Professional Documents
Culture Documents
MANAGEMENT
Using COBIT® 5
ISACA®
With more than 110,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and
IT leaders maximize value and manage risk related to information and technology. Founded in 1969,
the nonprofit, independent ISACA is an advocate for professionals involved in information security,
assurance, risk management and governance. These professionals rely on ISACA as the trusted source
for information and technology knowledge, community, standards and certification. The association,
which has 200 chapters worldwide, advances and validates business-critical skills and knowledge through
the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security
Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and
Information Systems ControlTM (CRISCTM) credentials. ISACA also developed and continually updates
COBIT®, a business framework that helps enterprises in all industries and geographies govern and manage
their information and technology.
Disclaimer
ISACA has designed and created Vendor Management: Using COBIT® 5 (the “Work”) primarily as an
educational resource for security, governance and assurance professionals. ISACA makes no claim
that use of any of the Work will assure a successful outcome. The Work should not be considered
inclusive of all proper information, procedures and tests or exclusive of other information, procedures
and tests that are reasonably directed to obtaining the same results. In determining the propriety of
any specific information, procedure or test, security governance and assurance professionals should
apply their own professional judgment to the specific circumstances presented by the particular
systems or information technology environment.
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any
means (electronic, mechanical, photocopying, recording or otherwise) without the prior written
authorization of ISACA. Reproduction and use of all or portions of this publication are permitted
solely for academic, internal and noncommercial use and for consulting/advisory engagements, and
must include full attribution of the material’s source. No other right or permission is granted with
respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
ISBN: 978-1-60420-344-8
Vendor Management: Using COBIT® 5
3
Acknowledgments
ISACA Wishes to Recognize:
Development Team
Serge Cauberghs, PwC, Belgium
Maxim Deweerdt, PwC, Belgium
Stefanie Grijp, PwC, Belgium
Bart Peeters, CISA, PwC, Belgium
Sven Van Hoorebeeck, CISA, PwC, Belgium
Work Group
Stephen Buraczynski, CCBSO, CCBTO, NVE Bank, USA
Sami Kaukinen, CISM, CISSP, Finland
Sujatha Nambisan, CISA, NeST Information Technologies Pvt., Ltd., India
Anne Maria Yrjana, CISA, CRISC, Tieto Finland, Finland
Nikolaos Zacharopoulos, CISA, CRISC, CISSP, DeutschePost-DHL, Germany
Expert Reviewers
Jennifer Bayuk, CISA, CISM, CGEIT, CISSP, Jennifer Bayuk LLC., USA
Russell K. Fairchild, CISA, CRISC, CISSP, PMP, SecureIsle, USA
Kenneth H. Newman, CISM, CRISC, PMP, ITIL/ITSM, Central Pacific Bank, USA
Yogendra Rajput, Gujarat Gas Company Ltd., India
Anantha Sayana, CISA, CISM, CIA, Larsen & Toubro, Ltd., India
Claudio Schicht, CISA, CGEIT, ITIL, PMP, Independent Consultant, Argentina
Joanne De Vito De Palma, MBA, BCMM, The Ardent Group LLC., USA
Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Vodafone, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Acknowledgments (cont.)
