Compliance Insight with David Schneier

Vendor Management: Services are Invisible - Until They Don't Work

I started scoping out my next blog entry with PCI in mind (and how it will likely find its way into the community-bank/credit union space in a few years) and was blind-sided by one of my favorite nits to pick recently: the risks presented by poorly managed third-party vendor relationships.

ThePlanet, an ISP based in Texas, suffered a small explosion on May 31 that knocked out a large number of hosted websites. According to the Houston Chronicle, "about 7,500 customers were impacted by the fire at ThePlanet's facility. By Sunday, a few thousand customers remained without service. The company was told not to use its backup generators because of fire safety issues, officials said." Upon reading this story, I immediately thought of the community banks and credit unions I work with, the majority of whom use hosted solutions for their external-facing websites. What would an outage such as ThePlanet's mean to them?

For starters, it would make their internet banking capabilities unavailable. While most of these services are hosted by other third-party vendors, that fact is largely invisible to the customer/member. They only know that they go to their institution's website, click on a link and access the desired service. For all intents and purposes, when the institution's website is unavailable, these services are unavailable. Consider what some of these features are:

Bill pay
Online statements
Balance transfers

Now try to imagine the impact when a customer/member tries to access the website because they have a pressing financial matter to address, and they can't!

Most of my clients don't extend their vendor management programs to assess how such an outage would be addressed. And because most disaster recovery/business continuity plans only cover internal scenarios, it wouldn't be addressed there either.

Coincidentally, I was asked last evening by the Managing Partner of my firm what the three highest-risk topics on my recent engagements were, and I replied:

Vendor Management;
DR/BCP planning and testing;
Incident Response planning.

Based on the ThePlanet outage, it's not hard to understand why.

As for PCI, check back in a few days and I'll explain why you should keep an eye on where the standard is going.

About the Author

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.