Supplier And Service Provider Governance Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney

Post on 13-Feb-2017

Page 1: Supplier And Service Provider Governance

Supplier And Service Provider Governance

Alan McSweeney

http://ie.linkedin.com/in/alanmcsweeney

Page 2: Supplier And Service Provider Governance

Management Of IT Suppliers And Service Providers

• Management of IT suppliers and service providers relates to the operational aspects of the sourcing relationship after the selection process

• Involves the monitoring and measurement of IT suppliers’ and service providers’ performance and of the organisation’s performance in handling suppliers and service providers

• Involves the management of risks associated with the organisation’s use of suppliers and service providers

• Concerned here with the initial and ongoing supplier/service provider approach to audit, validation and assessment to reduce risk to the sourcing organisation
− Not the validation of the functionality of the specific solution or service

February 9, 2016 2

Page 3: Supplier And Service Provider Governance

IT Supplier And Service Provider Acquisition And Management

• The IT function is becoming largely a manager of suppliers and service providers across a wide range of products, solutions and services

• When products and services are outsourced, the risks of the suppliers and service providers are inherited by the acquiring organisation

• Effective supplier selection and ongoing assessment, validation and management are important skills for the IT function

• Adopting a structured, repeatable, easily implemented and operated approach to this should be considered by the IT function

• Reduce the costs (and the risks) of poor supplier and service provider selection and service delivery and improve the quality of service delivery

• Ensure better control of assets and resources

• Support and enable collaboration with and innovation by suppliers and service providers where appropriate

• Vendor governance during the life of the sourcing arrangement is crucial

• Sourcing should not be a “fire and forget” activity


Page 4: Supplier And Service Provider Governance

IT Function Facilitates The Selection Of Suppliers And Service Providers To Meet Business Needs

(Diagram: Business Functions → IT Function → Suppliers And Service Providers. IT mediates between the business and the supplier ecosystem, acting as a lens focussing business needs on appropriate suppliers; IT needs to focus the business needs for services on appropriate suppliers.)

Page 5: Supplier And Service Provider Governance

IT Function As Mediator, Facilitator And Intermediary

(Diagram of the IT function as mediator. Business: “I want a solution/service.” IT function: “I understand your needs and will select an appropriate supplier/service provider.” Once the delivery supplier/service provider is selected, IT function: “I manage the supplier/service provider’s delivery of the solution/service.”)

Page 6: Supplier And Service Provider Governance

Spectrum Of Sourcing And Service Supply Arrangements

(Diagram: sourcing and service supply arrangements placed along an axis of potential duration of the sourcing and service supply arrangement.)

• Product Supply

• Support and Maintenance

• Consulting

• Installation and Customisation

• Externally Hosted Service/Cloud/xaaS

• Service Provision/xSourcing

Page 7: Supplier And Service Provider Governance

Key Activities During Sourcing

(Diagram: sourcing lifecycle phases and the activities within and across them.)

• Lifecycle phases: Analysis and Identification; Initiation/Transition; Service Delivery Management and Governance; Service Delivery Completion

• Lifecycle activities: Sourcing Opportunity Analysis; Sourcing Approach; Sourcing Planning; Service Provider Evaluation; Sourcing Agreement; Service Transfer; Sourced Services Management; Sourcing Completion/Handover

• Ongoing management activities: Sourcing Strategy Management; Governance Management; Relationship Management; Value Management; Technology Management; People Management; Knowledge Management; Organisational Change Management; Threat Management

Page 8: Supplier And Service Provider Governance

Activities During Sourcing

• Full set of possible activities to be performed during the management and governance of a sourcing engagement

• Actual set of activities will depend on the profile of the sourcing engagement


Page 9: Supplier And Service Provider Governance

IT Supplier And Service Provider Acquisition And Management – Key Focus Areas And Competencies

(Diagram: key focus areas and competencies.)

• Sourcing Strategy And Objectives Definition

• Opportunity Identification And Business Engagement

• Supplier And Service Provider Engagement And Service Delivery

• Order Management

• Sourcing Termination/Transfer To Different Supplier And Service Provider

• Sourcing Strategy Evaluation And Update

• Sourcing Procedure And Process Definition

• Sourcing Template Creation

• Sourcing Measurement And Monitoring Definition

• Supplier And Service Provider Identification, Evaluation And Selection

• Contract Definition, Negotiation And Closing

• Sourcing Governance Definition

• Organisation Change, Supplier And Service Provider Integration, Transition And Transformation

• Contract Management

• Supplier And Service Provider Assessment And Management

• Performance Monitoring And Measurement

• Service Improvement

• Supplier And Service Provider Risk Management

• Solution/Service And Supplier/Service Provider Evaluation Factors

Page 10: Supplier And Service Provider Governance

IT Supplier And Service Provider Acquisition And Management – Key Focus Areas And Competencies

• Sets of skills the IT function needs to be good at to deliver on effective sourcing and acquisition

• Not all focus areas apply to all supplier and service provider types and types of sourcing relationship


Page 11: Supplier And Service Provider Governance

IT Supplier And Service Provider Acquisition And Management – Assessment, Measurement And Validation Areas

(Diagram: the key focus areas and competencies from page 9, showing where assessment, measurement and validation fit.)

Page 12: Supplier And Service Provider Governance

IT Supplier And Service Provider Acquisition And Management – Assessment, Measurement And Validation Areas

• Assessment, measurement and validation involves both general supplier/service provider assessments and service/solution specific assessments

• General supplier/service provider assessment and validation is used to identify and reduce risk

• Assessment and measurement comprises:
− Definition of approach
− Implementation and operation

Page 13: Supplier And Service Provider Governance

IT Supplier And Service Provider Acquisition And Management – Assessment, Measurement And Validation Areas

• Sourcing Measurement And Monitoring Definition – define approaches to assessing different types of suppliers and service providers and types of solution and service

• Solution/Service And Supplier/Service Provider Evaluation Factors – define solution/service specific evaluation factors

• Supplier And Service Provider Identification, Evaluation And Selection – apply solution/service specific evaluation factors to evaluate vendors and their solutions/services and apply general vendor assessment

• Supplier And Service Provider Assessment and Management – ongoing solution and service provider assessment and validation

• Performance Monitoring And Measurement – measure delivery of the specific solution/service according to defined and agreed values

Page 14: Supplier And Service Provider Governance

Assessment, Measurement And Validation Throughout Selection And Delivery

(Diagram: assessment, measurement and validation activities, each split into a Define stage and an Implement and Operate stage.)

• Solution specific assessment/validation
− Define: define service/solution specific evaluation factors
− Implement and operate: evaluate and score the service/solution using the defined evaluation factors

• Solution specific performance measurement
− Define: define service/solution specific performance measurement factors
− Implement and operate: measure delivery of the service/solution using the defined factors

• Supplier/service provider common assessment/validation
− Define: define supplier/service provider specific evaluation factors
− Implement and operate: evaluate and score the supplier/service provider using the defined evaluation factors

• Supplier/service provider performance measurement
− Define: define supplier/service provider specific performance measurement factors
− Implement and operate: measure delivery by the supplier/service provider using the defined factors

Page 15: Supplier And Service Provider Governance

Concerned Here With Common Framework For Supplier/Service Provider Validation

(Same diagram as page 14; the focus here is the supplier/service provider common assessment/validation and performance measurement rows.)

Page 16: Supplier And Service Provider Governance

Operation Of A Service

(Diagram: the service provider’s internal operation of the service; service delivery to the service users; measurement of service delivery sits between the service provider and the service users.)

Page 17: Supplier And Service Provider Governance

Operation Of A Service

• Acquiring organisation should not be concerned with the internals of the service - only with the results and outcomes

• Acquiring organisation should be concerned with and measure the delivery of the service using agreed performance gauges

• Acquiring organisation should audit the service provider to assess risks


Page 18: Supplier And Service Provider Governance

Supplier Validation During Sourcing And Service Delivery

• Supplier validation should be performed initially during supplier transition and regularly thereafter during the life of the sourcing arrangement

• Audit the controls put in place by the supplier/service provider, and their operation, to reduce the risk to the sourcing organisation

(Diagram: the sourcing lifecycle phases, Analysis and Identification, Initiation/Transition, Service Delivery Management and Governance and Service Delivery Completion, with Initial Supplier Validation during Initiation/Transition and Regular Supplier Re-validation during Service Delivery Management and Governance.)

Page 19: Supplier And Service Provider Governance

Components Of An Operational Sourced Solution

(Diagram: components of an operational sourced solution.)

• Operational Solution: Software; Infrastructure; Information and Data; Use, Operational, Support and Management Teams; Operation and Support Processes and Services

Page 20: Supplier And Service Provider Governance

Components Of An Operational Sourced Solution

• Concerned here with the operational solution after it has been implemented:
− Software – packaged and custom applications that either run or support the operation and use of the applications
− Infrastructure – physical facilities on which the solution software runs or which enable it to run
− Information and Data – information supplied to or generated by and stored by the solution application components
− Use, Operational, Support and Management Teams – set of services and personnel involved in the use, operation and management of the solution or service
− Operation and Support Processes and Services – the set of manual and automated processes related to the use, operation and management of the solution or service

Page 21: Supplier And Service Provider Governance

Supplier And Service Provider Validation

• Supplier should expect regular validation and auditing during the lifetime of the sourcing activity

Page 22: Supplier And Service Provider Governance

Vendor Assessment Depends On The Type Of Product/Service

• The amount of effort spent on validating suppliers and service providers should be based on the size, cost, importance and type of product/service being provided


Page 23: Supplier And Service Provider Governance

Key Dimensions Of Solution/Service

(Diagram: solution/service factors.)

• Split Between Product And Service

• Extent Of Customisation

• Type Of Engagement

• Expected Duration Of Business Relationship

• Importance of Product/Service

• Expected/Contracted Cost

• Size/Extent Of Product/Service

• Experience And Proven Ability Of Supplier

• Novelty Of Product/Service

• Complexity Of Product/Service

• Security, Performance, Reliability, Availability Requirements Of Product/Service

• Implementation/Transition Effort And Time

• Availability Of Skills And Experience With Product/Service

Page 24: Supplier And Service Provider Governance

Key Dimensions Of Solution/Service

• Dimensions affect how the supplier/service provider should be validated – a set of risk factors that dictate the level of supplier governance necessary:
− Split Between Product And Service – mix between pure product and services
− Extent Of Customisation
− Type Of Engagement – consulting/analysis/implementation and mix of services of these types
− Expected Duration Of Business Relationship – how long the service will be provided for or is contracted for
− Importance of Product/Service – sensitivity and importance of the product/service to the organisation
− Expected/Contracted Cost – how much the product/service is expected to cost or the contracted cost
− Size/Extent Of Product/Service – the amount of effort and the number of parties and stakeholders involved in or affected by the product/service
− Experience And Proven Ability Of Supplier – how experienced the supplier is in successfully delivering the product/service
− Novelty Of Product/Service – how new or well-proven the underlying technology and approach of the product/service is
− Complexity Of Product/Service – how complex the product/service is: number of components and interfaces
− Security, Performance, Reliability, Availability Requirements Of Product/Service – whether there are specific requirements of the product/service in these areas
− Implementation/Transition Effort And Time – the estimated or expected effort and time to implement or transition to the product/service
− Availability Of Skills And Experience With Product/Service – how readily available skills are within the organisation

Page 25: Supplier And Service Provider Governance

Profiling The Solution/Service Governance Requirements

(Diagram: the solution/service factors plotted against the degree of validation and governance required.)

Page 26: Supplier And Service Provider Governance

Profiling The Solution/Service Governance Requirements

• More complex, costly, lengthy solutions/services require greater governance

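As an added example that is not part of the original presentation, the following Python script profiles a sourcing engagement on the thirteen solution/service dimensions listed above and maps the result to a degree of validation and governance, including a re-validation interval. The 1 to 5 rating scale, the weights, the tier thresholds, the "floor" rule for critical dimensions and the intervals are assumptions chosen for illustration.

```python
"""Governance profiling for a sourced solution/service.

Added example, not part of the original presentation. It rates a sourcing
engagement on the thirteen solution/service dimensions from the deck,
combines them into a weighted risk score and maps the score to a degree of
validation and governance. The weights, the 1-5 rating scale, the tier
thresholds, the "floor" rule for critical dimensions and the re-validation
intervals are all assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# The thirteen dimensions from the deck, each rated 1 (low risk) to 5 (high
# risk) by the acquiring organisation. Relative weights are assumptions.
DIMENSION_WEIGHTS = {
    "split_between_product_and_service": 1.0,
    "extent_of_customisation": 1.5,
    "type_of_engagement": 1.0,
    "expected_duration_of_relationship": 1.5,
    "importance_of_product_service": 2.0,
    "expected_contracted_cost": 1.5,
    "size_extent_of_product_service": 1.5,
    "experience_and_proven_ability_of_supplier": 2.0,
    "novelty_of_product_service": 1.5,
    "complexity_of_product_service": 1.5,
    "security_performance_reliability_availability_requirements": 2.0,
    "implementation_transition_effort_and_time": 1.0,
    "availability_of_skills_and_experience": 1.0,
}

# Dimensions where a rating of 5 on its own warrants at least "enhanced"
# governance, whatever the weighted total says (assumed policy).
FLOOR_DIMENSIONS = {
    "importance_of_product_service",
    "security_performance_reliability_availability_requirements",
}

# Governance tiers from least to most demanding, with an assumed interval
# (months) for the regular supplier re-validation the deck calls for.
TIERS = [("basic", 24), ("standard", 12), ("enhanced", 6), ("intensive", 3)]
TIER_THRESHOLDS = (0.35, 0.55, 0.75)  # score at or above each boundary moves up a tier


@dataclass
class GovernanceProfile:
    score: float            # weighted risk as a share of the maximum (0.0 .. 1.0)
    tier: str
    revalidation_months: int
    drivers: list = field(default_factory=list)  # dimensions rated 4 or 5, heaviest first


def rate(**overrides):
    """Build a complete rating dict: every dimension 1 unless overridden."""
    ratings = {name: 1 for name in DIMENSION_WEIGHTS}
    ratings.update(overrides)
    return ratings


def profile(ratings):
    """Derive the governance profile for one engagement from its ratings."""
    missing = set(DIMENSION_WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated dimensions: {sorted(missing)}")
    for name, value in ratings.items():
        if name not in DIMENSION_WEIGHTS:
            raise ValueError(f"unknown dimension: {name}")
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name}: rating must be an integer 1..5, got {value!r}")

    max_total = 5 * sum(DIMENSION_WEIGHTS.values())
    total = sum(DIMENSION_WEIGHTS[n] * ratings[n] for n in DIMENSION_WEIGHTS)
    score = total / max_total

    tier_index = sum(1 for boundary in TIER_THRESHOLDS if score >= boundary)
    # Floor rule: a critical dimension at 5 forces at least "enhanced", so a
    # cheap, short engagement with high security requirements is not waved
    # through on its low total alone.
    if any(ratings[n] == 5 for n in FLOOR_DIMENSIONS):
        tier_index = max(tier_index, 2)

    drivers = sorted((n for n in DIMENSION_WEIGHTS if ratings[n] >= 4),
                     key=lambda n: (-DIMENSION_WEIGHTS[n], n))
    name, months = TIERS[tier_index]
    return GovernanceProfile(round(score, 3), name, months, drivers)


# Constructed sample: a long-term, externally hosted service for a critical system.
OUTSOURCED_CRITICAL_SYSTEM = rate(
    split_between_product_and_service=4, extent_of_customisation=3,
    type_of_engagement=3, expected_duration_of_relationship=5,
    importance_of_product_service=5, expected_contracted_cost=4,
    size_extent_of_product_service=4, experience_and_proven_ability_of_supplier=2,
    novelty_of_product_service=3, complexity_of_product_service=4,
    security_performance_reliability_availability_requirements=5,
    implementation_transition_effort_and_time=4,
    availability_of_skills_and_experience=3,
)

if __name__ == "__main__":
    for label, ratings in [("commodity product supply", rate()),
                           ("outsourced critical system", OUTSOURCED_CRITICAL_SYSTEM)]:
        p = profile(ratings)
        print(f"{label}: score {p.score}, {p.tier} governance, "
              f"re-validate every {p.revalidation_months} months; drivers: {p.drivers}")
```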

Page 27: Supplier And Service Provider Governance

Approaches To Supplier And Service Provider Validation

• ITIL – service delivery management framework

• COBIT – framework for governance and management of the IT function

• Service Organisation Controls – audit approach to supplier and service provider validation

• CMMI eSourcing Capability Model for Client Organisations (eSCM-CL) – capability model for organisations that acquire IT services


Page 28: Supplier And Service Provider Governance

ITIL Process Structure

(Diagram: ITIL process structure under Service Management.)

• Service Strategy: Service Portfolio Management; Financial Management

• Service Design: Service Catalogue Management; Service Level Management; Risk Management; Capacity Management; Availability Management; IT Service Continuity Management; IT Security Management; Compliance Management; IT Architecture Management; Supplier Management

• Service Transition: Change Management; Project Management (Transition Planning and Support); Release and Deployment Management; Service Validation and Testing; Application Development and Customisation; Service Asset and Configuration Management; Knowledge Management

• Service Operation: Event Management; Incident Management; Request Fulfilment; Access Management; Problem Management; IT Operations Management; IT Facilities Management

• Continual Service Improvement: Service Evaluation; Process Evaluation; Definition of CSI Initiatives; CSI Monitoring

Page 29: Supplier And Service Provider Governance

ITIL Process Structure

• ITIL is concerned with the set of processes that may be implemented by the service provider to deliver the contracted services

• In the context of service provision, these are used by the service provider and not by the acquiring organisation

• Service provider should measure its own service performance


Page 30: Supplier And Service Provider Governance

Service Organisation Controls

• Service Organisation Controls (SOC) originally related to auditing of financial transactions performed by third parties and the controls in place

• Work designed to be performed by the organisation’s external auditors

• Extended to cover the operation of the service and its compliance with security, availability, reliability, confidentiality and privacy

• Three reports:
− SOC 1 – statement of financial controls only
− SOC 2 – detailed report for internal use
− SOC 3 – version of SOC 2 designed to be published

• Two report types:
− Type 1 – description of the controls in place at a point in time
− Type 2 – describes the validation tests performed and their results with historical analysis

Page 31: Supplier And Service Provider Governance

Service Organisation Controls – History And Evolution

• 1993 – Statement on Auditing Standards (SAS) No. 70, Service Organizations

• 2008 – Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

• 2010 – Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization

• 2011 – International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization

• 2015 – Updated Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy


Page 32: Supplier And Service Provider Governance

Service Organisation Controls

• This approach can be adapted and used internally by the IT function to perform initial and regular subsequent audits of suppliers


Page 33: Supplier And Service Provider Governance

Service Organisation Controls Structure

(Diagram: Service Organisation Controls structure.)

• Common Controls: Organisation and Management; Communications; Risk Management and Design and Implementation of Controls; Monitoring of Controls; Logical and Physical Access Controls; System Operations; Change Management

• Control areas: Security; Availability; Processing Integrity; Confidentiality; Privacy

Page 34: Supplier And Service Provider Governance

Service Organisation Controls Structure

• Set of common controls to be applied across the areas of Security, Availability, Processing Integrity and Confidentiality

• Privacy controls can be separated

• Individual sets of controls defined for the areas of Security, Availability, Processing Integrity and Confidentiality

• 53 controls in total across all topics


Page 35: Supplier And Service Provider Governance

Common Controls – Organisation and Management

1. The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

2. Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring and approving the Service Provider/Supplier’s Solution/Service controls are assigned to individuals within the Service Provider/Supplier with authority to ensure policies and other solution/service requirements are effectively promulgated and placed in operation.

3. Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the Solution/Service affecting Security/Availability/Processing Integrity/Confidentiality have the qualifications and resources to fulfil their responsibilities.

4. The Service Provider/Supplier has established workforce conduct standards, implemented workforce candidate background screening procedures and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

Page 36: Supplier And Service Provider Governance

Common Controls – Communications

1. Information regarding the design and operation of the Solution/Service and its boundaries has been prepared and communicated to authorised internal and external Solution/Service users to permit users to understand their role in the Solution/Service and the results of Solution/Service operation.

2. The Service Provider/Supplier’s Security/Availability/Processing Integrity/Confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated Solution/Service requirements are communicated to internal Solution/Service users to enable them to carry out their responsibilities.

3. The Service Provider/Supplier communicates the responsibilities of internal and external users and others whose roles affect Solution/Service operation.

4. Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining and monitoring controls relevant to the Security/Availability/Processing Integrity/Confidentiality of the Solution/Service have the information necessary to carry out those responsibilities.

5. Internal and external Solution/Service users have been provided with information on how to report Security/Availability/Processing Integrity/Confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.

6. Solution/Service changes that affect internal and external Solution/Service user responsibilities or the Service Provider/Supplier’s commitments and requirements relevant to Security/Availability/Processing Integrity/Confidentiality are communicated to those users in a timely manner.

Page 37: Supplier And Service Provider Governance

Common Controls – Risk Management And Design And Implementation Of Controls

1. The Service Provider/Supplier:
− Identifies potential threats that would impair the Solution/Service’s Security/Availability/Processing Integrity/Confidentiality commitments and requirements
− Analyses the significance of risks associated with the identified threats
− Determines mitigation strategies for those risks (including controls and other mitigation strategies).

2. The Service Provider/Supplier designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.

3. The Service Provider/Supplier:
− Identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could significantly affect the Solution/Service’s internal controls for Security/Availability/Processing Integrity/Confidentiality and reassesses risks and mitigation strategies based on the changes
− Reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.

Page 38: Supplier And Service Provider Governance

Common Controls – Monitoring Of Controls

1. The design and operating effectiveness of controls are periodically evaluated against Security/Availability/Processing Integrity/Confidentiality commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

Page 39: Supplier And Service Provider Governance

Common Controls – Logical And Physical Access Controls

1. Logical access security software, infrastructure, and architectures have been implemented to support:
− Identification and authentication of authorised users
− Restriction of authorised user access to Solution/Service components, or portions thereof, authorised by management, including hardware, data, software, mobile devices, output, and offline elements
− Prevention and detection of unauthorised access.

2. New internal and external Solution/Service users are registered and authorised prior to being issued Solution/Service credentials, and granted the ability to access the Solution/Service. User Solution/Service credentials are removed when user access is no longer authorised.

3. Internal and external Solution/Service users are identified and authenticated when accessing the Solution/Service components (for example, infrastructure, software, and data).

4. Access to data, software, functions, and other IT resources is authorised and is modified or removed based on roles, responsibilities, or the Solution/Service design and changes to them.

5. Physical access to facilities housing the Solution/Service (for example, data centres, backup media storage, and other sensitive locations as well as sensitive Solution/Service components within those locations) is restricted to authorised personnel.

6. Logical access security measures have been implemented to protect against Security/Availability/Processing Integrity/Confidentiality threats from sources outside the boundaries of the Solution/Service.

7. The transmission, movement, and removal of information is restricted to authorised users and processes, and is protected during transmission, movement, or removal, enabling the Service Provider/Supplier to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

8. Controls have been implemented to prevent or detect and act upon the introduction of unauthorised or malicious software.

Page 40: Supplier And Service Provider Governance

Common Controls – System Operations

1. Vulnerabilities of Solution/Service components to Security/Availability/Processing Integrity/Confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.

2. Security/Availability/Processing Integrity/Confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

Page 41: Supplier And Service Provider Governance

Common Controls – Change Management

1. Security/Availability/Processing Integrity/Confidentiality commitments and requirements are addressed during the Solution/Service implementation lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of Solution/Service components.

2. Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the Solution/Service commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

3. Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during Solution/Service operation and monitoring.

4. Changes to Solution/Service components are authorised, designed, developed, configured, documented, tested, approved, and implemented in accordance with Security/Availability/Processing Integrity/Confidentiality commitments and requirements.

Page 42: Supplier And Service Provider Governance

Availability Controls

1. Current processing capacity and usage are maintained, monitored, and evaluated to manage demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.

2. Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.

3. Procedures supporting Solution/Service recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.

Page 43: Supplier And Service Provider Governance

Processing Integrity Controls

1. Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.

2. Solution/Service inputs are measured and recorded completely, accurately, and in a timely manner in accordance with processing integrity commitments and requirements.

3. Data is processed completely, accurately, and in a timely manner as authorised in accordance with processing integrity commitments and requirements.

4. Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.

5. Solution/Service output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.

6. Modification of data is authorised, using authorised procedures in accordance with processing integrity commitments and requirements.

Page 44: Supplier And Service Provider Governance

Confidentiality Controls

No Control 1 Confidential information is protected during the Solution/Service design, development, testing, implementation, and

change processes in accordance with confidentiality commitments and requirements.

2 Confidential information within the boundaries of the Solution/Service is protected against unauthorised access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.

3 Access to confidential information from outside the boundaries of the Solution/Service and disclosure of confidential information is restricted to authorised parties in accordance with confidentiality commitments and requirements.

4 The Service Provider/Supplier obtains confidentiality commitments that are consistent with the Service Provider/Supplier’s confidentiality requirements from vendors and other third parties whose products and services comprise part of the Solution/Service and have access to confidential information.

5 Compliance with confidentiality commitments and requirements by vendors and others third parties whose products and services comprise part of the Solution/Service is assessed on a periodic and as-needed basis and corrective action is taken, if necessary.

6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the Solution/Service.


Page 45: Supplier And Service Provider Governance

Privacy Controls

No Control
1 The Service Provider/Supplier defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2 The Service Provider/Supplier provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3 The Service Provider/Supplier describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4 The Service Provider/Supplier collects personal information only for the purposes identified in the notice.

5 The Service Provider/Supplier limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The Service Provider/Supplier retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

6 The Service Provider/Supplier provides individuals with access to their personal information for review and update.

7 The Service Provider/Supplier discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8 The Service Provider/Supplier protects personal information against unauthorised access (both physical and logical).

9 The Service Provider/Supplier maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10 The Service Provider/Supplier monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.


Page 46: Supplier And Service Provider Governance

Putting Service Organisation Controls Into Practice

• The controls must be implemented and operated through specific statements of requirements about their application and use that can be verified; a requirement that cannot be evidenced cannot be audited

• Example - Organisation and Management Common Control 1: − The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.


(Diagram: how the elements of the control relate)
− The Service Provider/Supplier's organisational structures, reporting lines, authorities and responsibilities
− must be appropriately structured in relation to the Solution/Service's design, development, implementation, operation, maintenance and monitoring
− in order to comply with the requirements relating to security, availability, processing integrity and confidentiality

Page 47: Supplier And Service Provider Governance

Putting Service Organisation Controls Into Practice

• Sets of statements of requirements can be detailed or high-level

• Sets of controls need to be created for each control area

• A statement of compliance needs to be obtained from the Service Provider/Supplier

• Compliance should be verified by auditing a selected sample of the controls, not by relying on the Service Provider/Supplier's statement of compliance alone


Page 48: Supplier And Service Provider Governance

Summary

• Competence in sourcing is a core skill of the IT function

• Vendor assessment and validation during the life of the sourcing arrangement is crucial

• Sourcing should not be a “fire and forget” activity

• The Service Organisation Controls audit approach can be adapted for use by the IT function to develop an effective approach to vendor governance
