
The Federal Financial Institutions Examination Council has
Outsourcing an IT activity does not relieve an institution's board and management from the responsibility to ensure that the data are processed in "a secure environment," according to the FFIEC's Outsourcing Technology Services Booklet.
Risks, such as the loss of funds and competitive advantage, damaged reputation, improper disclosure of information, and regulatory action, are still present when an external provider carries out any IT service, process, or system operation, said the booklet.
Outsourcing relationships should be subject to the same risk management, security, privacy, and other policies governing activities conducted in-house, said the booklet. Boards and senior management should establish and approve policies "appropriate to the size and complexity of the institution," according to the FFIEC.
In the other publication, "Management Booklet," the FFIEC states that boards and top executives should "understand and take responsibility for IT management as a critical component of their overall corporate governance efforts."
For directors, that includes not only approving information technology plans, policies, and major expenditures, but also being "familiar with IT and data center concepts and activities," according to the booklet.
For oversight support, it said, directors may choose to delegate the monitoring of information technology activities to an IT steering committee, so long as the committee consists of knowledgeable representatives from senior management, the IT department, and major end-user departments.
The committee should report regularly to directors on major information technology projects or issues, and "ensure the board has adequate information to make informed decisions about IT operations," according to the booklet.