Competence in sourcing is a core skill of the IT function. The IT function is becoming largely a manager of suppliers and service providers across a wide range of products, solutions and services. IT mediates between the business and the supplier ecosystem, acting as a lens focussing business needs on appropriate suppliers. When products and services are outsourced, the risks of the suppliers and service providers are inherited by the acquiring organisation. Sourcing should not be a “fire and forget” activity. Effective supplier selection and ongoing assessment, validation and management is an important skill for the IT function. The Service Organisation Controls audit approach can be adapted for use by the IT function to develop an approach to vendor governance.

1. Supplier And Service
Provider Governance
Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney

2. Management Of IT Suppliers And Service Providers
• Management of IT suppliers and service providers relates to
the operation aspects of the sourcing relationship after the
selection process
• Involves the monitoring and measurement of IT suppliers and
service providers performance and the organisation’s
performance in handling suppliers and service providers
• Involves the management of risks associated with the
organisation’s use of suppliers and service providers
• Concerned here with the initial and ongoing supplier/service
provider approach to audit, validation and assessment to
reduce risk to the sourcing organisation
− Not the validation of the functionality of the specific solution or service
February 9, 2016 2

3. IT Supplier And Service Provider Acquisition And
Management
• The IT function is becoming largely a manager of suppliers and service
providers across a wide range of products, solutions and services
• When products and services are outsourced, the risks of the suppliers and
service providers are inherited by the acquiring organisation
• Effective supplier selection and ongoing assessment, validation and
management is an important skill for the IT function
• Adopting a structured, repeatable, easily implemented and operated
approach to this should be considered by the IT function
• Reduce the costs (and the risks) of poor supplier and service provider
selection and service delivery and improve the quality of service delivery
• Ensure better control of assets and resources
• Support and enable collaboration with and innovation by suppliers and
service providers where appropriate
• Vendor governance during the life of the sourcing arrangement is crucial
• Sourcing should not be a “fire and forget” activity
February 9, 2016 3

4. IT Function Facilitates The Selection Of Suppliers
And Service Providers To Meet Business Needs
IT
Function
Suppliers
And
Service
Providers
IT Mediates Between the
Business and the Supplier
Ecosystem, Acting as a Lens
Focussing Business Needs on
Appropriate Suppliers
IT Needs To
Focus The
Business
Needs For
Services on
Appropriate
Suppliers
February 9, 2016 4
Business
Functions

5. IT Function As Mediator, Facilitator And
Intermediary
February 9, 2016 5
I Want A
Solution/
Service
I Understand Your Needs
And Will Select An
Appropriate Supplier/
Service Provider
Delivery
Supplier/ Service
Provider Selected
I Manage The
Supplier/ Service
Provider’s Delivery Of
Solution/ Service
IT
Function

6. Spectrum Of Sourcing And Service Supply
Arrangements
February 9, 2016 6
Potential Duration of Sourcing And Service Supply Arrangement
Product Supply
Support and Maintenance
Consulting
Installation and Customisation
Externally Hosted Service/Cloud/xaaS
Service Provision/xSourcing

7. Key Activities During Sourcing
Service Delivery
Management and
Governance
Initiation/
Transition
Service Delivery Completion
Analysis and
Identification
Sourcing Approach
Sourcing Planning
Sourcing Agreement
Service Transfer
Service Provider
Evaluation
Sourced Services
Management
Sourcing Completion/
Handover
Sourcing Strategy
Management
Governance
Management
Relationship
Management
Value Management
Technology
Management
People Management
Knowledge
Management
Organisational
Change Management
Threat Management
February 9, 2016 7
Sourcing Opportunity
Analysis

8. Activities During Sourcing
• Full set of possible activities to be performed during the
management and governance of a sourcing engagement
• Actual set of activities will depend on the profile of the
sourcing engagement
February 9, 2016 8

9. IT Supplier And Service Provider Acquisition And
Management – Key Focus Areas And Competencies
February 9, 2016 9
Sourcing Strategy And
Objectives Definition
Opportunity Identification And
Business Engagement
Supplier And Service Provider Engagement And Service Delivery
Order Management
Sourcing Termination/Transfer To Different Supplier And Service Provider
Sourcing Strategy Evaluation And Update
Sourcing Procedure And
Process Definition
Sourcing Template
Creation
Sourcing Measurement
And Monitoring
Definition
Supplier And Service Provider
Identification, Evaluation And
Selection
Contract Definition,
Negotiation And Closing
Sourcing Governance
Definition
Organisation Change Supplier And Service Provider Integration Transition And Transformation
Contract
Management
Supplier And Service
Provider Assessment
and Management
Performance
Monitoring And
Measurement
Service Improvement
Supplier And Service
Provider Risk
Management
Solution/Service And
Supplier/Service Provider
Evaluation Factors

