Vendor_Mgmt_101_IIMC_v2
Vendor Management 101
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK
Principal, nControl, LLC; Adjunct Professor
• Presentation Overview
  – Vendor Management Overview
    • General
    • Processes
    • Financials
    • Tools
    • Service-Level Agreements (SLAs)
    • Security & Privacy Due Diligence
    • Business Continuity / Disaster Recovery
    • Project-based Work Versus Staff Augmentation
  – Case Studies
    • SEPTA VVS
Vendor Management
• What is Vendor Management?
  – The process of managing outside firms that provide goods or services.
  – A process, not a procurement task.
• Who Performs Vendor Management?
  – Dedicated Function
    • Procurement
  – Shared Function
    • Legal
    • Project Management
    • Business
    • IT Security
• Vendor Management Realities
  – Not All Vendors Are the Same
    • Cloud
    • Business Process Outsourcing (BPO)
    • Outside Counsel
    • Staff Augmentation
  – Mirrored Staff Can Really Help
    • Client Project Manager = Vendor Project Manager
  – The Process Can Be Painful
    • Divorces Usually Are!
  – You Need a Written Contract Agreement
    • Things Go Wrong
• Vendor Management Processes
  – Onboarding
    • Business Case
    • Project Management
  – Annual Re-evaluation
    • Syncs to Onboarding
  – Off-boarding, “the Break-up”
    • Documenting Reasons Why
    • Cleanup
      » Badges & Physical Access
      » Orphaned System Accounts & Data
• Onboarding
  – Business Case
    • Feasibility
    • Risk Assessment
    • Financial Analysis
  – Project Management
    • Project Portfolio Mgmt (PPM), Project Mgmt Office (PMO)
    • System Development Lifecycle (SDLC)
    • Funding Gates: Pilot, Proof of Concept (POC)
    • Procurement: Request for Proposal (RFP), Request for Info (RFI)
    • Change Management: Requests, Scope, Budget, Schedule
• RFP / RFI
  – RFP
    • More Prevalent
    • Drives the Structure of the Submission
    • Incumbent / Separate Vendor Can Develop Materials
  – RFI
    • Less Prevalent
    • More Iterative – Flushes Out Details
    • Usually Feeds Into the RFP Process
• Annual Re-evaluation
  – Feeds Subsequent Business Cases
  – Market Assessment
    • Pricing Points
    • Low-Cost Leader
    • Time to Market
  – Metrics
    • Aligned with SLA
  – 360° Feedback
    • Lessons Learned
      » Internal & External Processes
  – Determine Need for Process Improvement
    • RFP / RFI
    • Vendor Questionnaire
• Off-boarding, “the Break-up”
  – Documenting the Reasons Why
  – Cleanup
    • Badges & Physical Access
    • Orphaned System Accounts & Data
• Financials
  – Total Cost of Ownership (TCO)
    • IT: ~60% Maintenance
  – Return on Investment (ROI)
    • Internal Mandate
  – Cost-Benefit Analysis (CBA)
    • Payback Period
  – Opportunity Cost
    • Expense of Choosing One Option versus Another
  – Sunk Cost
    • Outsourcing Does Not Yield Benefits
  – Capital versus Operating (Budgets, Expenses)
• Tools
  – Software
    • Web Services
      » Custom Software Traversing Different Networks
    • Vendor Management System (VMS)
      » Enterprise Resource Planning (ERP) Module
        » SAP Ariba eBuyer
    • Change Management
    • Project Management
    • Business Activity Monitoring (BAM)
      » Call Center Metrics
  – Artifacts
    • Microsoft Office® Documents
    • Adobe PDF®
• Tools
  – Research
    • Google
    • Company Literature (White Papers, Presentations)
    • Advisory Firms (Gartner, IDC, etc.)
• SLA Overview
  – What is an SLA?
  – SLA Best Practices
  – SLA Lifecycle
  – Realistic Expectations with SLAs
• What is an SLA?
  – Temporal Service Contract
  – Negotiated or Un-negotiated Bilateral Agreement
  – Dictates Service Provisions / Expectations / Metrics
  – Dictates Exit / Divorce Clause(s)
  – Dictates Refunds, Credits & Surcharges
  – Dictates Extenuating Circumstances (Force Majeure)
  – Not an End User License Agreement (EULA)
  – Not an Operational-Level Agreement (OLA)
• What is an SLA?
  – Specific Sections
    • Term
    • Metrics
    • Definitions (Outage, Interruption or Failure)
    • Change Management for the SLA
    • Cause for:
      » Termination
      » Refund
      » Surcharge
      » Credit
• What is an SLA?
  – Specific Sections
    • Cause for Credit:
      » Threshold: outage lasts for x hours / minutes.
      » Pro-Rated: rolling credits for downtime.
      » Percentage: $ per x hours / minutes.
• What is an SLA?
  – Examples of Metrics
    • Mean Time To Repair / Recovery (MTTR)
    • Mean Time Between Failures (MTBF)
    • Time To Market (TTM) / Time to Implement (TTI)
    • Backlog Size
    • Rework Levels
    • Service Uptime / Availability
    • Data Throughput
    • Service Satisfaction
    • Quality of Service (QoS)
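Added example, not from the deck: it applies the "outage versus interruption" definition from the Specific Sections slide, the availability / MTTR / MTBF metrics above, and the three credit models (threshold, pro-rated, percentage) to a constructed incident log. The 30-day period, the 15-minute outage threshold, the credit rates and the incident data are all assumed illustrative values, not figures from the slides.

```python
# Added example, not from the deck: SLA metrics and the three credit models
# (threshold, pro-rated, percentage) over a constructed incident log.
# Period length, outage threshold and credit rates are assumed values.
from dataclasses import dataclass

PERIOD_MIN = 30 * 24 * 60   # 30-day measurement period (assumed)
OUTAGE_THRESHOLD_MIN = 15   # shorter events are "interruptions", not "outages" (assumed definition)

@dataclass
class Incident:
    start_min: int      # minutes after the start of the period
    duration_min: int   # downtime for this event

def sample_incidents():
    # Constructed log: one short interruption and two outages
    return [Incident(100, 5), Incident(5000, 90), Incident(20000, 30)]

def outages(incidents, threshold=OUTAGE_THRESHOLD_MIN):
    # Only events meeting the contract's outage definition count against the SLA
    return [i for i in incidents if i.duration_min >= threshold]

def downtime(incidents):
    return sum(i.duration_min for i in outages(incidents))

def availability(incidents, period=PERIOD_MIN):
    return 1 - downtime(incidents) / period

def mttr(incidents):
    o = outages(incidents)
    return downtime(incidents) / len(o) if o else 0.0

def mtbf(incidents, period=PERIOD_MIN):
    o = outages(incidents)
    return (period - downtime(incidents)) / len(o) if o else float("inf")

def credit_threshold(incidents, fee, min_hours=1, pct=0.05):
    # Flat credit (pct of fee) for each outage lasting at least min_hours
    n = sum(1 for i in outages(incidents) if i.duration_min >= min_hours * 60)
    return n * pct * fee

def credit_prorated(incidents, fee, period=PERIOD_MIN):
    # Rolling credit: share of the fee equal to the share of the period lost
    return fee * downtime(incidents) / period

def credit_percentage(incidents, fee, block_min=60, pct=0.10):
    # pct of the fee per full block of downtime, e.g. 10% per hour
    return fee * pct * (downtime(incidents) // block_min)
```

On the constructed log the same 120 minutes of downtime yields very different credits under the three models, which is why the credit definition deserves as much scrutiny as the uptime percentage.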
• SLA Best Practices
  – Use It for Vendor Selection
  – Adhere to It Internally
  – Leverage Change Management
  – Ensure the Metrics & Definitions Are Understood
  – Have an Attorney Interpret the Language / Verbiage
  – Get References / Do Research
  – Educate, Inform & Make Aware
  – Retain All Contract Documents
• Realistic Expectations with SLAs
  – Size Matters
  – Reputation Matters
  – Necessary Evil
  – Vested Interest for Vendor
  – Outages Happen
  – Risk Mitigation Versus Risk Removal
  – Everybody Loses Something in Litigation
  – Most Cloud Providers' SLAs Are Not Negotiable
    • Amazon, Microsoft, etc.
    • Smaller Providers Cater to Custom Needs
• Security & Privacy Due Diligence
  – Existing Certifications / Attestations
    • SAS 70 Type II / SSAE 16 SOC I-II-III / ISAE 3402
    • ISO 27001 / 27002
    • ISO 27036
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA / HITECH
    • COPPA
    • US Safe Harbor
  – Others
    • Generally Accepted Recordkeeping Principles (GARP®)
    • ISO 9000 / 15489
    • Capability Maturity Model Integration (CMMI)
    • Better Business Bureau (BBB)
• Security & Privacy Due Diligence
  – Create Your Own Checklist
    • “Have you been breached?”
    • “Do you have an Information Security Officer?”
  – Have an Approved Third Party Assess Them
  – Place the Sales / Account Person on the Hook
    • Vested Interest with Commission
• Business Continuity Planning / Disaster Recovery
  – The SLA Should Drive Your
    • Recovery Time Objective (RTO)
    • Recovery Point Objective (RPO)
  – Plans in Place?
    • Add to the Vendor Questionnaire
  – Annual Testing
    • Add to the Questionnaire
    • Do They Include Their Vendors?
• Project-based Work Versus Staff Augmentation
  – Projects
    • Clearly Defined Scope
    • Firm Fixed Price
    • Resource Neutral
  – Staff Augmentation
    • Ambiguous Scope
    • Hourly
    • Resource Specific
  – Hybrids
    • Best of Both Worlds
• Case Study: SEPTA VVS
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps
• Case Study: SEPTA VVS
  – Background
    • Southeastern PA Transit Authority
    • Vehicle Video Surveillance System
    • 2000+ Vehicles & Train Cars
    • Phased Project
  – Drivers
    • 100s of Fraudulent Injury Claims Annually
    • Employee Behavior
• Case Study: SEPTA VVS
  – Technologies
    • GE Security MobileView
    • NetApp Storage Area Network (SAN)
  – Limitations
    • Daily MobileView Storage Capacity
    • Aggregate Online Storage
• Case Study: SEPTA VVS
  – Risks
    • Privacy Laws
    • Retention Requirements
    • Security Regulations
  – Lessons Learned
    • Understand the Strategic Direction of the Vendor
    • Understand the Ecosystem
      » Subcontractors
• Presentation Take-Aways
  – Vendor Management = Iterative Process
    • Improve Over Time
  – Strategy & Due Diligence Are VERY Important
    • Must Consider the Business Ecosystem
• References
  – http://my.safaribooksonline.com/book/software-engineering-and-development/project-management/0789731975/managing-vendors/ch21lev1sec5
• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LinkedIn: http://www.linkedin.com/in/smarkey