Cloud computing and IT outsourcing are enticing propositions for organizations, offering low-cost alternatives, flexibility and scalable IT solutions. However, the enticement can lead to buyer’s remorse if an organization has not properly engaged its Vendor Management Office. Without a Vendor Management Office (VMO), an organization risks having non-standard contracts as well as negotiations driven by individual business units, departments and platform owners. There is a risk of project offices engaging vendors and managing relationships to their specific needs. A VMO provides the business with strategic management of vendor relationships, particularly with service providers that offer outsourcing such as cloud computing and whose services touch all layers of the organization across multiple departments and disciplines.
Engaging a vendor with the end game in mind (the end game being audit rather than price) can help an organization proactively and strategically build the framework of a successful and potentially long-term relationship. The value of a VMO goes beyond negotiating the best possible price and extends to ensuring IT’s ability to serve the business needs. Rather than create another layer of bureaucracy, an effective VMO team will be the driving force behind standards, promoting best practices and establishing templates for contracts, negotiations and communications, and defining vendor performance metrics.
Vendor Selection and Contracts
Cloud adoption continues to grow, as evidenced in a recent InformationWeek survey of 500 executives showing that 85% are using Software as a Service in 2012, compared to 79% in 2011, and 27% are using Platform as a Service in 2012, compared to just 19% in 2011. Cloud computing presents a challenge because it is a technology and service that is still evolving, with many providers throwing their hats into the cloud computing ring. Not all cloud computing vendors are created equal, and as such, organizations must take care to properly select the third parties to whom they will entrust their data and IT services. This is where the value of a VMO can be realized. The semantics of cloud computing can be challenging to navigate, as end users, analysts and IT professionals vary in their use of cloud terminology and its meanings. As such, clear communication, documentation and understanding of the services offered and provided must be mutually agreed and adopted between the parties engaging in a cloud computing service relationship.
An effective VMO will bridge the gaps between business unit requirements and establish formalized negotiations with vendors. The VMO will facilitate collaboration among IT, finance, legal and procurement to make certain that the appropriate SLAs are established for availability and security. Additionally, the VMO will review contracts to ensure that critically important components are clearly addressed, including, but not limited to, compliance requirements, a right-to-audit clause and non-disclosure terms, so that the company’s interests are protected and the selection process will stand up in an audit.
Since cloud computing and data go hand in hand, organizations engaging in cloud services must fully understand the impact of the management of data and the roles and responsibilities for protecting and securing the data. Key factors to consider when making a move to the cloud are the use of encryption to protect data, vendor physical and data security policies, disaster recovery plans, data accessibility, data ownership, regulatory compliance and certification requirements. A VMO builds these inquiries into the standard vendor process to mitigate risk and exposure as part of the vendor risk assessment. As part of that review, cloud-based and hosted systems are evaluated on how they control access to data and systems through identity management, as well as on their data retention and destruction policies and practices. Again, with audit in mind, a VMO builds the framework for review and assessment of cloud vendors in a standard and repeatable manner to comprehensively evaluate potential data security vulnerabilities.
Cloud computing, whether adopted as public, private or hybrid, brings both risk and reward. Vendor selection and contracts are of critical importance relative to cloud computing and outsourcing of IT services. A more disciplined approach to vendor selection and management will allow the decision-makers to make sound decisions rather than spend focus and time running the process. A VMO provides the focused resources to run the process. A well-established VMO will provide confidence and integrity in those decisions by ensuring due diligence has been conducted and control measures have been put in place to improve efficiency and effectiveness. The vendor due diligence checklist a VMO will conduct should include:
- Who is responsible
- Full description of the service to be provided
- Relationship of acquired service with other assets, applications and/or systems
- Vendor responsibilities and exclusions
- Organizational responsibilities and exclusions
- Pricing (including hidden fees)
- Audit Rights/3rd Party Assessments (SAS 70 Type 2 reports)
- Business Continuity
- Business Impact Analysis
- Vendor Policies
Additionally, it must be clear that a vendor can offer solutions that will bring value to the business and help it achieve its goals and objectives. Taking the time to perform due diligence when it comes to business relationships should not be overlooked. A vendor management office provides a structure for ownership and accountability for vendor management by documenting and establishing how SLAs and contractual requirements will be monitored and measured. Disaster recovery processes and business continuity plans must also be evaluated and approved along with contingency plans related to early termination.