10. IT Supplier And Service Provider Acquisition And
Management – Key Focus Areas And Competencies
• Sets of skills the IT function needs to be good at to deliver
on effective sourcing and acquisition
• Not all focus areas apply to all supplier and service
provider types and types of sourcing relationship
February 9, 2016 10

11. IT Supplier And Service Provider Acquisition And
Management – Assessment, Measurement And Validation
Areas
February 9, 2016 11
Sourcing Strategy And
Objectives Definition
Supplier And Service Provider Engagement And Service Delivery
Order Management
Sourcing Termination/Transfer To Different Supplier And Service Provider
Sourcing Strategy Evaluation And Update
Sourcing Procedure And
Process Definition
Sourcing Template
Creation
Sourcing Measurement
And Monitoring
Definition
Sourcing Governance
Definition
Organisation Change Supplier And Service Provider Integration Transition And Transformation
Contract
Management
Supplier And Service
Provider Assessment
and Management
Performance
Monitoring And
Measurement
Service Improvement
Supplier And Service
Provider Risk
Management
Opportunity Identification And
Business Engagement
Supplier And Service Provider
Identification, Evaluation And
Selection
Contract Definition,
Negotiation And Closing
Solution/Service And
Supplier/Service Provider
Evaluation Factors

12. IT Supplier And Service Provider Acquisition And
Management – Assessment, Measurement And Validation
Areas
• Assessment, measurement and validation involves both
general solution/service provider and specific
service/solution specific assessments
• General solution/service provider assessment and
validation used to identify and reduce risk
• Assessment and measurement comprises:
− Definition of approach
− Implementation and operation
February 9, 2016 12

13. IT Supplier And Service Provider Acquisition And
Management – Assessment, Measurement And Validation
Areas
• Sourcing Measurement And Monitoring Definition – define
approaches to assessing different types suppliers and service
providers and types of solution and service
• Solution/Service And Supplier/Service Provider Evaluation
Factors – define solution/service specific evaluation factors
• Supplier And Service Provider Identification, Evaluation And
Selection - apply solution/service specific evaluation factors to
evaluate vendors and their solutions/services and apply general
vendor assessment
• Supplier And Service Provider Assessment and Management –
ongoing solution and service provider assessment and
validation
• Performance Monitoring And Measurement – measure
delivery of specific solution/service according to defined and
agreed values
February 9, 2016 13

14. Assessment, Measurement And Validation
Throughout Selection And Delivery
Define Implement and
Operate
Solution
Specific
Assessment/
Validation
Define Service/Solution
Specific Evaluation Factors
Evaluate and Score
Service/Solution Using
Defined Evaluation Factors
Specific
Performance
Measurement
Define Service/Solution
Specific Performance
Measurement Factors
Measure Delivery Of
Service/Solution Using
Defined Evaluation Factors
Supplier/
Service Provider
Common
Assessment/
Validation
Define Supplier/ Service
Provider Specific Evaluation
Factors
Evaluate and Score Supplier/
Service Provider Using
Defined Evaluation Factors
Specific
Performance
Measurement
Define Supplier/ Service
Provider Specific
Performance Measurement
Factors
Measure Delivery Of
Supplier/ Service Provider
Using Defined Evaluation
Factors
February 9, 2016 14

15. Concerned Here With Common Framework For
Supplier/Service Provider Validation
Define Implement and
Operate
Solution
Specific
Assessment/
Validation
Define Service/Solution
Specific Evaluation Factors
Evaluate and Score
Service/Solution Using
Defined Evaluation Factors
Specific
Performance
Measurement
Define Service/Solution
Specific Performance
Measurement Factors
Measure Delivery Of
Service/Solution Using
Defined Evaluation Factors
Supplier/
Service Provider
Common
Assessment/
Validation
Define Supplier/ Service
Provider Specific
Evaluation Factors
Evaluate and Score
Supplier/ Service Provider
Using Defined Evaluation
Factors
Specific
Performance
Measurement
Define Supplier/ Service
Provider Specific
Performance Measurement
Factors
Measure Delivery Of
Supplier/ Service Provider
Using Defined Evaluation
Factors
February 9, 2016 15

