Supplier and Service Provider Governance

Published on May 2016

Competence in sourcing is a core skill of the IT function. The IT function is becoming largely a manager of suppliers and service providers across a wide range of products, solutions and services. IT mediates between the business and the supplier ecosystem, acting as a lens focussing business needs on appropriate suppliers. When products and services are outsourced, the risks of the suppliers and service providers are inherited by the acquiring organisation. Sourcing should not be a “fire and forget” activity. Effective supplier selection and ongoing assessment, validation and management is an important skill for the IT function. The Service Organisation Controls audit approach can be adapted for use by the IT function to develop an approach to vendor governance.


Supplier And Service
Provider Governance

Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney

Management Of IT Suppliers And Service Providers

• Management of IT suppliers and service providers relates to the operational aspects of the sourcing relationship after the selection process
• Involves the monitoring and measurement of IT suppliers' and service providers' performance and the organisation's performance in handling suppliers and service providers
• Involves the management of risks associated with the organisation's use of suppliers and service providers
• Concerned here with the initial and ongoing supplier/service provider approach to audit, validation and assessment to reduce risk to the sourcing organisation
  − Not the validation of the functionality of the specific solution or service
February 9, 2016

2

IT Supplier And Service Provider Acquisition And Management

• The IT function is becoming largely a manager of suppliers and service providers across a wide range of products, solutions and services
• When products and services are outsourced, the risks of the suppliers and service providers are inherited by the acquiring organisation
• Effective supplier selection and ongoing assessment, validation and management is an important skill for the IT function
• Adopting a structured, repeatable, easily implemented and operated approach to this should be considered by the IT function
• Reduce the costs (and the risks) of poor supplier and service provider selection and service delivery and improve the quality of service delivery
• Ensure better control of assets and resources
• Support and enable collaboration with and innovation by suppliers and service providers where appropriate
• Vendor governance during the life of the sourcing arrangement is crucial
• Sourcing should not be a “fire and forget” activity

IT Function Facilitates The Selection Of Suppliers And Service Providers To Meet Business Needs

[Diagram: Business Functions, IT Function and Suppliers And Service Providers. IT needs to focus the business needs for services on appropriate suppliers. IT mediates between the business and the supplier ecosystem, acting as a lens focussing business needs on appropriate suppliers.]

IT Function As Mediator, Facilitator And Intermediary

[Diagram: the business function says “I want a solution/service”; the IT function replies “I understand your needs and will select an appropriate supplier/service provider” and, once the supplier/service provider is selected and delivery starts, “I manage the supplier/service provider’s delivery of the solution/service”.]

Spectrum Of Sourcing And Service Supply Arrangements

[Diagram: arrangements placed along an axis of potential duration of the sourcing and service supply arrangement: Product Supply; Support and Maintenance; Consulting; Installation and Customisation; Service Provision/xSourcing; Externally Hosted Service/Cloud/xaaS.]

Key Activities During Sourcing

[Diagram: sourcing phases of Analysis and Identification, Initiation/Transition, Service Delivery (with Service Delivery Management and Governance) and Completion, with the following activities mapped across them: Sourcing Strategy Management; Governance Management; Relationship Management; Value Management; Organisational Change Management; People Management; Knowledge Management; Technology Management; Threat Management; Sourcing Opportunity Analysis; Sourcing Approach; Sourcing Planning; Service Provider Evaluation; Sourcing Agreement; Service Transfer; Sourced Services Management; Sourcing Completion/Handover.]

Activities During Sourcing

• Full set of possible activities to be performed during the management and governance of a sourcing engagement
• Actual set of activities will depend on the profile of the sourcing engagement

IT Supplier And Service Provider Acquisition And Management – Key Focus Areas And Competencies

[Diagram of key focus areas and competencies:]
• Sourcing Strategy And Objectives Definition
• Sourcing Governance Definition
• Opportunity Identification And Business Engagement
• Sourcing Procedure And Process Definition
• Solution/Service And Supplier/Service Provider Evaluation Factors
• Organisation Change
• Sourcing Template Creation
• Supplier And Service Provider Identification, Evaluation And Selection
• Supplier And Service Provider Integration
• Sourcing Measurement And Monitoring Definition
• Contract Definition, Negotiation And Closing
• Transition And Transformation
• Supplier And Service Provider Engagement And Service Delivery
• Order Management
• Contract Management
• Supplier And Service Provider Assessment and Management
• Performance Monitoring And Measurement
• Service Improvement
• Supplier And Service Provider Risk Management
• Sourcing Termination/Transfer To Different Supplier And Service Provider
• Sourcing Strategy Evaluation And Update