Guidance and Practices Committee
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Exp, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, CISSP, Deloitte, USA
James Seaman, CISM, CRISC, A. Inst. IISP, CCP, QSA, RandomStorm Ltd., UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CRISC, CISSP, DeutschePost–DHL, Germany
Table of Contents
Chapter 1. Introduction..............................................................................................9
Background............................................................................................................9
Purpose of This Publication..................................................................................9
Who Should Use This Guide?...............................................................................9
Scope and Approach............................................................................................10
Appendix D. D
rafting the Contract: High-level Legal Checklist
for Non-legal Stakeholders................................................................97
Appendix K. E
xample SLA Back Office Services...............................................157
Appendix L. H
igh-level Mapping of COBIT 5 and
ITIL V3 for Vendor Management...................................................171
Acronyms ................................................................................................................173
Glossary...................................................................................................................175
List of Figures
Figure 1—Life Cycle of the Contractual Relationship..............................................12
Figure 2—Bidding Document Comparison................................................................14
Figure 3—Vendor Management RACI Chart.............................................................16
Figure 4—Financial Impact of Inadequate Vendor Management...............................24
Figure 5—Financial Impact of Adequate Vendor Management.................................25
Figure 6—Initial Case Solution..................................................................................41
Figure 7—Three-tier Framework................................................................................43
Figure 8—Information Items in the Vendor Relationship Life Cycle........................45
Figure 9—SLA Issues.................................................................................................49
Figure 10—SLA Common Pitfalls.............................................................................50
Figure 1—Cloud Service Models (in Security Considerations for
Cloud Computing).....................................................................................55
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT® 5
for Information Security (in Security Considerations for
Cloud Computing).....................................................................................74
Figure 11—Vendor Selection Dashboard Example....................................................87
Figure 12—Vendor Score Example............................................................................88
Figure 13—Graphic Representation of Vendor Score Example.................................89
Figure 14—Call for Tender Checklist.........................................................................95
Figure 15—Service Level Agreement (SLA) Spider Diagram Example ................125
Figure 16—SLA Checklist.......................................................................................129
Chapter 1. Introduction
Background
Vendor management includes the process of managing third parties that deliver
IT services and products to the enterprise to maximize benefits and reduce
associated risk. This process requires significant effort from both the enterprise
and the vendor; therefore, IT vendor management often focuses on strategic
client-vendor relationships that play a vital role in the enterprise’s daily operations.
These relationships can have significant impact on the success of strategic projects
and may generate substantive financial implications.
Strategic client-vendor relationships can encompass significant risk to the enterprise and
should be managed rigorously. Although guidance on third-party management is available
in process APO10 Manage suppliers in COBIT® 5: Enabling Processes1, this publication
on vendor management provides additional and more detailed practical guidance and
facilitates the vendor management process for IT and business professionals. Vendor
Management: Using COBIT® 5 complements COBIT® 5: Enabling Processes.
1
ISACA, COBIT® 5: Enabling Processes, USA, 2012
Personal Copy of: Mr. Cosmin Ionascu
10 Vendor Management: Using COBIT® 5
This publication provides practical guidance for all stakeholders involved in the
vendor management process, from the board and C-level executives (e.g., chief
executive officer [CEO], chief financial officer [CFO], to business professionals,
supporting functions (e.g., compliance, legal, risk, procurement) and IT.
This publication describes the vendor management process and its activities and
then presents the most common threats, risk and mitigation actions. A detailed case
study is provided to show the potential consequences of faulty vendor management.
Practical sample templates and checklists are also provided to help during
implementation of the concepts presented in this publication.
Most enterprises seek external vendor support for assistance with operations for one
of the following reasons:
• Vendor expertise—The enterprise needs expert knowledge or a broader
perspective and experience with similar enterprises to effectively and efficiently
handle certain activities.
• Vendor capacity—The enterprise does not have the resources to handle the work
related to a specific product or service. The vendor can supply the resources to
support the entire operation or to supplement in-house resources.
• Vendor assuming risk—The enterprise outsources activities to leverage a
vendor’s experience with operational risk and corresponding risk mitigation
services. However, the accountability for the adequate performance of those
activities can never be delegated and stays with the enterprise.
• Vendor leveraging scale—Vendors can offer services at a lower cost because
working for multiple customers allows vendors to leverage scale.
Engaging third parties to provide strategic products or services comes with specific
threats and risk. These are further discussed in chapter 3. Threats and Risk Related
to Vendor Management. The first action to mitigate vendor-related risk is to
establish an effective vendor management process with goals and objectives that
ensure the following:
• Vendor management strategy is consistent with enterprise goals.
• Effective cooperation and governance models are in place.
• Service, quality, cost and business goals are clear.