16. Operation Of A Service
February 9, 2016 16
Internal
Operation of
Service
Service
Provider
Service
Delivery
Service Users
Measurement of
Service Delivery

17. Operation Of A Service
• Acquiring organisation should not be concerned with the
internals of the service - only with the results and
outcomes
• Acquiring organisation should be concerned with and
measure the delivery of the service using agreed
performance gauges
• Acquiring organisation should audit the service provider to
assess risks
February 9, 2016 17

18. Supplier Validation During Sourcing And Service
Delivery
• Supplier validation should be performed initially during
supplier transition and regularly thereafter during the life of
the sourcing arrangement
• Audit the controls put in place supplier/ service provider and
the operation to reduce the risk to the sourcing organisation
February 9, 2016 18
Service Delivery
Management and
Governance
Initiation/
Transition
Service Delivery Completion
Analysis and
Identification
Initial Supplier Validation
Regular Supplier Re-validation

19. Components Of An Operational Sourced Solution
February 9, 2016 19
Operational Solution
Software Infrastructure
Information
and Data
Use,
Operational,
Support and
Management
Teams
Operation
and Support
Processes and
Services

20. Components Of A Operational Sourced Solution
• Concerned here with the operational solution after it is
has been implemented:
− Software – packaged and custom applications that either run or
support the operation and use of the applications
− Infrastructure – physical facilities on which the solution software
runs or which enable it to run
− Information and Data – information supplied to or generated by
and stored by the solution application components
− Use, Operational, Support and Management Teams – set of
services and personnel involved in the use, operation and
management of the solution or service
− Operation and Support Processes and Services – the set of
manual and automated processes related to the use, operation
and management of the solution or service
February 9, 2016 20

21. Supplier And Service Provider Validation
• Supplier should expects regular validation and auditing
during the lifetime of the sourcing activity
February 9, 2016 21

22. Vendor Assessment Depends On The Type Of
Product/Service
• The amount of effort spent on validating suppliers and
service providers should be based on the size, cost,
importance and type of product/service being provided
February 9, 2016 22

23. Key Dimensions Of Solution/Service
February 9, 2016 23
Solution/
Service
Factors
Split Between
Product And
Service Extent Of
Customisation
Type Of
Engagement
Expected Duration
Of Business
Relationship
Importance of
Product/ Service
Expected/
Contracted Cost
Size/ Extent Of
Product/ Service
Experience And
Proven Ability Of
Supplier
Novelty Of
Product/ Service
Complexity Of
Product/ Service
Security,
Performance,
Reliability,
Availability
Requirements Of
Product/ Service
Implementation/
Transition Effort
And Time
Availability Of Skills
And Experience
With Product/
Service

24. Key Dimensions Of Solution/Service
• Dimensions affect how the supplier/service provided should be validated – set of risk
factors that dictate the level of supplier governance necessary
− Split Between Product And Service – mix between pure product and services
− Extent Of Customisation
− Type Of Engagement – consulting/ analysis/ implementation and mix of services of these types
− Expected Duration Of Business Relationship – how long with the service be provided for or is contracted
for
− Importance of Product/ Service – sensitivity and importance of product/service to the organisation
− Expected/ Contracted Cost – how much the product/service is expected to cost or the contracted cost
− Size/ Extent Of Product/ Service – the amount of effort and the number of parties and stakeholders
involved in or affected by the product/service
− Experience And Proven Ability Of Supplier – how experienced is the supplier in successfully delivering
the product/service
− Novelty Of Product/ Service – how new or well-proven is the underlying technology and approach of the
product/service
− Complexity Of Product/ Service – how complex is the product/service – number of components and
interfaces
− Security, Performance, Reliability, Availability Requirements Of Product/ Service – are there specific
requirements of the product/service in these areas
− Implementation/ Transition Effort And Time – what is the estimated or expected effort and time to
implement or transition to the product/service
− Availability Of Skills And Experience With Product/ Service – how readily available are skills within the
organisation
February 9, 2016 24

25. Profiling The Solution/Service Governance
Requirements
February 9, 2016 25
Degree of
Validation
and
Governance
Required

26. Profiling The Solution/Service Governance
Requirements
• More complex, costly, lengthy solutions/services require
greater governance
February 9, 2016 26

27. Approaches To Supplier And Service Provider
Validation
• ITIL – service delivery management framework
• COBIT – framework for governance and management of
the IT function
• Service Organisation Controls – audit approach to supplier
and service provider validation
• CMMI eSourcing Capability Model for Client
Organisations (eSCM-CL) – capability model for
organisations that acquire IT services
February 9, 2016 27

