Successful IT Vendor Management Practices
Kevin Bong
Johnson Financial Group
Why – Best Practice
• Get the most value out of your investment
• Protect your corporate and customer data
• Minimize interruptions to customer service and internal operations
• React quickly and effectively to issues
• Have a historical record of vendor service and important events.
Why – Regulatory Requirements
• FFIEC Information Security guidelines (based on GLBA and other regulations) have multiple sections on service provider oversight
• Sarbanes Oxley addresses “Controls provided by third party organizations”
• HIPAA considers many vendors “Covered Entities” or “Business Associates”, with specific requirements
Not Covered – Due Diligence in Vendor Selection
• Info on due diligence in Vendor Selection is pretty easy to find
• Vendor Management is a lifecycle, not a procurement event
What to do – 10,000 Foot View
• Establish a Vendor Relationship Policy
• Establish a formal process for annual vendor reviews
• Assign and train vendor relationship managers
• Establish a mechanism for tracking vendor management activities
Which Vendors
• Managing all vendors gets costly
• Which group of vendors gives you the best bang for your buck?
– Access to Customer Information
– Critical for Operations
– Critical to Customer Service
– Based on $ amount of the contract
– Otherwise visible/high risk (website host, video equipment in the CEO’s office)
The Vendor Manager role
• Who
– Centralized
– Distributed (with centralized management)
• Skillset and tools
• Time Requirements
• Accountability
Tools Overview
• Vendor Management Policy
• Annual review checklist
• Critical Statistics
• Vendor Contract and SLA
• Vendor Management Records
• Open and Resolved Issues List
• Vendor financial and third party review reports
Vendor Management Policy
• Describes the organization's beliefs, objectives, and general procedures related to vendor management/service provider oversight
• Key things in ours
– Required/recommended vendors
– Assignment of responsibilities
– Accountability
– Basics of annual reviews
Tools – VM Annual Checklist
• Standard list of actions to perform annually
– Researching
– Requesting, reviewing and updating information
– Recording and reporting results
Tools – Vendor Questionnaire/Request List
• Standard list of items to be provided by your vendor on an annual basis
• You will feel like an auditor; essentially, you are
• If possible, have an obligation to provide this info written in as part of the contract
Tools – Critical Statistics
• Contact Information of account personnel
• Contact Information of support personnel
• Any support IDs and account processes
• Who is authorized to request changes
• Key Contract Dates
• Payment Details
Tools – Vendor Contract and SLA
• Outlines the services provided and expectations of each entity
• Outlines recourse for resolving issues
• Where is the vendor contract stored
• Contract termination date
• Date or period of notice prior to renewal or termination
• Insurance coverage of the carrier
• Privacy and other regulatory expectations
Tools – Vendor Management Records
• Records and reports of previous vendor management activities for this vendor
• Used to identify trends
• Reminder of concerns from prior reviews, have these been resolved?
Tools – Open and Resolved Issues List
• How are requests or issues with the vendor tracked?
• Review of resolved issues
– Appropriate criticality, acceptable resolution
– Any trends
• Review of open issues
– How long open
– Appropriate response and current criticality
Vendor Financial Health
• Getting Financial Reports
– Believe it or not, you can get it for free. The Securities and Exchange Commission (SEC) and its EDGAR website give you all sorts of balance sheet information in a company's 10-K and 10-Q reports.
Tool – Financial Reports
• http://beginnersinvest.about.com/cs/investinglessons/l/blintroduction.htm
Tool – SAS 70 Reports
SAS 70 is not a stamp of approval
“Salary.com™ Earns SAS 70 Type II Certification. Successful audit highlights commitment …”
• Not a test against best practice or standard
• The tested organization creates the list of controls they want observed and tested
• Report just describes whether the controls are in place, and results of testing the controls
• Will report negative results
• Just having an SAS 70 provides no assurance; unfortunately, you have to read it.
SAS 70 report, the meat
Controls Specified by Foo Hosting. Testing Performed by Bong & Associates.
The report is laid out in columns: Control Objectives, Controls, Testing, Results of Testing.
• Control 12.3: The creation of any account with domain admin or higher privileges is approved by IT management and tracked in the IT change management system.
• Testing
– Inquired of Active Directory admin to confirm that new domain admin accounts are approved before creation
– Inspected that the change system has a category for administrative account changes, with a number of changes recorded.
• Results of Testing: Of six administrative accounts created in the last 12 months, a corresponding change record could not be found for one.
• Management Response: Administrative accounts that are created as a result of
Reviewing the SAS 70 report
• Change management controls
• Code development and testing controls
• Physical and Logical Access Controls
• IT Security controls (Firewalls, IDS)
• Look for negative findings. How many are there, and are they concerning?
• Compare year over year – are they improving or getting worse?
Other Red Flags
• Leadership and Strategy Changes
• Bankruptcy filings
– US bankruptcy court filings are available online
• Employee Turnover
– Your account team or your favorite support engineers
• Client Turnover
– User groups
– Build relationships with other clients
Tools – Google
• “Company Name” and “Press Release”
• Search Google News
• “Company Name” and interesting keywords
– Bankrupt, merge, acquire, fire, resign, president, CEO, stockholders
Recording/Tracking progress or service
Performance against SLAs
• Ongoing Monitoring
• Periodic Reviews
Support
License Compliance
• What is the licensing/pricing model
• Analyze vendor pricing and compare to industry average
• What is your utilization (more seats than contracted for, unused modules, etc?)
• What is your expectation of growth
Product Roadmap
• Get your input
Contract Terms
Security
• Your associates
• Their environment
– Third Party Review Results
– Your own Testing
Business Continuity – Them
Business Continuity – You
• Code stored away
How to deal with shortfalls
• Document in detail the expectations that are missed
• Establish recurring meetings to review and track progress
Special Cases – software development vendor
• Staged Development Environment, testing processes, source control
• Source code ownership, possession
– Consider source code escrow
• Code security
– Consider web app vulnerability scan
• Meeting expectations for feature/functionality, code quality (# of bugs), and release dates
Ten Key Mistakes
• Not having a relationship manager
• Not providing resources or training to relationship managers
• Not tracking events or issues
• Not tracking outages against SLAs
• Missing critical dates (especially contract renewal/termination)
Ten Key Mistakes - Continued
• Confusing vendor selection with vendor management
• Going for the lowest price
• No accountability
• Not budgeting for increases due to vendor cost increases or license growth.
• Not keeping the critical details up to date
References
Stories
• DI Internet
• Contacts not available