In the case of the National Oceanic and Atmospheric Administration’s early adoption of Google Apps in its move to the cloud, the goal of the initiative was to move seven federal agencies and three or more services to the cloud. In response to this initiative, NOAA adopted the government version of Google Apps, only to find out after implementation that it did not offer all the features and functionality required. The individuals who had evaluated and recommended Google Apps had evaluated the commercial version and did not realize or recognize that the government version did not include all the same required features and functionality, which ultimately necessitated NOAA’s switching to the commercial version. The NOAA CIO, Joe Klimavicz, cited this as a lesson learned from the migration that possibly could have been avoided if he had engaged a VMO to provide structure and guidance early during the RFP.
Legal Concerns and Compliance
Regulatory compliance and vendor certifications are critically important to IT outsourcing and cloud computing. In today’s information age, technologies are changing rapidly and access to data is unprecedented, creating new complexities and questions about corporate ethics and responsibilities. As a result, there are numerous federal and state privacy rules and regulations that organizations must navigate. To name just a few:
- Gramm-Leach-Bliley (GLB) is the law that establishes financial institutions’ requirement to protect customers’ non-public information.
- SEC Rule 17A is the law directed at brokers and dealers storing electronic records.
- FACTA protects consumer information from misuse across industries.
- Sarbanes-Oxley, or SOX, regulates financial reporting and establishes strict roles and responsibilities for the management of financial reporting.
- FRCP Rule 26 governs discovery and disclosure of information relevant to civil lawsuits.
- HIPAA protects personally identifiable health records and information.
Two very important cloud-based data protection certifications are PCI DSS and ISO/IEC 27001. PCI DSS (Payment Card Industry Data Security Standard) is the standard for any organization that manages or facilitates cardholder information from major debit, credit, prepaid, e-purse, ATM or POS cards. An external organization must validate compliance annually for companies handling large volumes of transactions. Companies running smaller volumes of transactions must also validate compliance annually, but can do so via a Self-Assessment Questionnaire (SAQ). ISO/IEC 27001 is the information security standard that formally defines a management system bringing information security under explicit management and control. Organizations can be formally audited against ISO/IEC 27001 and certified compliant.
While considering the cloud and cloud vendors, the VMO should review and vet vendors based on certifications and regulatory compliance. Furthermore, in consideration of audit concerns, it is important that the VMO evaluates the organization’s access to data and information that may be required to support an investigation, and ensures that the requirements for security breach notifications are in alignment with the organization’s governance. Ultimately, this type of due diligence conducted by the VMO ensures that, regardless of who manages the data and where it is located or stored, the organization is protected and compliant with internal governance as well as relevant laws and regulations.
Engaging with a vendor without a clear plan for how to evaluate and measure its value and success presents a risk to future accountability and conflict resolution. A vendor management office will have the focused task of developing a standard methodology for measuring performance and value by way of a vendor scorecard. Having this important information available provides standard guidelines by which decisions can be made to strengthen, continue or terminate a vendor relationship. A vendor scorecard should be objective and used for all vendors as a means to evaluate performance. A vendor management team will have the responsibility of completing the scorecards and reporting the metrics to management so that issues can be identified early, addressed swiftly and, ideally, resolved efficiently. A scorecard provides a proactive approach to maintaining healthy and long-standing business relationships. Not only does the VMO bring value in establishing better contracts and templates that are written from a position of strength, it also monitors key contract elements and periodically reviews them for compliance, providing a valued IT service to the organization.
The overall benefit of a vendor management office as it relates to cloud computing and audit compliance, and truly as part of IT Asset Management in general, is the strategic positioning it provides the organization. Again, the purpose is not to build another cumbersome layer into the process, but rather to create a standard and efficient process utilizing dedicated resources in a strategic manner that will have the most positive impact on business goals and objectives. When engaging a VMO, thresholds should be set to ensure that the “juice is worth the squeeze,” or, in other words, that the efforts are proportionate to the spend, protecting the service area from misuse.
Through the efforts of an effective and efficient VMO, an organization should experience the benefits of ITAM best practices and realize overall cost reduction, increased control of IT, improved software compliance (particularly in the area of cloud computing), improved communications between business departments and IT, improved governance compliance, and increased support and transparency relative to security and business continuity efforts.