Provider Governance
Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney
[Diagram: Business Functions, IT Function, and Suppliers and Service Providers]
Business Functions: IT needs to focus the business needs for services on appropriate suppliers.
Supplier/Service Provider selected; delivery.
IT Function: manage the supplier/service provider's delivery of the solution/service.
February 9, 2016
Service Provision/xSourcing
Externally Hosted Service/Cloud/xaaS
[Diagram: service provision/sourcing lifecycle and supporting activities]
People Management
Service Provider Evaluation
Knowledge Management
Sourcing Opportunity Analysis
Sourcing Agreement
Technology Management
Sourcing Approach
Service Transfer
Analysis and Identification
Initiation/Transition
Sourced Services Management
Threat Management
Service Delivery
Service Delivery Management and Governance
Sourcing Completion/Handover
Completion
Sourcing Governance Definition
Solution/Service And Supplier/Service Provider Evaluation Factors
Organisation Change
Sourcing Template Creation
Sourcing Measurement And Monitoring Definition
Contract Definition, Negotiation And Closing
Order Management
Contract Management
Performance Monitoring And Measurement
Service Improvement
[Diagram: Supplier/Service Provider Assessment/Validation and Specific Performance Measurement, with Common and Specific factors]
Implement and Operate
Define Service/Solution Specific Evaluation Factors
Evaluate and Score Service/Solution Using Defined Evaluation Factors
Define Service/Solution Specific Performance Measurement Factors
Measure Delivery Of Service/Solution Using Defined Evaluation Factors
Measure Delivery Of Supplier/Service Provider Using Defined Evaluation Factors
Operation Of A Service
[Diagram: Service Users; Service Delivery; Internal Operation of Service; Service Provider; Measurement of Service Delivery]
[Diagram: sourcing lifecycle phases]
Initiation/Transition
Service Delivery
Service Delivery Management and Governance
Completion
Operational Solution
[Diagram: components of an operational solution]
Software
Infrastructure
Information and Data
Use, Operational, Support and Management Teams
Operation and Support Processes and Services
Solution/Service Factors
[Diagram: factors affecting the level of supplier governance]
Split Between Product And Service
Extent Of Customisation
Implementation/Transition Effort And Time
Security, Performance, Reliability, Availability Requirements Of Product/Service
Complexity Of Product/Service
Type Of Engagement
Novelty Of Product/Service
Importance Of Product/Service
Expected/Contracted Cost
Experience And Proven Ability Of Supplier
Expected Duration Of Business Relationship
Size/Extent Of Product/Service
These dimensions affect how the supplier/service provider should be validated. They form a set of risk factors that dictate the level of supplier governance necessary:
Split Between Product And Service: the mix between pure product and services.
Extent Of Customisation.
Type Of Engagement: consulting/analysis/implementation, and the mix of services of these types.
Expected Duration Of Business Relationship: how long the service will be provided for, or is contracted for.
Importance Of Product/Service: the sensitivity and importance of the product/service to the organisation.
Expected/Contracted Cost: how much the product/service is expected to cost, or the contracted cost.
Size/Extent Of Product/Service: the amount of effort and the number of parties and stakeholders involved in or affected by the product/service.
Experience And Proven Ability Of Supplier: how experienced the supplier is in successfully delivering the product/service.
Novelty Of Product/Service: how new or well-proven the underlying technology and approach of the product/service are.
Complexity Of Product/Service: how complex the product/service is (number of components and interfaces).
Security, Performance, Reliability, Availability Requirements Of Product/Service: whether there are specific requirements of the product/service in these areas.
Implementation/Transition Effort And Time: the estimated or expected effort and time to implement or transition to the product/service.
Availability Of Skills And Experience With Product/Service: how readily available skills are within the organisation.
[Table: ITIL processes by lifecycle stage: Service Design, Service Transition, Service Operation, Continual Service Improvement]
Service Portfolio Management
Service Catalogue Management
Change Management
Event Management
Service Evaluation
Financial Management
Project Management (Transition Planning and Support)
Incident Management
Process Evaluation
Risk Management
Request Fulfilment
Capacity Management
Access Management
CSI Monitoring
Availability Management
Application Development and Customisation
Problem Management
IT Service Continuity Management
IT Operations Management
IT Security Management
Knowledge Management
IT Facilities Management
Compliance Management
IT Architecture Management
Supplier Management
Common Controls
[Diagram: control domains]
Security
Organisation and Management
Communications
Risk Management and Design and Implementation of Controls
Monitoring of Controls
System Operations
Availability
Processing Integrity
Confidentiality
Privacy
Change Management
The Service Provider/Supplier has defined organisational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the Solution/Service, enabling it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring and approving the Service Provider/Supplier's Solution/Service controls are assigned to individuals within the Service Provider/Supplier with authority to ensure policies and other solution/service requirements are effectively promulgated and placed in operation.
Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the Solution/Service affecting Security/Availability/Processing Integrity/Confidentiality have the qualifications and resources to fulfil their responsibilities.
The Service Provider/Supplier has established workforce conduct standards, implemented workforce candidate background screening procedures and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
Information regarding the design and operation of the Solution/Service and its boundaries has been prepared and communicated to authorised internal and external Solution/Service users to permit users to understand their role in the Solution/Service and the results of Solution/Service operation.
The Service Provider/Supplier's Security/Availability/Processing Integrity/Confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated Solution/Service requirements are communicated to internal Solution/Service users to enable them to carry out their responsibilities.
The Service Provider/Supplier communicates the responsibilities of internal and external users and others whose roles affect Solution/Service operation.
Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining and monitoring controls relevant to the Security/Availability/Processing Integrity/Confidentiality of the Solution/Service have the information necessary to carry out those responsibilities.
Internal and external Solution/Service users have been provided with information on how to report Security/Availability/Processing Integrity/Confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
Solution/Service changes that affect internal and external Solution/Service user responsibilities, or the Service Provider/Supplier's commitments and requirements relevant to Security/Availability/Processing Integrity/Confidentiality, are communicated to those users in a timely manner.
The design and operating effectiveness of controls are periodically evaluated against Security/Availability/Processing Integrity/Confidentiality commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
Logical access security software, infrastructure, and architectures have been implemented to support:
1 - Identification and authentication of authorised users
2 - Restriction of authorised user access to Solution/Service components, or portions thereof, authorised by management, including hardware, data, software, mobile devices, output, and offline elements
3 - Prevention and detection of unauthorised access.
New internal and external Solution/Service users are registered and authorised prior to being issued Solution/Service credentials and granted the ability to access the Solution/Service. User Solution/Service credentials are removed when user access is no longer authorised.
Internal and external Solution/Service users are identified and authenticated when accessing the Solution/Service components (for example, infrastructure, software, and data).
Access to data, software, functions, and other IT resources is authorised and is modified or removed based on roles, responsibilities, or the Solution/Service design and changes to them.
Physical access to facilities housing the Solution/Service (for example, data centres, backup media storage, and other sensitive locations, as well as sensitive Solution/Service components within those locations) is restricted to authorised personnel.
Logical access security measures have been implemented to protect against Security/Availability/Processing Integrity/Confidentiality threats from sources outside the boundaries of the Solution/Service.
The transmission, movement, and removal of information is restricted to authorised users and processes, and is protected during transmission, movement, or removal, enabling the Service Provider/Supplier to meet its commitments and requirements as they relate to Security/Availability/Processing Integrity/Confidentiality.
Controls have been implemented to prevent, or detect and act upon, the introduction of unauthorised or malicious software.
Availability Controls
1. Current processing capacity and usage are maintained, monitored, and evaluated to manage demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
2. Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
3. Procedures supporting Solution/Service recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.
Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements.
Solution/Service inputs are measured and recorded completely, accurately, and in a timely manner in accordance with processing integrity commitments and requirements.
Data is processed completely, accurately, and in a timely manner, as authorised, in accordance with processing integrity commitments and requirements.
Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.
Solution/Service output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements.
Modification of data is authorised, using authorised procedures, in accordance with processing integrity commitments and requirements.
Confidentiality Controls
1. Confidential information is protected during the Solution/Service design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
2. Confidential information within the boundaries of the Solution/Service is protected against unauthorised access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
3. Access to confidential information from outside the boundaries of the Solution/Service, and disclosure of confidential information, is restricted to authorised parties in accordance with confidentiality commitments and requirements.
4. The Service Provider/Supplier obtains confidentiality commitments that are consistent with the Service Provider/Supplier's confidentiality requirements from vendors and other third parties whose products and services comprise part of the Solution/Service and who have access to confidential information.
5. Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the Solution/Service is assessed on a periodic and as-needed basis, and corrective action is taken if necessary.
6. Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the Solution/Service.
Privacy Controls
1. The Service Provider/Supplier defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. The Service Provider/Supplier provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. The Service Provider/Supplier describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. The Service Provider/Supplier collects personal information only for the purposes identified in the notice.
5. The Service Provider/Supplier limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The Service Provider/Supplier retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information.
6. The Service Provider/Supplier provides individuals with access to their personal information for review and update.
7. The Service Provider/Supplier discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. The Service Provider/Supplier protects personal information against unauthorised access (both physical and logical).
9. The Service Provider/Supplier maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. The Service Provider/Supplier monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
[Diagram: Solution/Services and Service Provider/Suppliers must be appropriately structured]
Structured in relation to: Organisational Structures; Reporting Lines; Authorities; Responsibilities
For: Design; Development; Implementation; Operation; Maintenance; Monitoring
In order to comply with requirements relating to: Security; Availability; Processing Integrity; Confidentiality
Summary