The evolution and growing popularity of business process outsourcing in the financial services and insurance industry has placed an onus on service providers to focus more closely on risk management and compliance. The drive by small service providers to increase their funds under management has increased their desire to add GS007 compliance to their corporate resume.
One thing that an IT Manager or CIO is tasked with in many of these smaller business process outsourcing organisations is compliance with a vast array of legislative and audit requirements. The GS007 Type 2 standard is one of the more onerous standards to comply with, and with sections G.1 – G.14 considered within scope of all GS007 audits, it’s critical that the IT function within these outsourced providers is across the requirements before the audit process begins. Many service providers seek compliance with this standard because of the reputation gained within the industry: GS007 is a great addition to the corporate resume and is quickly becoming a requirement for gaining access to business from superannuation or investment funds.
When considering the investment in achieving this standard, it’s incredibly important that the business understands, at least at a high level, the impact on business as usual of the audit itself and of the increased level of governance usually required to maintain a clean sheet in subsequent years’ audits. Several areas of the business will be reviewed when being audited against the GS007 standard. Finance, HR and Technology departments are most often involved in this process; with high levels of governance and consistency required to maintain compliance, the increased cost should be considered an ongoing aspect of doing business.
Specific to the Technology department, the following control objectives are reviewed and should be worked on before engaging an audit partner, to reduce the cost and effort associated with the process:
Restricting System Access – It’s important throughout the audit process that the IT function can provide the auditor with extensive proof of its processes and evidence that each process is followed every time. The new user provisioning, change and offboarding processes should be the focus, to ensure a consistent approach. Segregation of duties and user access confirmation processes are also important. NB: 360 Managed work with our clients to automate as much user maintenance/creation/offboarding as possible, which largely caters for this audit requirement.
Transaction and processing authorisation – Organisations must maintain a strong record of access provisioning and of changes to user access, to give management complete visibility and to maintain segregation of duties for all staff. This can be achieved through user provisioning, change and offboarding processes and their automation.
Safeguarding Assets – To safeguard information assets, organisations should ensure that a well-structured information security plan is in place and is monitored and reported against regularly. Defining a robust information security plan will account for a good number of the requirements of GS007, including the establishment of an accountability and review structure. The safeguarding of physical assets should also be covered through a well-structured technology asset management process, including an asset lifecycle with procurement and disposal procedures.
Maintaining and developing systems hardware and software – Mostly concerning the software development function within the business, this control looks to ensure that a strong software development lifecycle is in place. A rigorous plan for segregation of environments, environment management and testing must be documented and confirmed to be followed to satisfy these requirements. 360 Managed have worked with organisations to implement DevOps in software development houses, greatly increasing efficiency throughout these processes.
Recovering from processing interruptions – A business continuity plan (BCP) is an absolute must for any organisation, but particularly for those seeking GS007 compliance. The BCP and Disaster Recovery Plan (DRP) should be reviewed and tested every 12 months to ensure that satisfactory processes are documented and that the required recovery point objectives and recovery time objectives can be met using the developed plans.
Monitoring compliance – Focusing on the compliance of outsourced service providers, this section looks to confirm that adequate checks are in place against external parties’ contracted services and that the contracts are reviewed regularly.
Much like many international standards (such as ISO 27001), the GS007 standard requires a significant and sustained effort towards documenting processes and policies, which are reviewed each year. From broad IT acceptable use policies to user access control reviews, strict adherence to policy is required to achieve the standard.
360 Managed provide Technology as a Service that is specifically designed from the ground up to cater for all of the requirements of the GS007 compliance standard. Alternatively, we can consult with your organisation to provide guidance on the most cost-effective route to certification. With many templated processes and policies, we can guide your business to success.
Contact us for a discussion now.