Outsourcing continues to be prevalent in today's business landscape, especially for the increasingly digitalised financial industry. Many companies rely on outsourced service providers to perform certain - in some cases critical or material - business functions. However, many still underestimate the complexities they are exposed to when engaging with outsourced service providers. Although companies have started to look closely at the risks related to cybersecurity, many organisations might have overlooked the fact that physical data security is as important as, if not more important than, logical security - which is the protection from unauthorised access.
In February 2018, Trusted Source, a fully owned subsidiary of Temasek Management Services and a leading provider of technology and business services, received its Outsourced Service Provider Audit Report (OSPAR) rating for IT Security and IT Infrastructure Services. The attestation confirms that Trusted Source adheres to all standards, controls and procedures expected by financial institutions (FIs) for the full year audited, 1 January 2017 to 31 December 2017. It follows the Monetary Authority of Singapore (MAS) and Association of Banks in Singapore's (ABS) guidelines, which require outsourced service providers working with FIs to maintain the same level of governance, thoroughness and consistency as the FIs themselves.
An OSPAR attestation confirms to all of Trusted Source's clients the integrity and effectiveness of the company's internal controls for IT services. For banks and other financial institutions, this attestation removes the audit and liability burden; clients and partners can work with Trusted Source confident in the knowledge that the organisation complies with the latest MAS outsourcing guidelines.
"Trusted Source is working closely with its clients to develop a digital strategy and to build a secure infrastructure that leverages cloud services for the benefit of their business, without compromising security or regulatory requirements. The issuance of OSPAR attestation to Trusted Source is a strong testimony to our credibility as it reassures financial institutions of our compliance to ABS Outsourcing Guidelines and maintains the high level of governance, rigour and processes required by MAS," said Ong Whee Teck, CEO of Trusted Source.
OSPAR covers the following controls:
1. Entity-level controls
Such controls include but are not limited to risk assessment, information and communication, information security policies, as well as human resources policies and practices.
2. General information technology (IT) controls
Such controls include but are not limited to change and incident management, backup and disaster recovery (DRP), network and security management, and security incident response.
3. Service controls
Such controls include but are not limited to setting up new clients, safeguarding assets, as well as service reporting and monitoring.
Being ABS OSPAR-certified is a guarantee to FIs and their clients that the OSP complies with at least a minimum standard of controls and measures expected by the financial services industry. It also minimises the number of service control audits of the OSP required by the FI.
The loss of confidential customer data or disruptions to critical banking services may result in damage to a financial institution's reputation and might even result in regulatory breaches. Many organisations assume that most security breaches originate from professionally organised hackers, but in fact, one of the biggest threats to information security is human error and negligence, often on the part of internal stakeholders.