IT Supplier And Service Provider Acquisition And Management – Key Focus Areas And Competencies

• Sets of skills the IT function needs to be good at to deliver on effective sourcing and acquisition
• Not all focus areas apply to all supplier and service provider types and types of sourcing relationship

IT Supplier And Service Provider Acquisition And Management – Assessment, Measurement And Validation Areas

[Diagram: the same key focus areas as on the previous slide, with the areas concerned with assessment, measurement and validation highlighted.]

IT Supplier And Service Provider Acquisition And Management – Assessment, Measurement And Validation Areas

• Assessment, measurement and validation involves both general supplier/service provider assessment and service/solution specific assessment
• General supplier/service provider assessment and validation is used to identify and reduce risk
• Assessment and measurement comprises:
  − Definition of approach
  − Implementation and operation

IT Supplier And Service Provider Acquisition And Management – Assessment, Measurement And Validation Areas

• Sourcing Measurement And Monitoring Definition – define approaches to assessing different types of suppliers and service providers and types of solution and service
• Solution/Service And Supplier/Service Provider Evaluation Factors – define solution/service specific evaluation factors
• Supplier And Service Provider Identification, Evaluation And Selection – apply solution/service specific evaluation factors to evaluate vendors and their solutions/services and apply general vendor assessment
• Supplier And Service Provider Assessment and Management – ongoing solution and service provider assessment and validation
• Performance Monitoring And Measurement – measure delivery of the specific solution/service according to defined and agreed values

Assessment, Measurement And Validation Throughout Selection And Delivery

[Diagram: matrix of Define versus Implement and Operate activities]

Solution Specific – Assessment/Validation:
  Define: Define Service/Solution Specific Evaluation Factors
  Implement and Operate: Evaluate and Score Service/Solution Using Defined Evaluation Factors
Solution Specific – Performance Measurement:
  Define: Define Service/Solution Specific Performance Measurement Factors
  Implement and Operate: Measure Delivery Of Service/Solution Using Defined Evaluation Factors
Supplier/Service Provider Common – Assessment/Validation:
  Define: Define Supplier/Service Provider Specific Evaluation Factors
  Implement and Operate: Evaluate and Score Supplier/Service Provider Using Defined Evaluation Factors
Supplier/Service Provider Common – Performance Measurement:
  Define: Define Supplier/Service Provider Specific Performance Measurement Factors
  Implement and Operate: Measure Delivery Of Supplier/Service Provider Using Defined Evaluation Factors

Concerned Here With Common Framework For Supplier/Service Provider Validation

[Diagram: the assessment, measurement and validation matrix from the previous slide, with the focus on the Supplier/Service Provider Common rows – defining supplier/service provider specific evaluation and performance measurement factors, then evaluating, scoring and measuring the supplier/service provider against them.]

Operation Of A Service

[Diagram: the Service Provider runs the Internal Operation of the Service and provides Service Delivery to the Service Users; Measurement of Service Delivery is applied to what is delivered, not to the internal operation.]

Operation Of A Service

• Acquiring organisation should not be concerned with the internals of the service – only with the results and outcomes
• Acquiring organisation should be concerned with and measure the delivery of the service using agreed performance gauges
• Acquiring organisation should audit the service provider to assess risks

Supplier Validation During Sourcing And Service Delivery

[Diagram: sourcing phases Analysis and Identification, Initiation/Transition, Service Delivery (with Service Delivery Management and Governance) and Completion; Initial Supplier Validation takes place at Initiation/Transition and Regular Supplier Re-validation continues through Service Delivery.]

• Supplier validation should be performed initially during supplier transition and regularly thereafter during the life of the sourcing arrangement
• Audit the controls put in place by the supplier/service provider and its operation to reduce the risk to the sourcing organisation

Components Of An Operational Sourced Solution

[Diagram: Operational Solution comprising Software; Infrastructure; Information and Data; Use, Operational, Support and Management Teams; Operation and Support Processes and Services.]