28. ITIL Process Structure
February 9, 2016 28
Service Management
Service Strategy
Service Portfolio
Management
Financial Management
Service Design
Service Catalogue
Management
Service Level Management
Risk Management
Capacity Management
Availability Management
IT Service Continuity
Management
IT Security Management
Compliance Management
IT Architecture
Management
Supplier Management
Service Transition
Change Management
Project Management
(Transition Planning and
Support)
Release and Deployment
Management
Service Validation and
Testing
Application Development
and Customisation
Service Asset and
Configuration Management
Knowledge Management
Service Operation
Event Management
Incident Management
Request Fulfilment
Access Management
Problem Management
IT Operations Management
IT Facilities Management
Continual Service
Improvement
Service Evaluation
Process Evaluation
Definition of CSI Initiatives
CSI Monitoring

29. ITIL Process Structure
• ITIL is concerned with the set of processes that may be
implemented by the service provider to deliver the
contracted services
• In the context of service provision, these are used by the
service provider and not by the acquiring organisation
• Service provider should measure its own service
performance
February 9, 2016 29

30. Service Organisation Controls
• Service Organisation Controls (SOC) originally related to auditing of
financial transactions performed by third-parties and the controls in
place
• Work designed to performed by the organisation’s external auditors
• Extended to cover the operation of the service and its compliance
with security, availability, reliability, confidentiality and privacy
• Three reports:
− SOC 1 – statement of financial controls only
− SOC 2 – detailed report for internal use
− SOC 3 – version of SOC2 designed to be published
• Two report types:
− Type 1 – description of the controls in place at a point in time
− Type 2 – describes the validation tests performed and their results with
historical analysis
February 9, 2016 30

31. Service Organisation Controls – History And
Evolution
• 1993 – Statement on Auditing Standards (SAS) No. 70, Service
Organizations
• 2008 – Trust Services Principles and Criteria for Security,
Availability, Processing Integrity, Confidentiality, and Privacy
• 2010 – Standards for Attestation Engagements (SSAE) 16,
Reporting on Controls at a Service Organization
• 2011 – International Auditing and Assurance Standards Board
(IAASB) issued International Standard on Assurance
Engagements (ISAE) 3402, Assurance Reports on Controls at a
Service Organization
• 2015 – Updated Trust Services Principles and Criteria for
Security, Availability, Processing Integrity, Confidentiality, and
Privacy
February 9, 2016 31

32. Service Organisation Controls
• This approach can be adapted and used internally by the IT
function to perform initial and regular subsequent audits
of suppliers
February 9, 2016 32

33. Service Organisation Controls Structure
Service
Organisation
Controls
Common Controls
Organisation and
Management
Communications
Risk Management
and Design and
Implementation of
Controls
Monitoring of
Controls
Logical and Physical
Access Controls
System Operations
Change
Management
Security Availability Processing Integrity Confidentiality Privacy
February 9, 2016 33

34. Service Organisation Controls Structure
• Set of common controls to be applied across the areas of
Security, Availability, Processing Integrity and
Confidentiality
• Privacy controls can be separated
• Individual sets of controls defined for the areas of Security,
Availability, Processing Integrity and Confidentiality
• 53 controls in total across all topics
February 9, 2016 34

35. Common Controls – Organisation and Management
No Control
1 The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for
the design, development, implementation, operation, maintenance and monitoring of the Solution/Service enabling it to
meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring and
approving the Service Provider/Supplier’s Solution/Service controls are assigned to individuals within the Service
Provider/Supplier with authority to ensure policies and other solution/service requirements are effectively promulgated
and placed in operation.
3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the
Solution/Service affecting Security/Availability/Processing Integrity/Confidentiality have the qualifications and resources
to fulfil their responsibilities.
4 The Service Provider/Supplier has established workforce conduct standards, implemented workforce candidate
background screening procedures and conducts enforcement procedures to enable it to meet its commitments and
requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
February 9, 2016 35

