Vendor Management 101
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK
Principal, nControl, LLC
Adjunct Professor
• Presentation Overview
– Vendor Management Overview
• General
• Processes
• Financials
• Tools
• Service-Level Agreements (SLAs)
• Security & Privacy Due Diligence
• Business Continuity / Disaster Recovery
• Project-based Work Versus Staff Augmentation
– Case Studies
• SEPTA VVS
Vendor Management
• What is Vendor Management?
– Process of managing outside firms that provide
goods or services.
• A process not a procurement task.
Vendor Management
• Who Performs Vendor Management?
– Dedicated Function
• Procurement
– Shared Function
• Legal
• Project Management
• Business
• IT Security
Vendor Management
• Vendor Management Realities
– Not All Vendors Are the Same
• Cloud
• Business Process Outsourcing (BPO)
• Outside Counsel
• Staff Augmentation
– Mirrored Staff Can Really Help
• Client Project Manager = Vendor Project Manager
– Process Can Be Painful
• Divorces Usually Are!
– You Need a Written Contract Agreement
• Things Go Wrong
Vendor Management
• Vendor Management Processes
– Onboarding
• Business Case
• Project Management
– Annual Re-evaluation
• Syncs to Onboarding
– Off-boarding “the Break-up”
• Documenting Reasons Why
• Cleanup
– Badges & Physical Access
– Orphaned System Accounts & Data
Vendor Management
• Onboarding
– Business Case
• Feasibility
• Risk Assessment
• Financial Analysis
– Project Management
• Project Portfolio Mgmt (PPM), Project Mgmt Office (PMO)
• System Development Lifecycle (SDLC)
• Funding Gates: Pilot, Proof of Concept (POC)
• Procurement: Request for Proposal (RFP), Request for Info (RFI)
• Change Management: Requests, Scope, Budget, Schedule
Vendor Management
Source: Safari Books (figure)
Vendor Management
Source: NYSE Euronext (figure)
Vendor Management
Source: NYSE Euronext (figure)
Vendor Management
Source: PMI (figure)
• RFP/RFI
– RFP
• More Prevalent
• Drive Structure of Submission
• Incumbent/Separate Vendor Can Develop Materials
– RFI
• Less Prevalent
• More Iterative – Flushes Details Out
• Usually Feeds Into RFP Process
Vendor Management
• Annual Re-evaluation
– Feed Subsequent Business Cases
• Market Assessment
– Pricing Points
– Low-Cost Leader
– Time to Market
• Metrics
– Aligned with SLA
• 360° Feedback
– Lessons Learned
» Internal & External Processes
• Determine Need for Process Improvement
– RFP / RFI
– Vendor Questionnaire
Vendor Management
• Off-boarding “the Break-up”
– Documenting the Reasons Why
– Cleanup
• Badges & Physical Access
• Orphaned System Accounts & Data
Vendor Management
• Financials
– Total Cost of Ownership, TCO
• IT: ~60% Maintenance
– Return on Investment, ROI
• Internal Mandate
– Cost-Benefit Analysis, CBA
• Payback Period
– Opportunity Cost
• Expense of Choosing One Option versus Another
– Sunk Cost
• Outsourcing Does Not Yield Benefits
– Capital versus Operating (Budgets, Expenses)
Vendor Management
• Tools
– Software
• Web Services
– Custom Software Traversing Different Networks
• Vendor Management System (VMS)
– Enterprise Resource Planning (ERP) Module
» SAP Ariba eBuyer
• Change Management
• Project Management
• Business Activity Monitoring (BAM)
– Call Center Metrics
– Artifacts
• Microsoft Office® Documents
• Adobe PDF®
Vendor Management
• Tools
– Research
• Google
• Company Literature (White Papers, Presentations)
• Advisory Firms (Gartner, IDC, etc.)
Vendor Management
• SLA Overview
– What is an SLA?
– SLA Best Practices
– SLA Lifecycle
– Realistic Expectations with SLAs
Vendor Management
• What is an SLA?
– Temporal Service Contract
– Un / Negotiated Bilateral Agreement
• Dictates Service Provisions / Expectations / Metrics
• Dictates Exit / Divorce Clause(s)
• Dictates Refunds, Credits & Surcharges
• Dictates Extenuating Circumstances (Force Majeure)
– Not An End User License Agreement (EULA)
– Not An Operational-Level Agreement (OLA)
Vendor Management
• What is an SLA?
– Specific Sections
• Term
• Metrics
• Definitions (Outage, Interruption or Failure)
• Change Management for SLA
• Cause for:
– Termination
– Refund
– Surcharge
– Credit
Vendor Management
• What is an SLA?
– Specific Sections
• Cause for:
– Credit
» Threshold: Outage lasts for x hours / minutes.
» Pro-Rated: Rolling credits for downtime.
» Percentage: $ per x hours / minutes.
Vendor Management
• What is an SLA?
– Examples of Metrics
• Mean Time To Repair / Recovery (MTTR)
• Mean Time Between Failures (MTBF)
• Time To Market (TTM) / Time to Implement (TTI)
• Backlog Size
• Rework Levels
• Service Uptime / Availability
• Data Throughput
• Service Satisfaction
• Quality of Service (QoS)
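As an added example that is not part of the deck, the script below computes the availability, MTTR and MTBF metrics from this slide and the three credit models from the "Cause for: Credit" slide (threshold, pro-rated, percentage) over a constructed set of outage records. The monthly fee, the 2-hour threshold, the 10% flat credit and the $50-per-hour rate are assumed contract values, not figures from the presentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Outage:
    """One service interruption as the SLA 'Definitions' section would define it."""
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Constructed sample: three outages in a 30-day service period (not real data).
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 3, 31)
OUTAGES = [
    Outage(datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 2, 45)),     # 45 min
    Outage(datetime(2024, 3, 12, 9, 0), datetime(2024, 3, 12, 13, 0)),   # 4 h
    Outage(datetime(2024, 3, 25, 22, 0), datetime(2024, 3, 25, 23, 15)), # 75 min
]
MONTHLY_FEE = 10_000.00  # assumed contract value in dollars


def period_hours(start, end):
    return (end - start).total_seconds() / 3600


def downtime_hours(outages):
    return sum(o.duration.total_seconds() for o in outages) / 3600


def availability(outages, start, end):
    """Service uptime / availability as a percentage of the service period."""
    total = period_hours(start, end)
    return 100.0 * (total - downtime_hours(outages)) / total


def mttr_hours(outages):
    """Mean time to repair: average outage length."""
    return downtime_hours(outages) / len(outages) if outages else 0.0


def mtbf_hours(outages, start, end):
    """Mean time between failures: uptime in the period divided by failure count."""
    total = period_hours(start, end)
    return (total - downtime_hours(outages)) / len(outages) if outages else total


def credit_threshold(outages, fee, threshold_hours, credit_pct):
    """Threshold model: flat credit if any single outage lasts >= x hours."""
    breached = any(o.duration >= timedelta(hours=threshold_hours) for o in outages)
    return fee * credit_pct if breached else 0.0


def credit_pro_rated(outages, fee, start, end):
    """Pro-rated model: refund the share of the fee equal to the downtime share."""
    return fee * downtime_hours(outages) / period_hours(start, end)


def credit_percentage(outages, dollars, per_hours):
    """Percentage model: a fixed $ amount per x whole hours of accumulated downtime."""
    return dollars * (downtime_hours(outages) // per_hours)
```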
Vendor Management
• SLA Best Practices
– Use it for Vendor Selection
– Adhere to it Internally
– Leverage Change Management
– Ensure the Metrics & Definitions Are Understood
• Have an Attorney Interpret the Language / Verbiage
– Get References / Do Research
– Educate, Inform & Make Aware
– Retain All Contract Documents
Source: IBM
Vendor Management
• Realistic Expectations with SLAs
– Size Matters
– Reputation Matters
– Necessary Evil
– Vested Interest for Vendor
– Outages Happen
• Risk Mitigation Versus Risk Removal
– Everybody Loses Something In Litigation
– Most Cloud Providers' SLAs Are Not Negotiable
• Amazon, Microsoft, etc.
• Smaller Providers Cater to Custom Needs
Vendor Management
• Security & Privacy Due Diligence
– Existing Certifications / Attestations
• SAS 70 Type II / SSAE 16 SOC I-II-III / ISAE 3402
• ISO 27001 / 2
• ISO 27036
• BITS Shared Assessments
• PCI DSS
• HIPAA / HITECH
• COPPA
• US Safe Harbor
– Others
• Generally Accepted Recordkeeping Principles, GARP®
• ISO 9000 / 15489
• Capability Maturity Model Integration, CMMi
• Better Business Bureau, BBB
Vendor Management
• Security & Privacy Due Diligence
– Create Your Own Checklist
• “Have you been breached?”
• “Do you have an Information Security Officer?”
– Have an Approved Third Party Assess Them
– Place the Sales / Account Person on the Hook
• Vested Interest with Commission
Vendor Management
• Business Continuity Planning / Disaster Recovery
– SLA Should Drive Your
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
– Plans in Place?
• Add to Vendor Questionnaire
– Annual Testing
• Add to Questionnaire
• Do They Include Their Vendors?
Vendor Management
• Project-based Work Versus Staff Augmentation
– Projects
• Clearly Defined Scope
• Firm Fixed Price
• Resource Neutral
– Staff Augmentation
• Ambiguous Scope
• Hourly
• Resource Specific
– Hybrids
• Best of Both Worlds
• Case Study: SEPTA VVS
– Background
– Drivers
– Technologies
– Limitations
– Risks
– Lessons Learned
– Next Steps
Vendor Management
• Case Study: SEPTA VVS
– Background
• Southeastern PA Transit Authority
• Vehicle Video Surveillance System
• 2000+ Vehicles & Train Cars
• Phased Project
– Drivers
• 100’s of Fraudulent Injury Claims Annually
• Employee Behavior
Vendor Management
• Case Study: SEPTA VVS
– Technologies
• GE Security MobileView
• NetApp Storage Area Network (SAN)
– Limitations
• Daily MobileView Storage Capacity
• Aggregate Online Storage
Vendor Management
• Case Study: SEPTA VVS
– Risks
• Privacy Laws
• Retention Requirements
• Security Regulations
– Lessons Learned
• Understand Strategic Direction of Vendor
• Understand Ecosystem
• Subcontractors
Vendor Management
• Presentation Takeaways
– Vendor Management = Iterative Process
• Improve Over Time
– Strategy & Due Diligence Are VERY Important
• Must Consider the Business Ecosystem
Vendor Management
• References
• http://my.safaribooksonline.com/book/software-engineering-and-development/project-management/0789731975/managing-vendors/ch21lev1sec5
• Questions?
• Contact
– Email: steve@ncontrol-llc.com
– Twitter: @markes1
– LI: http://www.linkedin.com/in/smarkey