Components Of An Operational Sourced Solution

• Concerned here with the operational solution after it has been implemented:
  − Software – packaged and custom applications that either run or support the operation and use of the applications
  − Infrastructure – physical facilities on which the solution software runs or which enable it to run
  − Information and Data – information supplied to or generated by and stored by the solution application components
  − Use, Operational, Support and Management Teams – set of services and personnel involved in the use, operation and management of the solution or service
  − Operation and Support Processes and Services – the set of manual and automated processes related to the use, operation and management of the solution or service

Supplier And Service Provider Validation

• Supplier should expect regular validation and auditing during the lifetime of the sourcing activity

Vendor Assessment Depends On The Type Of Product/Service

• The amount of effort spent on validating suppliers and service providers should be based on the size, cost, importance and type of product/service being provided

Key Dimensions Of Solution/Service

[Diagram: Solution/Service Factors – Split Between Product And Service; Extent Of Customisation; Type Of Engagement; Expected Duration Of Business Relationship; Importance of Product/Service; Expected/Contracted Cost; Size/Extent Of Product/Service; Experience And Proven Ability Of Supplier; Novelty Of Product/Service; Complexity Of Product/Service; Security, Performance, Reliability, Availability Requirements Of Product/Service; Implementation/Transition Effort And Time; Availability Of Skills And Experience With Product/Service.]

Key Dimensions Of Solution/Service

• Dimensions affect how the supplier/service provider should be validated – set of risk factors that dictate the level of supplier governance necessary
  − Split Between Product And Service – mix between pure product and services
  − Extent Of Customisation
  − Type Of Engagement – consulting/analysis/implementation and mix of services of these types
  − Expected Duration Of Business Relationship – how long the service will be provided for or is contracted for
  − Importance of Product/Service – sensitivity and importance of product/service to the organisation
  − Expected/Contracted Cost – how much the product/service is expected to cost or the contracted cost
  − Size/Extent Of Product/Service – the amount of effort and the number of parties and stakeholders involved in or affected by the product/service
  − Experience And Proven Ability Of Supplier – how experienced the supplier is in successfully delivering the product/service
  − Novelty Of Product/Service – how new or well-proven the underlying technology and approach of the product/service is
  − Complexity Of Product/Service – how complex the product/service is – number of components and interfaces
  − Security, Performance, Reliability, Availability Requirements Of Product/Service – whether there are specific requirements of the product/service in these areas
  − Implementation/Transition Effort And Time – the estimated or expected effort and time to implement or transition to the product/service
  − Availability Of Skills And Experience With Product/Service – how readily available skills are within the organisation

Profiling The Solution/Service Governance Requirements

[Diagram: profile of the solution/service dimensions plotted against the degree of validation and governance required.]

Profiling The Solution/Service Governance Requirements

• More complex, costly, lengthy solutions/services require greater governance

Approaches To Supplier And Service Provider Validation

• ITIL – service delivery management framework
• COBIT – framework for governance and management of the IT function
• Service Organisation Controls – audit approach to supplier and service provider validation
• CMMI eSourcing Capability Model for Client Organisations (eSCM-CL) – capability model for organisations that acquire IT services

ITIL Process Structure

[Diagram: Service Management processes by lifecycle stage]
• Service Strategy – Service Portfolio Management; Financial Management
• Service Design – Service Catalogue Management; Service Level Management; Risk Management; Capacity Management; Availability Management; IT Service Continuity Management; IT Security Management; Compliance Management; IT Architecture Management; Supplier Management
• Service Transition – Change Management; Project Management (Transition Planning and Support); Release and Deployment Management; Service Validation and Testing; Application Development and Customisation; Service Asset and Configuration Management; Knowledge Management
• Service Operation – Event Management; Incident Management; Request Fulfilment; Access Management; Problem Management; IT Operations Management; IT Facilities Management
• Continual Service Improvement – Service Evaluation; Process Evaluation; Definition of CSI Initiatives; CSI Monitoring

ITIL Process Structure

• ITIL is concerned with the set of processes that may be implemented by the service provider to deliver the contracted services
• In the context of service provision, these are used by the service provider and not by the acquiring organisation
• Service provider should measure its own service performance

