Successful IT Vendor Management Practices

Presentation Transcript


  1. Successful IT Vendor Management Practices
     Kevin Bong, Johnson Financial Group

  2. Why – Best Practice
     • Get the most value out of your investment
     • Protect your corporate and customer data
     • Minimize interruptions to customer service and internal operations
     • React quickly and effectively to issues
     • Have a historical record of vendor service and important events

  3. Why – Regulatory Requirements
     • FFIEC Information Security guidelines (based on GLBA and other regulations) have multiple sections on service provider oversight
     • Sarbanes-Oxley addresses “Controls provided by third party organizations”
     • HIPAA considers many vendors “Covered Entities” or “Business Associates”, with specific requirements

  4. Not Covered – Due Diligence in Vendor Selection
     • Information on due diligence in vendor selection is pretty easy to find
     • Vendor management is a lifecycle, not a procurement event

  5. What to do – 10,000 Foot
     • Establish a Vendor Relationship Policy
     • Establish a formal process for annual vendor reviews
     • Assign and train vendor relationship managers
     • Establish a mechanism for tracking vendor management activities

  6. Which Vendors
     • All vendors get costly
     • Which group of vendors gives you the best bang for your buck?
       • Access to customer information
       • Critical for operations
       • Critical to customer service
       • Based on $ amount of the contract
       • Otherwise visible/high risk (website host, video equipment in the CEO’s office)

  7. The Vendor Manager role
     • Who
       • Centralized
       • Distributed (with centralized management)
     • Skillset and tools
     • Time requirements
     • Accountability

  8. Tools Overview
     • Vendor Management Policy
     • Annual review checklist
     • Critical Statistics
     • Vendor Contract and SLA
     • Vendor Management Records
     • Open and Resolved Issues List
     • Vendor financial and third party review reports

  9. Vendor Management Policy
     • Describes the organization’s beliefs, objectives, and general procedures related to vendor management/service provider oversight
     • Key things in ours
       • Required/recommended vendors
       • Assignment of responsibilities
       • Accountability
       • Basics of annual reviews

  10. Tools – VM Annual Checklist
     • Standard list of actions to perform annually
       • Researching
       • Requesting, reviewing and updating information
       • Recording and reporting results

  11. Tools – Vendor Questionnaire/Request List
     • Standard list of items to be provided by your vendor on an annual basis
     • You feel like an auditor; essentially, you are
     • If possible, have an obligation to provide this information written into the contract

  12. Tools – Critical Statistics
     • Contact information of account personnel
     • Contact information of support personnel
     • Any support IDs, account processes
     • Who is authorized to request changes
     • Key contract dates
     • Payment details

  13. Tools – Vendor Contract and SLA
     • Outlines the services provided and expectations of each entity
     • Outlines recourse for resolving issues
     • Where is the vendor contract stored
     • Contract termination date
     • Date or period of notice prior to renewal or termination
     • Insurance coverage of the carrier
     • Privacy and other regulatory expectations

  14. Tools – Vendor Management Records
     • Records and reports of previous vendor management activities for this vendor
     • Used to identify trends
     • Reminder of concerns from prior reviews: have these been resolved?

  15. Tools – Open and Resolved Issues List
     • How are requests or issues with the vendor tracked?
     • Review of resolved issues
       • Appropriate criticality, acceptable resolution
       • Any trends
     • Review of open issues
       • How long open
       • Appropriate response and current criticality

  16. Vendor Financial Health
     • Getting financial reports
       • Believe it or not, you can get it for free. The Securities and Exchange Commission (SEC) and its EDGAR website give you all sorts of balance sheet information in a company’s 10-K and 10-Q reports.

  17. Tool – financial reports
     • http://beginnersinvest.about.com/cs/investinglessons/l/blintroduction.htm

  18. Tool – SAS 70 Reports

  19. SAS 70 not a stamp of approval
     “Salary.com™ Earns SAS 70 Type II Certification. Successful audit highlights commitment …”
     • Not a test against a best practice or standard
     • The tested organization creates the list of controls they want observed and tested
     • The report just describes whether the controls are in place, and the results of testing the controls
     • Will report negative results
     • Just having an SAS 70 provides no assurance; unfortunately, you have to read it.

  20. SAS 70 report, the meat
     Control Objectives, Controls, Testing, Results of Testing

  21. Reviewing the SAS 70 report
     • Change management controls
     • Code development and testing controls
     • Physical and logical access controls
     • IT security controls (firewalls, IDS)
     • Look for negative findings: how many are there, and are they concerning?
     • Compare year over year: are they improving or getting worse?

  22. Other Red Flags
     • Leadership and strategy changes
     • Bankruptcy filings
       • US bankruptcy court filings available online
     • Employee turnover
       • Your account team or your favorite support engineers
     • Client turnover
       • User groups
       • Build relationships with other clients

  23. Tools – Google
     • “Company Name” and “Press Release”
     • Search Google News
     • “Company Name” and interesting keywords
       • Bankrupt, merge, acquire, fire, resign, president, CEO, stockholders,

  24. Recording/Tracking progress or service

  25. Performance against SLAs
     • Ongoing monitoring
     • Periodic reviews

  26. Support

  27. License Compliance
     • What is the licensing/pricing model
     • Analyze vendor pricing and compare to industry average
     • What is your utilization (more seats than contracted for, unused modules, etc.?)
     • What is your expectation of growth

  28. Product Roadmap
     • Get your input

  29. Contract Terms

  30. Security
     • Your associates
     • Their environment
     • Third party review results
     • Your own testing

  31. Business Continuity – Them

  32. Business Continuity – You
     • Code stored away

  33. How to deal with shortfalls
     • Document in detail the expectations that are missed
     • Establish recurring meetings to review and track progress

  34. Special Cases – software development vendor
     • Staged development environment, testing processes, source control
     • Source code ownership, possession
       • Consider source code escrow
     • Code security
       • Consider web app vulnerability scan
     • Meeting expectations for feature/functionality, code quality (# of bugs), and release dates

  35. Ten Key Mistakes
     • Not having a relationship manager
     • Not providing resources or training to relationship managers
     • Not tracking events or issues
     • Not tracking outages against SLAs
     • Missing critical dates (especially contract renewal/termination)

  36. Ten Key Mistakes – Continued
     • Confusing vendor selection with vendor management
     • Going for the lowest price
     • No accountability
     • Not budgeting for increases due to vendor cost increases or license growth
     • Not keeping the critical details up to date

  37. References

  38. Stories
     • DI Internet
     • Contacts not available
