provider (MSP). It discusses defining board and management responsibilities, conducting risk assessments, defining the scope of outsourced services, selecting an MSP through a rigorous RFP and due diligence process, implementing service level agreements, and ongoing monitoring requirements. Key aspects include tailoring oversight to criticality of services, documenting all procedures, conducting thorough legal reviews of contracts, ensuring adequate performance standards, security, reporting, and business continuity plans are in place.
Moving Operations to Managed Services Provider [MSP]:
1. Define Board and Management Responsibility: [Expand with respect to ITIL framework].
Ensuring each MSP relationship supports the institution's overall requirements and strategic plans;
Ensuring the institution has sufficient expertise to oversee and manage the relationship;
Evaluating prospective providers based on the scope and criticality of managed services;
Tailoring the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of managed services;
Notifying its primary regulator [HAAD] regarding managed relationships, when required by the regulator.
If a Healthcare Facility Provider [HFP] decides to outsource its IT services to a managed service provider [MSP], it should first check the regulations issued by HAAD.
2. Risk Management:
Establishing senior management and board awareness of the risks associated with Managed Service Agreements [MSA] in order to ensure effective risk management practices;
Ensuring that a managed service arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;
Systematically assessing needs while establishing risk-based requirements;
Implementing effective controls to address identified risks;
Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment;
Documenting procedures, roles/responsibilities, and reporting mechanisms.
a. Assess Risk
Assess the risk from the managed service; involve stakeholders in creating risk-based written requirements to control and manage the service; use the written requirements to guide and manage the remainder of the managed service process.
Document risks associated with:
Reputation Risk: Errors, delays, or omissions in information technology.
Strategic Risk: Inadequate management experience and expertise can lead to a lack of understanding and control of key risks; inaccurate information from TSPs (technology service providers) can cause the management of serviced financial institutions to make poor strategic decisions.
Compliance (legal) Risk: Outsourced activities that fail to comply with legal or regulatory requirements can subject the institution to legal actions [in the case of an HFP this can lead to sanctions or cancellation of its license].
Healthcare financing: Processing errors related to investment income or repayment assumptions could lead to unwise investment or liquidity decisions, thereby increasing market risks.
b. Quantify Risk Considerations
Risks pertaining to the function of the managed service include:
- Sensitivity of data accessed, protected, or controlled by the service provider;
- Volume of transactions; and
- Criticality to the financial institution's business.
Risks pertaining to the service provider include:
- Strength of financial condition;
- Turnover of management and employees;
- Ability to maintain business continuity;
- Ability to provide accurate, relevant, and timely Management Information Systems (MIS);
- Experience with the function outsourced;
- Reliance on subcontractors;
- Location, particularly if cross-border (See Appendix C, Foreign-Based Third-Party Service Providers); and
- Redundancy and reliability of communication lines.
Risks pertaining to the technology used include:
- Reliability;
- Security; and
- Scalability to accommodate growth.
c. Requirement Definition of Risk
Stakeholder involvement: All organizational groups who will be directly involved with the service provider or in using the contracted service should be represented in the development of product and service requirements.
Integration: The development should result in requirements that support the subsequent steps of solicitation, selection, contracting, and monitoring.
Documentation: Documentation will greatly assist in ensuring that the service contracted and delivered meets the institution's requirements. Documentation will also allow for subsequent reviews of the processes' adequacy and integrity.
3. Services To Be Outsourced to Managed Service Provider
a. Define scope and nature of:
Service description; Technology; Customer support.
b. Standards and service levels
Availability and performance; Change management; Financial reporting; Quality of service; Security; and Business continuity.
c. Minimum acceptable service provider characteristics
Industry experience; Management experience; Technology and systems architecture; Process controls; Financial condition; Reputation, including references; Degree of reliance on third parties, subcontractors, or partners; Legal, regulatory, and compliance history; and Ability to meet future needs.
d. Monitoring and reporting
Measurements and reporting criteria; Right to audit; Third-party reports; and Coordination of responses to security events.
e. Transition requirements
Initial migration of data to the service provider; Implementation of necessary communications mechanisms; Migration of data from the service provider at termination of contract; and Staff training.
f. Contract duration, termination, and assignment
Start and term; Conditions and right to cancel; Ownership of data; Timely return of data in machine-readable format; Costs of transition; Limitations, as appropriate, governing assignment to third party; Dispute resolution; and Confidentiality of institution data.
g. Contractual protections against liability
Indemnification; Limitation of liability; and Insurance.
4. Service Provider Selection
a. Request For Proposal
Evaluate service provider proposals in light of the institution's needs, including any differences between the institution's solicitation and the service provider proposal.
b. Due Diligence
Perform due diligence on the prospective service providers; Ensure that selection of affiliated parties as service providers is done at arm's length in accordance with regulations and guidance issued by the institution's primary regulator; and Evaluate foreign-based third-party service providers in light of the guidance found in this section and in Appendix C, Foreign-Based Third-Party Service Providers.
c. Due Diligence about Managed Service Provider History
Existence and corporate history; Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate; Other companies using similar services from the provider that may be contacted for reference; Financial status, including reviews of audited financial statements; Strategy and reputation; Service delivery capability, status, and effectiveness; Technology and systems architecture; Internal controls environment, security history, and audit coverage; Legal and regulatory compliance including any complaints, litigation, or regulatory actions; Reliance on and success in dealing with third-party service providers; Insurance coverage; and Ability to meet disaster recovery and business continuity requirements.
5. Resolve andImplementContracts
Ensure the contract clearlydefinesthe rightsandresponsibilitiesof bothparties; Ensure the
contract containsadequate andmeasurable service levelagreements;Ensure contracts with
affiliatesclearlyreflectanarms-lengthrelationshipandcostsand servicesare atleastas
favorable tothe institutionasthose available fromanon-affiliatedprovider; Choose the most
appropriate pricingmethodforthe financial institution’s needs; Ensure the contract doesnot
4. containprovisionsorinducementsthatmayhave a significant,adverse affectonthe institution;
Engage legal counsel toreviewthe contract;andEvaluate foreign-basedthird-partyservice
providersinlightof the guidance foundinthissection
a. Verifythe accuracyof the descriptionof the outsourcingrelationshipinthe contract;
b. Ensure the contract is clearlywrittenandcontainssufficientdetailtodefine the rights
and responsibilitiesof eachpartycomprehensively.
c. Engage legal counsel earlyinthe processtohelpprepare andreview the proposed
contract.
d. Scope of Service.The contractshouldclearlydescribethe rightsandresponsibilitiesof
the partiesto the contract.
Considerations should include:
i. Descriptions of required activities, time frames for their implementation, and
assignment of responsibilities. Implementation provisions should take into
consideration other existing systems or interrelated systems to be developed by
different service providers (e.g., an Internet banking system being integrated
with existing core applications or systems customization).
ii. Obligations of, and services to be performed by, the service provider including
software support and maintenance, training of employees, or customer service.
iii. Obligations of the financial institution.
iv. The contracting parties’ rights in modifying existing services performed under
the contract.
v. Guidelines for adding new or different services and for contract renegotiation.
e. Performance Standards.
Institutions should include performance standards that define minimum service level
requirements and remedies for failure to meet standards in the contract. For example,
common service level metrics include percent system uptime, deadlines for completing
batch processing, or number of processing errors. Industry standards for service levels
may provide a reference point. The institution should periodically review overall
performance standards to ensure consistency with its goals and objectives.
f. Security and Confidentiality
g. Controls.
Service provider internal controls; Compliance with applicable regulatory requirements;
Record maintenance requirements for the service provider; Access to the records by
the institution; Notification requirements and approval rights for any material changes
to services, systems, controls, key project personnel, and service locations; Setting and
monitoring parameters for financial functions including payments processing or
extensions of credit on behalf of the institution; and Insurance coverage maintained by
the service provider.
h. Audit: The institution should include in the contract the types of audit reports it is
entitled to receive (e.g., financial, internal control, and security reviews).
i. Reports: Contractual terms should include the frequency and type of reports the
institution will receive (e.g., performance reports, control audits, financial statements,
security, and business resumption testing reports).
j. Business Resumption and Contingency Plans.
The contract should address the service provider’s responsibility for backup and record
protection, including equipment, program and data files, and maintenance of disaster
recovery and contingency plans.
k. Sub-contracting and Multiple Service Provider Relationships.
Some service providers may contract with third parties in providing services to the
health institution. Institutions should be aware of and approve all subcontractors. To
provide accountability, the financial institution should designate the primary contracting
service provider in the contract. The contract should also specify that the primary
contracting service provider is responsible for the services outlined in the contract
regardless of which entity actually conducts the operations. The institution should also
consider including notification and approval requirements regarding changes to the
service provider’s significant subcontractors.
l. Define Pricing Methods
The contract should fully describe the calculation of fees for base services, including any
development, conversion, and recurring services, as well as any charges based upon
volume of activity or for special requests. Contracts should also address the
responsibility and additional cost for purchasing and maintaining hardware and
software. Any conditions under which the cost structure may be changed should be
addressed in detail including limits on any cost increases.
m. Bundling
n. Contract Inducement Concerns
o. Ownership and License: The contract should address the ownership, rights to, and allowable
use of the institution’s data, equipment/hardware, system documentation, system and
application software, and other intellectual property rights.
p. Duration: The institution should consider the appropriate length of time required to notify
the service provider of the institution’s intent not to renew the contract prior to expiration.
Institutions should consider coordinating the expiration dates of contracts for interrelated
services (e.g., website, telecommunications, programming, network support) so
that they coincide, where practical. Such coordination can minimize the risk of
terminating a contract early and incurring penalties as a result of necessary termination
of another related service contract.
q. Dispute Resolution: The institution should consider including a provision for a dispute
resolution process that attempts to resolve problems in an expeditious manner as well
as a provision for continuation of services during the dispute resolution period.
r. Indemnification: Indemnification provisions should require the service provider to hold
the financial institution harmless from liability for the negligence of the service provider.
s. Limitation of Liability: If the institution is considering such a contract, management
should assess whether the damage limitation bears an adequate relationship to the
amount of loss the financial institution might reasonably experience as a result of the
service provider’s failure to perform its obligations.
t. Termination: Management should assess the timeliness and expense of contract
termination provisions.
u. Assignment: The institution should consider contract provisions that prohibit
assignment of the contract to a third party without the institution’s consent.
v. Foreign-based Service Providers
w. Institutions entering into contracts with foreign-based service providers should consider
a number of additional contract issues and provisions.
x. Regulatory Compliance: Financial institutions should ensure that contracts with service
providers include an agreement that the service provider and its services will comply
with applicable regulatory guidance and requirements.
6. Service Level Agreement (SLA)
a. Availability and timeliness of services;
b. Confidentiality and integrity of data;
c. Change control;
d. Security standards compliance, including vulnerability and penetration management;
Business continuity compliance; and
e. Help desk support.
7. Pricing Methods:
Cost plus, fixed price, variable price, unit price, incentive based pricing.
Bundling:
The provider may entice the institution to purchase more than one system, process, or service
for a single price – referred to as “bundling.”
8. Contract Inducement Concerns:
The service provider purchases certain assets (e.g., computer equipment or foreclosed real
estate) at book value (which exceeds market value) or purchases capital stock from the
institution. The service provider offers cash bonuses to the institution upon completion of the
conversion. The service provider offers up-front cash to the institution. The provider states that
the institution acquires the right to future cost savings or profit enhancements that will accrue
to the institution because of greater operational efficiencies. These improvements are usually
without measurable benchmarks. The institution defers expenses for conversion costs or
processing fees under the terms of the contract. Low installation and conversion costs in
exchange for higher future systems support and maintenance costs.
9. Ongoing Monitoring
a. Key Service Level Agreements and Contract Provisions
A formal policy that defines the SLA program; An SLA monitoring process; A recourse
process for non-performance; An escalation process; A dispute resolution process; and
A termination process.
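The performance standards of item e (percent uptime, batch deadlines, processing error counts) and the SLA monitoring, recourse and escalation process of item 9.a, as an added example that is not part of the original document: a check that scores one month of provider evidence against the three metric types and returns the breaches and an escalation tier. The thresholds, the tier names and the sample evidence are constructed assumptions, since the document names the metric types but no values.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed SLA thresholds (assumptions, not values from the document).
SLA = {"min_uptime_pct": 99.9, "batch_deadline": "06:00", "max_errors": 5}

@dataclass
class MonthlyEvidence:
    month_start: datetime
    month_end: datetime
    outages: list             # (start, end) pairs taken from provider incident reports
    batch_finish_times: list  # when each nightly batch actually completed
    processing_errors: int    # count taken from the provider's performance report

def availability_pct(ev: MonthlyEvidence) -> float:
    """Percent of the month the service was up, rounded to 3 decimals."""
    total = (ev.month_end - ev.month_start).total_seconds()
    down = sum((end - start).total_seconds() for start, end in ev.outages)
    return round(100.0 * (total - down) / total, 3)

def late_batches(ev: MonthlyEvidence) -> list:
    """Batch runs that finished after the contractual deadline (hh:mm, same day)."""
    hour, minute = (int(x) for x in SLA["batch_deadline"].split(":"))
    return [t for t in ev.batch_finish_times if (t.hour, t.minute) > (hour, minute)]

def evaluate_sla(ev: MonthlyEvidence) -> dict:
    """Compare evidence with the SLA and pick an escalation tier (tiers are assumed)."""
    breaches = []
    avail = availability_pct(ev)
    if avail < SLA["min_uptime_pct"]:
        breaches.append(("availability", avail))
    late = late_batches(ev)
    if late:
        breaches.append(("batch_deadline", len(late)))
    if ev.processing_errors > SLA["max_errors"]:
        breaches.append(("processing_errors", ev.processing_errors))
    # One missed metric goes to the recourse process; two or more escalate.
    tier = "none" if not breaches else (
        "service-credit review" if len(breaches) == 1 else "executive escalation")
    return {"availability_pct": avail, "breaches": breaches, "escalation": tier}

# Constructed sample month: one 2-hour outage, one late batch, 3 processing errors.
SAMPLE_EVIDENCE = MonthlyEvidence(
    month_start=datetime(2024, 4, 1), month_end=datetime(2024, 5, 1),
    outages=[(datetime(2024, 4, 10, 2, 0), datetime(2024, 4, 10, 4, 0))],
    batch_finish_times=[datetime(2024, 4, 2, 5, 40), datetime(2024, 4, 3, 6, 45),
                        datetime(2024, 4, 4, 5, 58)],
    processing_errors=3)

if __name__ == "__main__":
    print(evaluate_sla(SAMPLE_EVIDENCE))
```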
b. Financial Condition of Service Providers
Paying off the servicer’s creditor(s) and hiring outside specialists to operate the center;
Obtaining required equipment and software for in-house processing; and Transferring
data files to another provider.
c. General Control Environment of the Service Provider
The practicality of the service provider having an internal auditor, and the auditor's level
of training and experience; The service provider's external auditors’ training and
background; and Internal IT audit techniques of the service provider.
d. Potential Changes due to External Environment
10. Business Continuity Planning:
Regularly review the business continuity plans of the service provider or vendor to ensure any
services considered “mission critical” for the financial institution could be restored within an
acceptable time frame. Review the service provider’s program for contingency plan testing. For
critical services, annual or more frequent tests of the contingency plan are required. Assess
service provider/vendor interdependencies for mission critical services and applications.
a. Outsourcing the Business Continuity Function
i. Staffing—The provider should have sufficient and knowledgeable staff available
to provide appropriate onsite technical support to ensure timely resumption of
operations at the recovery site.
ii. Processing Time Availability—The provider should allocate sufficient processing
time, resources, and security controls to accommodate the potential for
multiple clients. The institution should ensure it could process normal volumes
of work within appropriate time requirements.
iii. Access Rights—The provider should disclose any access limitations. The provider
should guarantee the institution’s right to use the site in case of an emergency.
Alternatively, the institution should understand any priority arrangements. For
example, some sites operate on a first-come, first-served basis until the site is at
full capacity, but others have pre-arranged priorities based on contractual
agreements.
iv. Hardware and Software—The recovery site should have compatible hardware
and software. The institution should monitor the compatibility of the site to
handle its specific computer hardware and software requirements. To facilitate
the monitoring, the provider should be required by contract to notify the
institution of any changes in the hardware, software, and equipment at the
recovery site.
v. Security Controls—The institution should ensure it can maintain adequate
physical and logical security controls at the recovery site.
vi. Testing—The service provider contract should address access to the recovery
site for periodic testing. At a minimum, the institution needs sufficient access to
perform at least one full-scale test of the recovery site annually, including
verification of telecommunications capabilities.
vii. Confidentiality of Data—The institution should ensure the provider can maintain
the confidentiality of its business and customer data.
viii. Telecommunications—The institution should review telecommunications
redundancy and capacity at the recovery site, including how communications
from the institutions to the recovery site will be established.
ix. Reciprocal Agreements—Financial institutions contracting with another
institution for a recovery site should consider the above issues of staffing,
processing availability, access rights for recovery or testing, compatibility,
security, capacity, etc.
x. Space—The recovery site should have adequate space to accommodate the
affected institution's recovery staff.
xi. Printing Capacity/Capability—The recovery site should maintain adequate
printing capacity to meet the demand of the affected institution under
acceptable levels of service.
xii. Contacts—Institution management should know the procedures for declaring a
disaster including who has the authority to declare a disaster and initiate use of
the recovery site.
11. Information Security and Safeguards
12. Multiple Service Provider Relationships
13. Outsourcing to Foreign Service Providers
a. Risk Management: Country, compliance risk
b. Due Diligence: Contracts (Security, Confidentiality and Ownership of Data)
c. Regulatory Authority of other country.
d. Choice of Law
APPENDIX:
USE ITIL For Moving to Managed Services:
1. Define the standards used to manage the service provider and ITIL.
2. Create a service strategy to move towards the managed services model.
3. Fix service design to move towards managed services.
4. Use service transitioning to define:
transition planning, service assets and configuration management, change management,
service validation and testing, reduced resolution time by populating knowledge management,
deployment strategy and infrastructure, evaluation of reproduction at the 3rd party provider.
5. Use the operation module to define the support structure replicating HAAD requirements.
Define the following for the 3rd party to maintain for operations standards:
Service Desk, Incident Management (things like escalation matrix), Event Management, Request
Fulfillment, Problem Management, Access Management from 3rd party, Application
Management, IT Operation Management, Technical Management.
6. Continual Management: for quality managed at the 3rd party site.
Define the quality standards needed to be maintained at the 3rd party:
Service Management
Service Reporting