12

risk assessment vendor contract spreadsheet

Jun 04, 2018

helper 2014
Page 1: risk assessment vendor contract spreadsheet

8/13/2019 risk assessment vendor contract spreadsheet

http://slidepdf.com/reader/full/risk-assessment-vendor-contract-spreadsheet 1/12

Risk Assessment – Contract Issues

Columns: Risk Description | Completely Implemented | Partially Implemented | Aware, But Not Implemented | No Awareness | Not Applicable | Risk Rating

Scope of Service

1. Does the contract clearly describe the rights and responsibilities of the parties to the contract?

2. Does the contract give consideration to timeframes and activities for implementation and assignment of responsibility? Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization), if applicable.

3. Does the contract give consideration to services to be performed by the service provider, including duties such as software support and maintenance, training of employees, or customer service?

4. Does the contract give consideration to the obligations of the bank?

5. Does the contract give consideration to the contracting parties' rights in modifying existing services performed under the contract?

6. Does the contract give consideration to the guidelines for adding new or different services and for contract renegotiation?

Performance Standards

7. Does the contract include performance standards defining minimum service level requirements and remedies for failure to meet the standards in the contract (e.g., system uptime, deadlines for processing, processing errors)?

Security and Confidentiality

8. Does the contract address the service provider's responsibility for security and confidentiality of the bank's resources (e.g., information, hardware)?

9. Does the contract prohibit the service provider and its agents from using or disclosing the bank's information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to bank competitors)?

10. Does the contract request that if the service provider receives nonpublic personal information regarding the bank's customers, the service provider will assess the applicability of the privacy regulations?

11. Does the contract require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the bank or its customers?

12. Does the contract require the service provider to report to the bank when material intrusions occur, the effect on the bank, and corrective action to respond to the intrusion?

Controls

13. Does the contract give consideration to provisions addressing internal controls to be maintained by the service provider?

14. Does the contract have a provision addressing compliance with applicable regulatory requirements?

15. Does the contract contain a provision for records to be maintained by the service provider?

16. Does the contract provide for access to the records by the bank?

17. Does the contract contain a clause for notification by the service provider to the bank and the bank's approval rights regarding material changes to services, systems, controls, key project personnel allocated to the bank, and new service locations?

18. Does the contract contain controls for the setting and monitoring of parameters relating to any bank function, such as payment processing and any extension of credit on behalf of the bank?

19. Does the contract specify insurance coverage is to be maintained by the service provider?

Audit

20. Does the contract state the types of audit reports the bank is entitled to receive (e.g., financial, internal control and security reviews)?

21. Does the contract specify the audit frequency, cost to the bank, if any, as well as the rights of the bank and its agencies to obtain the results of the audits in a timely manner?

22. Does the contract specify any rights to obtain documentation regarding the resolution of audit-disclosed deficiencies and to inspect the processing facilities and operating practices of the service provider?

23. Does the contract contain a provision for which bank management may obtain independent internal audits completed by the service provider audit staff and the need for external audits and reviews (e.g., SAS 70 Type I and II reviews)?

24. Does the contract provide terms requiring periodic audits to be performed by an independent party with sufficient expertise in Internet-related services? These audits could include penetration testing, intrusion detection, and firewall configuration. The contract should allow for sufficiently detailed reports to be provided to bank management to adequately assess security without compromising the service provider's security.

Reports

25. Do the contractual terms reflect the frequency and type of reports the bank will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports)? Guidelines and fees for obtaining customer reports should also be stated.

Business Resumption and Contingency Plans

26. Does the contract address the service provider's responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans? Responsibilities should include testing of the plans and providing results to the bank.

27. Does the contract consider interdependencies among service providers when determining business resumption testing requirements?

28. Does the contract state that the service provider will provide the bank with operating procedures the service provider and the bank are to implement in the event business resumption contingency plans are implemented?

29. Does the contract include specific provisions for business recovery timeframes that meet the bank's business requirements?

30. Has management ensured that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans?

Sub-contracting and Multiple Service Provider Relationships

31. In the event that the service provider subcontracts with third parties, does the contract provide for accountability, an agreement, and a designation for the primary contracting service provider?

32. Does the contract provide a provision specifying that the contracting service provider is responsible for the service provided to the bank regardless of which entity is actually conducting the operations?

33. Does the contract provide a provision for notification and approval from bank management regarding changes to the service provider's significant subcontractors?

Cost

34. Does the contract fully describe fees and calculations for base service, including any development, conversion, and recurring services, as well as any charges based upon volume of activity and for special requests?

35. Is the cost and responsibility for purchase and maintenance of hardware and software identified in the contract?

36. Does the contract state in detail any conditions under which the cost structure may be changed, including limits on any cost increases?

Ownership and License

37. Does the contract address ownership and allowable use by the service provider of the bank's data, equipment/hardware, system documentation, system and application software, and other intellectual property rights? Other intellectual property rights may include the bank's name and logo; its trademark or copyrighted material; domain names; web site designs; and other work products developed by the service provider for the bank.

38. The contract should not contain unnecessary limitations on the return of items owned by the bank.

39. Does the contract allow for escrow agreements pertaining to the purchase of software by the bank?

40. Do the escrow agreements provide for the following: bank access to source programs under certain conditions (e.g., insolvency of the vendor), documentation of programming and systems, and verification of updated source code?

Duration

41. Does the contract consider the type of technology and current state of the industry when identifying the length of the contract and its renewal periods?

42. Does the contract specify the appropriate length of time required to notify the service provider of the bank's intent not to renew the contract prior to expiration?

43. Does the contract specify penalties for early termination?

Dispute Resolution

44. Does the contract provide a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period?

Indemnification

45. Does the contract have an indemnification provision that requires the bank to hold the service provider harmless from liability for the negligence of the bank, and vice versa? If so, this provision should be reviewed in depth to reduce the likelihood of potential situations in which the bank may be liable for claims arising as a result of the negligence of the service provider.

Limitation of Liability

46. If the contract has a limitation of liability clause limiting the amount of liability that can be incurred by the service provider, does the damage limitation bear an adequate relationship to the amount of loss the bank might reasonably experience as a result of the service provider's failure to perform its obligation?

Termination

47. Does the contract provide for flexibility of termination rights? Contracts for technologies subject to rapid change, for example, may benefit from greater flexibility in termination rights.

48. Do the termination rights cover such items as change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy, company closure, and insolvency?

49. Does the contract permit the bank to terminate the contract in a timely manner and without prohibitive expense? The contract should specify termination and notification requirements with time frames to allow the orderly conversion to another provider.

50. Does the contract provide for the return of the bank's data, as well as other bank resources, in a timely manner and in machine-readable format?

51. Does the contract clearly state any costs associated with transition assistance?

Assignment

52. Does the contract contain provisions that prohibit assignment of the contract to a third party without the bank's consent, including changes to subcontractors?

Overall Rating