Service Organisation Controls

• Service Organisation Controls (SOC) originally related to auditing of financial transactions performed by third parties and the controls in place
• Work designed to be performed by the organisation’s external auditors
• Extended to cover the operation of the service and its compliance with security, availability, reliability, confidentiality and privacy
• Three reports:
  − SOC 1 – statement of financial controls only
  − SOC 2 – detailed report for internal use
  − SOC 3 – version of SOC 2 designed to be published
• Two report types:
  − Type 1 – description of the controls in place at a point in time
  − Type 2 – describes the validation tests performed and their results with historical analysis

Service Organisation Controls – History And Evolution

• 1993 – Statement on Auditing Standards (SAS) No. 70, Service Organizations
• 2008 – Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
• 2010 – Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization
• 2011 – International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization
• 2015 – Updated Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Service Organisation Controls

• This approach can be adapted and used internally by the IT function to perform initial and regular subsequent audits of suppliers

Service Organisation Controls Structure

[Diagram: Service Organisation Controls comprise Common Controls (Organisation and Management; Communications; Risk Management and Design and Implementation of Controls; Monitoring of Controls; Logical and Physical Access Controls; System Operations; Change Management) together with the areas of Security, Availability, Processing Integrity, Confidentiality and Privacy.]

Service Organisation Controls Structure

• Set of common controls to be applied across the areas of Security, Availability, Processing Integrity and Confidentiality
• Privacy controls can be separated
• Individual sets of controls defined for the areas of Security, Availability, Processing Integrity and Confidentiality
• 53 controls in total across all topics

Common Controls – Organisation and Management

1. The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
2. Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring and approving the Service Provider/Supplier’s Solution/Service controls are assigned to individuals within the Service Provider/Supplier with authority to ensure policies and other solution/service requirements are effectively promulgated and placed in operation.
3. Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the Solution/Service affecting Security/Availability/Processing Integrity/Confidentiality have the qualifications and resources to fulfil their responsibilities.
4. The Service Provider/Supplier has established workforce conduct standards, implemented workforce candidate background screening procedures and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

Common Controls – Communications

1. Information regarding the design and operation of the Solution/Service and its boundaries has been prepared and communicated to authorised internal and external Solution/Service users to permit users to understand their role in the Solution/Service and the results of Solution/Service operation.
2. The Service Provider/Supplier’s Security/Availability/Processing Integrity/Confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated Solution/Service requirements are communicated to internal Solution/Service users to enable them to carry out their responsibilities.
3. The Service Provider/Supplier communicates the responsibilities of internal and external users and others whose roles affect Solution/Service operation.
4. Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining and monitoring controls, relevant to the Security/Availability/Processing Integrity/Confidentiality of the Solution/Service, have the information necessary to carry out those responsibilities.
5. Internal and external Solution/Service users have been provided with information on how to report Security/Availability/Processing Integrity/Confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
6. Solution/Service changes that affect internal and external Solution/Service user responsibilities or the Service Provider/Supplier’s commitments and requirements relevant to Security/Availability/Processing Integrity/Confidentiality are communicated to those users in a timely manner.

Common Controls – Risk Management And Design And Implementation Of Controls

1. The Service Provider/Supplier:
   1 - Identifies potential threats that would impair the Solution/Service’s Security/Availability/Processing Integrity/Confidentiality commitments and requirements
   2 - Analyses the significance of risks associated with the identified threats
   3 - Determines mitigation strategies for those risks (including controls and other mitigation strategies).
2. The Service Provider/Supplier designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.
3. The Service Provider/Supplier:
   1 - Identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could significantly affect the Solution/Service’s system of internal control for Security/Availability/Processing Integrity/Confidentiality and reassesses risks and mitigation strategies based on the changes
   2 - Reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.

Common Controls – Monitoring Of Controls

1. The design and operating effectiveness of controls are periodically evaluated against Security/Availability/Processing Integrity/Confidentiality commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

