IT-Vendor-Management

Successful IT Vendor
Management Practices
Kevin Bong
Johnson Financial Group
Why – Best Practice
• Get the most value out of your investment
• Protect your corporate and customer data
• Minimize interruptions to customer service and
internal operations
• React quickly and effectively to issues
• Have a historical record of vendor service and
important events.
Why – Regulatory Requirements
• FFIEC Information Security guidelines (based on
GLBA and other regulations) have multiple sections on
service provider oversight
• Sarbanes-Oxley addresses “Controls provided by
third party organizations”
• HIPAA considers many vendors “Covered
Entities” or “Business Associates”, with specific
requirements
Not Covered – Due Diligence in Vendor
Selection
• Info on due diligence in Vendor Selection is
pretty easy to find
• Vendor Management is a lifecycle, not a
procurement event
What to do - 10,000 Foot
• Establish a Vendor Relationship Policy
• Establish a formal process for annual vendor
reviews
• Assign and train vendor relationship managers
• Establish a mechanism for tracking vendor
management activities
Which Vendors
• Managing all vendors this way gets costly
• Which group of vendors gives you the best bang
for your buck?
– Access to Customer Information
– Critical for Operations
– Critical to Customer Service
– Based on $ amount of the contract
– Otherwise visible/high risk (website host, video
equipment in the CEO’s office)
The Vendor Manager role
• Who
– Centralized
– Distributed (with centralized management)
• Skillset and tools
• Time Requirements
• Accountability
Tools Overview
• Vendor Management Policy
• Annual review checklist
• Critical Statistics
• Vendor Contract and SLA
• Vendor Management Records
• Open and Resolved Issues List
• Vendor financial and third party review reports
Vendor Management Policy
• Describes the organization's beliefs, objectives,
and general procedures related to vendor
management/service provider oversight
• Key things in ours
– Required/recommended vendors
– Assignment of responsibilities
– Accountability
– Basics of annual reviews
Tools – VM Annual Checklist
• Standard list of actions to perform annually
– Researching
– Requesting, reviewing and updating information
– Recording and reporting results
Tools – Vendor Questionnaire/Request
List
• Standard list of items to be provided by your
vendor on an annual basis
• You feel like an auditor; essentially, you are
• If possible, have the obligation to provide this info
written into the contract
Tools – Critical Statistics
• Contact Information of account personnel
• Contact Information of support personnel
• Any support IDs, account processes
• Who is authorized to request changes
• Key Contract Dates
• Payment Details
Tools – Vendor Contract and SLA
• Outlines the services provided and expectations of each
entity
• Outlines recourse for resolving issues
• Where is the vendor contract stored
• Contract termination date
• Date or period of notice prior to renewal or termination
• Insurance coverage of the carrier
• Privacy and other regulatory expectations
Tools – Vendor Management Records
• Records and reports of previous vendor
management activities for this vendor
• Used to identify trends
• Reminder of concerns from prior reviews: have
these been resolved?
Tools – Open and Resolved Issues List
• How are requests or issues with the vendor
tracked?
• Review of resolved issues
– Appropriate criticality, acceptable resolution
– Any trends
• Review of open issues
– How long open
– Appropriate response and current criticality
Vendor Financial Health
• Getting Financial Reports
– Believe it or not, you can get it for free. The Securities
and Exchange Commission (SEC) and its EDGAR
website give you all sorts of balance sheet information
in a company's 10-K and 10-Q reports.
Tool – Financial Reports
• http://beginnersinvest.about.com/cs/investinglessons/l/blintroduction.htm
Tool – SAS 70 Reports
SAS 70 not a stamp of approval
“Salary.com™ Earns SAS 70 Type II Certification.
Successful audit highlights commitment …”
• Not a test against best practice or standard
• The tested organization creates the list of controls they
want observed and tested
• Report just describes whether the controls are in place,
and results of testing the controls
• Will report negative results
• Just having a SAS 70 provides no assurance;
unfortunately, you have to read it.
SAS 70 report, the meat
Control Objectives, Controls, Testing, Results of Testing
Controls Specified by Foo Hosting. Testing Performed by Bong & Associates.
• Control 12.3: The creation of any account with domain admin or higher
privileges is approved by IT management and tracked in the IT change
management system.
• Testing: Inquired of Active Directory admin to confirm that new domain
admin accounts are approved before creation. Inspected that the change
system has a category for administrative account changes, with a number
of changes recorded.
• Results of Testing: Of six administrative accounts created in the last
12 months, a corresponding change record could not be found for one.
• Management Response: Administrative accounts that are created as a
result of
Reviewing the SAS 70 report
• Change management controls
• Code development and testing controls
• Physical and Logical Access Controls
• IT Security controls (Firewalls, IDS)
• Look for negative findings: how many are there, and
are they concerning?
• Compare year over year: are they improving or
getting worse?
Other Red Flags
• Leadership and Strategy Changes
• Bankruptcy filings
– US bankruptcy court filings available online
• Employee Turnover
– Your account team or your favorite support engineers
• Client Turnover
– User groups
– Build relationships with other clients
Tools – Google
• “Company Name” and “Press Release”
• Search Google News
• “Company Name” and interesting keywords
– Bankrupt, merge, acquire, fire, resign, president, CEO,
stockholders
Recording/Tracking progress or service
Performance against SLAs
• Ongoing Monitoring
• Periodic Reviews
Support
License Compliance
• What is the licensing/pricing model
• Analyze vendor pricing and compare to industry
average
• What is your utilization (more seats than
contracted for, unused modules, etc?)
• What is your expectation of growth
Product Roadmap
• Get your input
Contract Terms
Security
• Your associates
• Their environment
– Third Party Review Results
– Your own Testing
Business Continuity- Them
Business Continuity - you
• Code stored away
How to deal with shortfalls
• Document in detail the expectations that are
missed
• Establish recurring meetings to review and track
progress
Special Cases – software development vendor
• Staged Development Environment, testing
processes, source control
• Source code ownership, possession
– Consider source code escrow
• Code security
– Consider web app vulnerability scan
• Meeting expectations for feature/functionality,
code quality (# of bugs), and release dates
Ten Key Mistakes
• Not having a relationship manager
• Not providing resources or training to relationship
managers
• Not tracking events or issues
• Not tracking outages against SLAs
• Missing critical dates (especially contract
renewal/termination)
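Two of the mistakes listed (not tracking outages against SLAs, and missing contract renewal/termination dates) are easy to catch with a small tracker. The script below is an added example, not material from the presentation; the vendor, the March 2024 outages, the 99.9% SLA target and the 90-day notice period are constructed sample values.

```python
# Added example, not from the original slides: tracks two items the deck
# says are commonly dropped, outages against the SLA and the contract
# renewal/termination notice deadline. All values are constructed samples.
from dataclasses import dataclass
from datetime import date, datetime, timedelta

@dataclass
class Outage:
    start: datetime
    end: datetime

def availability(outages, period_start, period_end):
    """Fraction of the review period the service was up; only the part of
    each outage inside the period counts (handles outages crossing month end)."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for o in outages:
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 1.0 - down / total

def sla_met(outages, period_start, period_end, target):
    """True if measured availability reaches the contracted target."""
    return availability(outages, period_start, period_end) >= target

def notice_deadline(termination_iso, notice_days):
    """Last date on which notice can be given (ISO text, as a tracking
    sheet would hold it): termination date minus the notice period."""
    end = date.fromisoformat(termination_iso)
    return (end - timedelta(days=notice_days)).isoformat()

def renewal_status(termination_iso, notice_days, today_iso, warn_days=60):
    """OVERDUE once the notice window has closed (many contracts then
    auto-renew), DUE SOON within warn_days of it, otherwise OK."""
    deadline = date.fromisoformat(notice_deadline(termination_iso, notice_days))
    remaining = (deadline - date.fromisoformat(today_iso)).days
    if remaining < 0:
        return "OVERDUE"
    if remaining <= warn_days:
        return "DUE SOON"
    return "OK"

# Constructed sample: hosting vendor, March 2024 review period, 99.9% SLA.
MARCH = (datetime(2024, 3, 1), datetime(2024, 4, 1))
SLA_TARGET = 0.999
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 2, 30)),
    Outage(datetime(2024, 3, 30, 23, 0), datetime(2024, 4, 1, 1, 0)),  # crosses month end
]
```

With the sample data, `sla_met(SAMPLE_OUTAGES, *MARCH, SLA_TARGET)` is False because the 25 hours of the second outage that fall inside March push availability well below 99.9%, while `renewal_status("2024-12-31", 90, "2024-09-02")` returns "DUE SOON".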
Ten Key Mistakes - Continued
• Confusing vendor selection with vendor
management
• Going for the lowest price
• No accountability
• Not budgeting for increases due to vendor cost
increases or license growth
• Not keeping the critical details up to date
References
Stories
• DI Internet
• Contacts not available