36. Common Controls – Communications
No Control
1 Information regarding the design and operation of the Solution/Service and its boundaries has been prepared and
communicated to authorised internal and external Solution/Service users to permit users to understand their role in the
Solution/Service and the results of Solution/Service operation.
2 The Service Provider/Supplier’s Security/Availability/Processing Integrity/Confidentiality commitments are
communicated to external users, as appropriate, and those commitments and the associated Solution/Service
requirements are communicated to internal Solution/Service users to enable them to carry out their responsibilities.
3 The Service Provider/Supplier communicates the responsibilities of internal and external users and others whose roles
affect Solution/Service operation.
4 Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining and
monitoring controls, relevant to the Security/Availability/Processing Integrity/Confidentiality of the Solution/Service
have the information necessary to carry out those responsibilities.
5 Internal and external Solution/Service users have been provided with information on how to report
Security/Availability/Processing Integrity/Confidentiality failures, incidents, concerns, and other complaints to
appropriate personnel.
6 Solution/Service changes that affect internal and external Solution/Service user responsibilities or the Service
Provider/Supplier’s commitments and requirements relevant to Security/Availability/Processing
Integrity/Confidentiality are communicated to those users in a timely manner.
February 9, 2016 36

37. Common Controls – Risk Management And Design
And Implementation Of Controls
No Control
1 The Service Provider/Supplier:
1 - Identifies potential threats that would impair Solution/Service’s Security/Availability/Processing
Integrity/Confidentiality commitments and requirements
2 - Analyses the significance of risks associated with the identified threats
3 - Determines mitigation strategies for those risks (including controls and other mitigation strategies).
2 The Service Provider/Supplier designs, develops, and implements controls, including policies and procedures, to
implement its risk mitigation strategy.
3 The Service Provider/Supplier:
1 - Identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could
significantly affect the Solution/Service of internal control for Security/Availability/Processing
Integrity/Confidentiality and reassesses risks and mitigation strategies based on the changes
2 - Reassesses the suitability of the design and deployment of control activities based on the operation and
monitoring of those activities, and updates them as necessary.
February 9, 2016 37

38. Common Controls – Monitoring Of Controls
Number Control
1 The design and operating effectiveness of controls are periodically evaluated against
Security/Availability/Processing Integrity/Confidentiality commitments and requirements, corrections and other
necessary actions relating to identified deficiencies are taken in a timely manner.
February 9, 2016 38

39. Common Controls – Logical And Physical Access
Controls
No Control
1 Logical access security software, infrastructure, and architectures have been implemented to support:
1 - Identification and authentication of authorised users
2 - Restriction of authorised user access to Solution/Service components, or portions thereof, authorised by
management, including hardware, data, software, mobile devices, output, and offline elements
3 - Prevention and detection of unauthorised access.
2 New internal and external Solution/Service users are registered and authorised prior to being issued Solution/Service
credentials, and granted the ability to access the Solution/Service. User Solution/Service credentials are removed when
user access is no longer authorised.
3 Internal and external Solution/Service users are identified and authenticated when accessing the Solution/Service
components (for example, infrastructure, software, and data).
4 Access to data, software, functions, and other IT resources is authorised and is modified or removed based on roles,
responsibilities, or the Solution/Service design and changes to them.
5 Physical access to facilities housing the Solution/Service (for example, data centres, backup media storage, and other
sensitive locations as well as sensitive Solution/Service components within those locations) is restricted to authorised
personnel.
6 Logical access security measures have been implemented to protect against Security/Availability/Processing
Integrity/Confidentiality threats from sources outside the boundaries of the Solution/Service.
7 The transmission, movement, and removal of information is restricted to authorised users and processes, and is protected
during transmission, movement, or removal enabling the Service Provider/Supplier to meet its commitments and
requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorised or malicious
software.
February 9, 2016 39

40. Common Controls – System Operations
No Control
1 Vulnerabilities of Solution/Service components to Security/Availability/Processing Integrity/Confidentiality breaches
and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are
implemented to compensate for known and new vulnerabilities.
2 Security/Availability/Processing Integrity/Confidentiality incidents, including logical and physical security breaches,
failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance
with established incident response procedures.
February 9, 2016 40

41. Common Controls – Change Management
No Control
1 Security/Availability/Processing Integrity/Confidentiality commitments and requirements, are addressed, during the
Solution/Service implementation lifecycle including design, acquisition, implementation, configuration, testing,
modification, and maintenance of Solution/Service components.
2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the Solution/Service
commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are
identified during Solution/Service operation and monitoring.
4 Changes to Solution/Service components are authorised, designed, developed, configured, documented, tested,
approved, and implemented in accordance with Security/Availability/Processing Integrity/Confidentiality commitments
and requirements.
February 9, 2016 41

42. Availability Controls
No Control
1 Current processing capacity and usage are maintained, monitored, and evaluated to manage demand and to enable the
implementation of additional capacity to help meet availability commitments and requirements.
2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed,
implemented, operated, maintained, and monitored to meet availability commitments and requirements.
3 Procedures supporting Solution/Service recovery in accordance with recovery plans are periodically tested to help meet
availability commitments and requirements.
February 9, 2016 42

