Successful IT Vendor Management Practices

Date post: 17-Jan-2016
Transcript
Page 1: Successful IT Vendor Management Practices

Successful IT Vendor Management Practices

Kevin Bong

Johnson Financial Group

Page 2

Why – Best Practice

• Get the most value out of your investment

• Protect your corporate and customer data

• Minimize interruptions to customer service and internal operations

• React quickly and effectively to issues

• Have a historical record of vendor service and important events.

Page 3

Why – Regulatory Requirements

• FFIEC Information Security guidelines (based on GLBA and other regulations) have multiple sections on service provider oversight

• Sarbanes-Oxley addresses “Controls provided by third party organizations”

• HIPAA considers many vendors “Covered Entities” or “Business Associates”, with specific requirements

Page 4

Not Covered – Due Diligence in Vendor Selection

• Info on due diligence in Vendor Selection is pretty easy to find

• Vendor Management is a lifecycle, not a procurement event

Page 5

What to do - 10,000 Foot

• Establish a Vendor Relationship Policy

• Establish a formal process for annual vendor reviews

• Assign and train vendor relationship managers

• Establish a mechanism for tracking vendor management activities

Page 6

Which Vendors

• Managing all vendors gets costly

• Which group of vendors gives you the best bang for your buck?

– Access to Customer Information

– Critical for Operations

– Critical to Customer Service

– Based on $ amount of the contract

– Otherwise visible/high risk (website host, video equipment in the CEO’s office)

Page 7

The Vendor Manager role

• Who

– Centralized

– Distributed (with centralized management)

• Skillset and tools

• Time Requirements

• Accountability

Page 8

Tools Overview

• Vendor Management Policy

• Annual review checklist

• Critical Statistics

• Vendor Contract and SLA

• Vendor Management Records

• Open and Resolved Issues List

• Vendor financial and third party review reports

Page 9

Vendor Management Policy

• Describes the organization's beliefs, objectives, and general procedures related to vendor management/service provider oversight

• Key things in ours

– Required/recommended vendors

– Assignment of responsibilities

– Accountability

– Basics of annual reviews

Page 10

Tools – VM Annual Checklist

• Standard list of actions to perform annually

– Researching

– Requesting, reviewing and updating information

– Recording and reporting results

Page 11

Tools – Vendor Questionnaire/Request List

• Standard list of items to be provided by your vendor on an annual basis

• You feel like an auditor; essentially, you are

• If possible, have the obligation to provide this information written into the contract

Page 12

Tools – Critical Statistics

• Contact Information of account personnel

• Contact Information of support personnel

• Any support IDs, account processes

• Who is authorized to request changes

• Key Contract Dates

• Payment Details

Page 13

Tools – Vendor Contract and SLA

• Outlines the services provided and expectations of each entity

• Outlines recourse for resolving issues

• Where is the vendor contract stored?

• Contract termination date

• Date or period of notice prior to renewal or termination

• Insurance coverage of the carrier

• Privacy and other regulatory expectations

Page 14

Tools – Vendor Management Records

• Records and reports of previous vendor management activities for this vendor

• Used to identify trends

• Reminder of concerns from prior reviews: have these been resolved?

Page 15

Tools – Open and Resolved Issues List

• How are requests or issues with the vendor tracked?

• Review of resolved issues

– Appropriate criticality, acceptable resolution

– Any trends

• Review of open issues

– How long open

– Appropriate response and current criticality

Page 16

Vendor Financial Health

• Getting Financial Reports

– Believe it or not, you can get them for free. The Securities and Exchange Commission (SEC) and its EDGAR website give you all sorts of balance sheet information in a company's 10-K and 10-Q reports.

Page 17

Tool – Financial Reports

• http://beginnersinvest.about.com/cs/investinglessons/l/blintroduction.htm

Page 18

Tool – SAS 70 Reports

Page 19

SAS 70 not a stamp of approval

“Salary.com™ Earns SAS 70 Type II Certification. Successful audit highlights commitment …”

• Not a test against best practice or standard

• The tested organization creates the list of controls they want observed and tested

• Report just describes whether the controls are in place, and results of testing the controls

• Will report negative results

• Just having an SAS 70 provides no assurance; unfortunately, you have to read it.

Page 20

SAS 70 report, the meat

Controls Specified by Foo Hosting. Testing Performed by Bong & Associates.

Report columns: Control Objectives, Controls, Testing, Results of Testing

• Control 12.3: The creation of any account with domain admin or higher privileges is approved by IT management and tracked in the IT change management system.

• Testing

– Inquired of Active Directory admin to confirm that new domain admin accounts are approved before creation

– Inspected that the change system has a category for administrative account changes, with a number of changes recorded.

• Results of Testing: Of six administrative accounts created in the last 12 months, a corresponding change record could not be found for one.

• Management Response: Administrative accounts that are created as a result of
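The test behind this slide's result, as an added example that is not from the presentation or from the auditor named on it: reconcile domain admin account creations against change records, flagging accounts with no change record and, one step beyond the slide, accounts whose record was approved only after the account already existed. Account names, change IDs and timestamps are constructed.

```python
"""Reconcile privileged-account creations against change records (control 12.3).

Added example, not from the presentation. An account passes when some change
record names it and was approved before the account was created.
"""
from datetime import datetime

# Constructed: admin accounts created in the review period, e.g. exported by
# the AD admin from the directory's creation timestamps.
ADMIN_ACCOUNTS_CREATED = [
    ("j.smith-da",     "2015-02-10T09:12:00"),
    ("r.patel-da",     "2015-04-03T14:40:00"),
    ("svc-backup-adm", "2015-06-21T02:05:00"),  # no change record at all
    ("t.nguyen-da",    "2015-08-14T11:30:00"),  # record approved after creation
    ("m.garcia-da",    "2015-10-02T16:00:00"),
    ("a.kowalski-da",  "2015-12-18T08:45:00"),
]

# Constructed: records from the change system's "administrative account"
# category as (change id, account referenced, approval timestamp).
CHANGE_RECORDS = [
    ("CHG-1041", "j.smith-da",    "2015-02-09T17:00:00"),
    ("CHG-1133", "r.patel-da",    "2015-04-01T10:15:00"),
    ("CHG-1302", "t.nguyen-da",   "2015-08-15T09:00:00"),  # after the fact
    ("CHG-1377", "m.garcia-da",   "2015-09-30T13:20:00"),
    ("CHG-1490", "a.kowalski-da", "2015-12-17T15:05:00"),
]


def reconcile(accounts, changes):
    """Return test exceptions as {'no_record': [...], 'approved_after_creation': [...]}."""
    approvals_by_account = {}
    for _chg_id, acct, approved in changes:
        approvals_by_account.setdefault(acct, []).append(datetime.fromisoformat(approved))
    findings = {"no_record": [], "approved_after_creation": []}
    for acct, created in accounts:
        created_at = datetime.fromisoformat(created)
        approvals = approvals_by_account.get(acct, [])
        if not approvals:
            findings["no_record"].append(acct)
        elif not any(approved <= created_at for approved in approvals):
            findings["approved_after_creation"].append(acct)
    return findings


if __name__ == "__main__":
    result = reconcile(ADMIN_ACCOUNTS_CREATED, CHANGE_RECORDS)
    print(f"Tested {len(ADMIN_ACCOUNTS_CREATED)} admin accounts; exceptions: {result}")
```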

Page 21

Reviewing the SAS 70 report

• Change management controls

• Code development and testing controls

• Physical and Logical Access Controls

• IT Security controls (Firewalls, IDS)

• Look for negative findings. How many are there, and are they concerning?

• Compare year over year – are they improving or getting worse?

Page 22

Other Red Flags

• Leadership and Strategy Changes

• Bankruptcy filings

– US bankruptcy court filings available online

• Employee Turnover

– Your account team or your favorite support engineers

• Client Turnover

– User groups

– Build relationships with other clients

Page 23

Tools – Google

• “Company Name” and “Press Release”

• Search Google News

• “Company Name” and interesting keywords

– Bankrupt, merge, acquire, fire, resign, president, CEO, stockholders,

Page 24

Recording/Tracking progress or service

Page 25

Performance against SLAs

• Ongoing Monitoring

• Periodic Reviews

Page 26

Support

Page 27

License Compliance

• What is the licensing/pricing model

• Analyze vendor pricing and compare to industry average

• What is your utilization (more seats than contracted for, unused modules, etc.?)

• What is your expectation of growth

Page 28

Product Roadmap

• Get your input

Page 29

Contract Terms

Page 30

Security

• Your associates

• Their environment

– Third Party Review Results

– Your own Testing

Page 31

Business Continuity – Them

Page 32

Business Continuity – You

• Code stored away

Page 33

How to deal with shortfalls

• Document in detail the expectations that are missed

• Establish recurring meetings to review and track progress

Page 34

Special Cases – software development vendor

• Staged Development Environment, testing processes, source control

• Source code ownership, possession

– Consider source code escrow

• Code security

– Consider web app vulnerability scan

• Meeting expectations for feature/functionality, code quality (# of bugs), and release dates

Page 35

Ten Key Mistakes

• Not having a relationship manager

• Not providing resources or training to relationship managers

• Not tracking events or issues

• Not tracking outages against SLAs

• Missing critical dates (especially contract renewal/termination)

Page 36

Ten Key Mistakes - Continued

• Confusing vendor selection with vendor management

• Going for the lowest price

• No accountability

• Not budgeting for increases due to vendor cost increases or license growth.

• Not keeping the critical details up to date

Page 37

References

Page 38

Stories

• DI Internet

• Contacts not available