Common Controls – Logical And Physical Access Controls

1. Logical access security software, infrastructure, and architectures have been implemented to support:
   1 - Identification and authentication of authorised users
   2 - Restriction of authorised user access to Solution/Service components, or portions thereof, authorised by management, including hardware, data, software, mobile devices, output, and offline elements
   3 - Prevention and detection of unauthorised access.
2. New internal and external Solution/Service users are registered and authorised prior to being issued Solution/Service credentials, and granted the ability to access the Solution/Service. User Solution/Service credentials are removed when user access is no longer authorised.
3. Internal and external Solution/Service users are identified and authenticated when accessing the Solution/Service components (for example, infrastructure, software, and data).
4. Access to data, software, functions, and other IT resources is authorised and is modified or removed based on roles, responsibilities, or the Solution/Service design and changes to them.
5. Physical access to facilities housing the Solution/Service (for example, data centres, backup media storage, and other sensitive locations as well as sensitive Solution/Service components within those locations) is restricted to authorised personnel.
6. Logical access security measures have been implemented to protect against Security/Availability/Processing Integrity/Confidentiality threats from sources outside the boundaries of the Solution/Service.
7. The transmission, movement, and removal of information is restricted to authorised users and processes, and is protected during transmission, movement, or removal, enabling the Service Provider/Supplier to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
8. Controls have been implemented to prevent or detect and act upon the introduction of unauthorised or malicious software.

Common Controls – System Operations

1. Vulnerabilities of Solution/Service components to Security/Availability/Processing Integrity/Confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities.
2. Security/Availability/Processing Integrity/Confidentiality incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.

Common Controls – Change Management

1. Security/Availability/Processing Integrity/Confidentiality commitments and requirements are addressed during the Solution/Service implementation lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of Solution/Service components.
2. Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the Solution/Service commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
3. Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during Solution/Service operation and monitoring.
4. Changes to Solution/Service components are authorised, designed, developed, configured, documented, tested, approved, and implemented in accordance with Security/Availability/Processing Integrity/Confidentiality commitments and requirements.

Availability Controls

1. Current processing capacity and usage are maintained, monitored, and evaluated to manage demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
2. Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
3. Procedures supporting Solution/Service recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.

Processing Integrity Controls

1. Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.
2. Solution/Service inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements.
3. Data is processed completely, accurately, and timely as authorised in accordance with processing integrity commitments and requirements.
4. Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.
5. Solution/Service output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.
6. Modification of data is authorised, using authorised procedures in accordance with processing integrity commitments and requirements.

Confidentiality Controls

1. Confidential information is protected during the Solution/Service design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
2. Confidential information within the boundaries of the Solution/Service is protected against unauthorised access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
3. Access to confidential information from outside the boundaries of the Solution/Service and disclosure of confidential information is restricted to authorised parties in accordance with confidentiality commitments and requirements.
4. The Service Provider/Supplier obtains confidentiality commitments that are consistent with the Service Provider/Supplier’s confidentiality requirements from vendors and other third parties whose products and services comprise part of the Solution/Service and have access to confidential information.
5. Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the Solution/Service is assessed on a periodic and as-needed basis and corrective action is taken, if necessary.
6. Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the Solution/Service.

Privacy Controls

1. The Service Provider/Supplier defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. The Service Provider/Supplier provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. The Service Provider/Supplier describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. The Service Provider/Supplier collects personal information only for the purposes identified in the notice.
5. The Service Provider/Supplier limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The Service Provider/Supplier retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. The Service Provider/Supplier provides individuals with access to their personal information for review and update.
7. The Service Provider/Supplier discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. The Service Provider/Supplier protects personal information against unauthorised access (both physical and logical).
9. The Service Provider/Supplier maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. The Service Provider/Supplier monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Putting Service Organisation Controls Into Practice

• The controls must be implemented and operated through specific statements of requirements about their application and use that can be verified
• Example – Organisation and Management Common Control 1:
  − The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.

[Diagram decomposing the control: the Service Provider/Supplier’s Organisational Structures, Reporting Lines, Authorities and Responsibilities must be appropriately structured in relation to the Solution/Service’s Design, Development, Implementation, Operation, Maintenance and Monitoring, in order to comply with requirements relating to Security, Availability, Processing Integrity and Confidentiality.]

Putting Service Organisation Controls Into Practice

• Sets of statements of requirements can be detailed or high-level
• Sets of controls need to be created for each control area
• A statement of compliance needs to be obtained from the Service Provider/Supplier
• Compliance should be verified through auditing of selected controls

Summary

• Competence in sourcing is a core skill of the IT function
• Vendor assessment and validation during the life of the sourcing arrangement is crucial
• Sourcing should not be a “fire and forget” activity
• The Service Organisation Controls audit approach can be adapted for use by the IT function to develop an effective approach to vendor governance