43. Processing Integrity Controls
No Control
1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and
requirements.
2 Solution/Service inputs are measured and recorded completely, accurately, and timely in accordance with processing
integrity commitments and requirements.
3 Data is processed completely, accurately, and timely as authorised in accordance with pro-cessing integrity commitments
and requirements.
4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity
commitments and requirements.
5 Solution/Service output is complete, accurate, distributed, and retained in accordance with processing integrity
commitments and requirements.
6 Modification of data is authorised, using authorised procedures in accordance with processing integrity commitments and
requirements.
February 9, 2016 43

44. Confidentiality Controls
No Control
1 Confidential information is protected during the Solution/Service design, development, testing, implementation, and
change processes in accordance with confidentiality commitments and requirements.
2 Confidential information within the boundaries of the Solution/Service is protected against unauthorised access, use, and
disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments
and requirements.
3 Access to confidential information from outside the boundaries of the Solution/Service and disclosure of confidential
information is restricted to authorised parties in accordance with confidentiality commitments and requirements.
4 The Service Provider/Supplier obtains confidentiality commitments that are consistent with the Service
Provider/Supplier’s confidentiality requirements from vendors and other third parties whose products and services
comprise part of the Solution/Service and have access to confidential information.
5 Compliance with confidentiality commitments and requirements by vendors and others third parties whose products and
services comprise part of the Solution/Service is assessed on a periodic and as-needed basis and corrective action is
taken, if necessary.
6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and
other third parties whose products and services are included in the Solution/Service .
February 9, 2016 44

45. Privacy Controls
No Control
1 The Service Provider/Supplier defines documents, communicates, and assigns accountability for its privacy policies and
procedures.
2 The Service Provider/Supplier provides notice about its privacy policies and procedures and identifies the purposes for
which personal information is collected, used, retained, and disclosed.
3 The Service Provider/Supplier describes the choices available to the individual and obtains implicit or explicit consent with
respect to the collection, use, and disclosure of personal information.
4 The Service Provider/Supplier collects personal information only for the purposes identified in the notice.
5 The Service Provider/Supplier limits the use of personal information to the purposes identified in the notice and for which
the individual has provided implicit or explicit consent. The Service Provider/Supplier retains personal information for only
as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately
disposes of such information.
6 The Service Provider/Supplier provides individuals with access to their personal information for re-view and update.
7 The Service Provider/Supplier discloses personal information to third parties only for the purposes identified in the notice
and with the implicit or explicit consent of the individual.
8 The Service Provider/Supplier protects personal information against unauthorized access (both physical and logical).
9 The Service Provider/Supplier maintains accurate, complete, and relevant personal information for the purposes
identified in the notice.
10 The Service Provider/Supplier monitors compliance with its privacy policies and procedures and has procedures to
address privacy-related complaints and disputes.
February 9, 2016 45

46. Putting Service Organisation Controls Into Practice
• The controls must be implemented and operated through specific
statements of requirements about their application and use that can
be verified
• Example - Organisation and Management Common Control 1:
− The Service Provider/Supplier has defined organisational structures, reporting
lines, authorities, and responsibilities for the design, development,
implementation, operation, maintenance and monitoring of the
Solution/Service enabling it to meet its commitments and requirements as
they relate to Security/Availability/Processing Integrity/Confidentiality.
February 9, 2016 46
Service Provider/Supplier’s
• Organisational Structures
• Reporting Lines
• Authorities
• Responsibilities
Solution/Service’s
• Design
• Development
• Implementation
• Operation
• Maintenance
• Monitoring
Requirements
Relating To
• Security
• Availability
• Processing Integrity
• Confidentiality
Must Be
Appropriately
Structured In
Relation To
In Order To
Comply
With

47. Putting Service Organisation Controls Into Practice
• Sets of statements of requirements can be detailed or
high-level
• Sets of controls need to be created for each control area
• A statement of compliance needs to be obtained from the
Service Provider/Supplier
• Compliance should be verified through auditing of selected
ones
February 9, 2016 47

48. Summary
• Competence in sourcing is a core skill of the IT function
• Vendor assessment and validation during the life of the
sourcing arrangement is crucial
• Sourcing should not be a “fire and forget” activity
• The Service Organisation Controls audit approach can be
adapted for use by the IT function to develop an effective
approach to vendor governance
February 9, 2016 48