Vendor Management & Technology
John V. Levonick, Legal and Compliance Lead
Copyright © 2014 Accenture All rights reserved.
Key Components to Vendor Management Program
• Risk Scoring and Vendor Assessment
• Modern Software Architecture and Delivery Methodology: Technology Knowledge
• Contracts Elements
• Key Contractual Provisions – Service Level Agreements
Risk-Scoring and Vendor Assessment Considerations
• The adequacy of the Vendor's internal controls;
– ISO 27001; SSAE 16 / SOC 1, 2, 3; SAS-70 Type I and II,
– Vulnerability Assessments,
– Client Data Protection: Policy, Practice and Protocols (Pass-Through, Archive, Purge),
– Regulatory Awareness,
– Embedded Software and Third Party Service Providers,
• The relationship of the technology/service to the transaction (for example, the number and dollar volume of transactions, and their complexity);
– Secondary Provider
– Transition and Migration Plan
– Business Continuity - Manual Processes or Bypass Solution
• The evolution of the technology and commitment to enhancements and product development;
Due Diligence for Vendor Selection and the Ongoing Audit Obligations of Vendors
Risk-Scoring and Vendor Assessment Considerations - II
• The nature of the architecture and deployment/delivery methodology;
– elasticity and ramp-up speed to handle spikes in volume,
– business continuity and disaster recovery: geographically disparate and redundant,
– client data protection and security protocols,
– the impact on dependent critical business processes,
– potential financial impact: hourly, daily, weekly,
– planned conversions,
– economic and regulatory environment;
Risk-Scoring and Vendor Assessment Considerations - III
• The physical and logical security of delivery, information, equipment, and premises;
• The adequacy of operating management oversight and monitoring;
• Financial wherewithal of the Vendor, commitment to space, diverse business lines;
• Previous regulatory and audit results and management's responsiveness in addressing issues;
• Human resources, including the experience of management and staff, turnover, technical competence, management's succession plan, and the degree of delegation; and
• Senior management oversight and critical employees.
Modern Software Architecture and Delivery Methodology
The IP Lawyer's Definition:
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Source: NIST Special Publication 800-145
• What does SaaS, IaaS, PaaS Mean?
• What does Hosted Mean? What does the Cloud Mean?
– Private Cloud (Single Tenant), Public Cloud (Multi-Tenant), Hybrid
• Co-location Centers, Fully Replicated and Fail Over.
• Servers vs. Virtual Machines (VMs)
• Rendering Capability and BYOD
Key Contractual Components for Mission Critical Software Applications
• Termination Rights for Breach and Data Transition/Migration Plan
• Data Ownership and Audit Rights
• IP Preservation: Business Process, Know How
• Note Industry Standards for Internal Controls and Self-Assessment:
– ISO/IEC 27001
– SSAE 16 / SOC1,2&3
– SAS-70 / Type I and II
• BCDR
– Redundancy and Geographic Disparity
– Replication Time Objective and Recovery Point Objective
– Fail Over Triggers and Determination, Active/Active.
• Pandemic Plan (if applicable)
• Releases, Versions and Hot-Fixes: Documentation, QC, Training.
• Mortgage Lending: 201 CMR 17.00 et seq.
Key Contractual Component: Service Level Agreement
Who is responsible when something does not work, who will fix it, whose fault is it, and how soon will it be fixed?
• Uptime Assurance – What do 99.99% and 24/7/365 actually mean?
• Downtime
– Service and Scheduled Maintenance Windows
– Emergency Maintenance
– Force Majeure Event
• Issue Identification, Replication, Classification and Remediation – Severity Level Assignment
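The uptime and downtime bullets above only become checkable once you turn the percentage into a downtime budget over a measurement period and decide which of the listed downtime categories count against it. The following added example (not from the slides, and not Accenture code) does that for a constructed outage log; it assumes contract terms under which scheduled maintenance windows and force majeure events are excluded from downtime while emergency maintenance counts, and it merges overlapping outage records so concurrent events are not double-counted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Outage:
    start: datetime
    end: datetime
    cause: str  # "incident", "scheduled_maintenance", "emergency_maintenance", "force_majeure"

# Assumed contract terms (not stated on the slide): scheduled maintenance windows and
# force majeure events are excluded from downtime; emergency maintenance counts.
EXCLUDED_CAUSES = {"scheduled_maintenance", "force_majeure"}

def downtime_budget(target_pct, period):
    """Downtime allowed by an uptime commitment (e.g. 99.99%) over a measurement period."""
    return timedelta(seconds=period.total_seconds() * (100 - target_pct) / 100)

def counted_downtime(outages, period_start, period_end, excluded=EXCLUDED_CAUSES):
    """Sum non-excluded outage time inside the period, merging overlapping spans
    so concurrent events are not double-counted."""
    spans = []
    for o in outages:
        if o.cause in excluded:
            continue
        s, e = max(o.start, period_start), min(o.end, period_end)  # clip to the period
        if e > s:
            spans.append((s, e))
    total, cur_s, cur_e = timedelta(), None, None
    for s, e in sorted(spans):
        if cur_e is not None and s <= cur_e:
            cur_e = max(cur_e, e)  # overlaps the current span: extend it
        else:
            if cur_e is not None:
                total += cur_e - cur_s
            cur_s, cur_e = s, e
    return total + (cur_e - cur_s if cur_e is not None else timedelta())

def sla_report(outages, period_start, period_end, target_pct):
    period = period_end - period_start
    down = counted_downtime(outages, period_start, period_end)
    budget = downtime_budget(target_pct, period)
    return {"availability_pct": 100 * (1 - down / period), "counted_downtime": down,
            "budget": budget, "breached": down > budget}

# Constructed sample outage log for calendar year 2014 (not real data).
PERIOD_START, PERIOD_END = datetime(2014, 1, 1), datetime(2015, 1, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2014, 2, 3, 9, 0), datetime(2014, 2, 3, 9, 40), "incident"),
    Outage(datetime(2014, 5, 11, 1, 0), datetime(2014, 5, 11, 5, 0), "scheduled_maintenance"),
    Outage(datetime(2014, 11, 6, 22, 0), datetime(2014, 11, 6, 22, 30), "incident"),
    Outage(datetime(2014, 11, 6, 22, 20), datetime(2014, 11, 6, 22, 30), "emergency_maintenance"),
]
```

On the sample log, 70 counted minutes exceed the roughly 52.6-minute annual budget of a 99.99% commitment, so the report flags a breach even though the raw log shows far more outage time; which categories the contract excludes decides the outcome.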
Service Level Agreements: Severity Levels
• Critical Business Impact – Complete loss of business process; no “intended use” can occur. No workaround exists.
• Significant Business Impact – Technology / Service is usable and “intended use” is obtainable; however, degradation of service is significantly impacting the business. No workaround exists.
• Moderate Business Impact – Technology / Service is usable and “intended use” is obtainable; work can continue in an impaired manner with only moderate business impact. A workaround does exist.
• Minimal Business Impact – Business process is substantially functional and “intended use” is obtainable with only minor or no impediment of services. A workaround may or may not exist.
• Issue Prioritization
• Credits and Termination Rights
QUESTIONS?
John V. Levonick
Legal and Compliance Lead, Accenture Software