• All parties perform as agreed.
• Vendor risk is assessed and properly addressed.
• Vendor relationships are working effectively, as measured according to
service objectives.
The life cycle of the contractual vendor relationship can be divided into four phases,
as shown in figure 1. Each phase typically consists of a number of activities.
Contract Change
Management
Setup
During the first phase of the contractual vendor relationship life cycle, setup of
the contractual relationship, the enterprise focuses on gathering product or service
requirements from different stakeholders, e.g., business units, legal, compliance
and IT. The main challenge in the first phase of the process is to organize the
requirements into a clearly understandable document on which all parties agree.
The requirements document serves as the basis for the call for tender, which is sent
to the market. A call for tender may include one step or many, depending on the
guidelines established in the sourcing strategy, the size of the sourcing organization,
and the complexity of the product or service being sought. Some enterprises prefer
to send out a request for information (RFI) before the call for tender to identify
candidates and competencies in the market. The outcome of the RFI serves to better
scope the request for proposal (RFP) in terms of potential candidates, technologies,
delivery models, etc. When the enterprise has a clear understanding of the product
or service needed and market options, a request for quote (RFQ) can be sent out to
invite vendors to present their options. Some enterprises send an RFP directly to
vendors, explaining the required products or services and requesting formal offers
from available candidates. Figure 2 illustrates the main differences among the three
bidding documents.
After receiving responses from candidates, the enterprise evaluates them based on
predetermined evaluation criteria and weighting factors and composes a short list of
qualified vendors with which to start negotiations. Vendor selection is based on the
extent to which the vendor meets defined requirements (i.e., service time delivery,
price ranges, communication system, geographic location, training aids, etc.), a
demonstrated ability to deliver high-quality products and services, and interest in
developing long-term relationships. After the short list is finalized, negotiations
with the best-qualified vendors begin. It is recommended to short-list at least two
vendors to have a contingency solution if negotiations with a particular vendor fail.
Contract
In the second phase of the contractual vendor relationship life cycle, the enterprise
and the vendor develop a contract that specifies the details of their business
relationship. This contract accomplishes the following:
• Forms a common understanding of what needs to be achieved
• Defines all deliverables, relevant service levels and metrics
• Defines responsibilities and obligations
• Defines the terms and conditions
• Specifies how risk will be allocated between parties
• Defines legal counsel and jurisdiction stipulations
Good practices dictate that the enterprise have contract templates that can be used
during this phase to ensure that final contracts are in compliance with enterprise
policies and objectives. Using a vendor-provided contract is not recommended
because it may favor the vendor and put the enterprise at a disadvantage.
Often, the contract phase is not executed properly, mainly due to time constraints
and eagerness to get to the operations phase. An example is when an enterprise is
changing vendors and proceeds through the process as fast as possible. This haste
could increase the risk of incumbent demotivation or problems with phasing out
buildings and equipment. However, as explained in chapters 3 and 4, it is critical
to invest the appropriate time and resources to negotiate and document the contract
because this can have substantial business (financial) and legal impact in a later
phase of the relationship cycle.
Operations
The third phase of the contractual vendor relationship life cycle, operations, begins
with a transition-in period, in which the vendor starts delivering new products
or services to the enterprise or takes over operations from another vendor or IT
group. After delivery responsibility is fully assumed by the new vendor, operational
collaboration is initiated and management activities commence to guide the
relationship toward the goals set in the second phase.
When the contract with a current vendor is near expiration or marked for
termination, the vendor selection process starts. Before moving to the
transition-out phase, the enterprise should select a replacement. Once the setup and
contract phases for the new vendor are completed and a new vendor is engaged, the
old vendor starts the transition-out phase, which includes transfer of knowledge and
resources, as needed.
Transition-out
At some point in time, there will most likely be a transition-out phase in the
contractual vendor relationship life cycle. When the vendor is no longer needed
or willing to deliver contracted products or services, arrangements are made to
facilitate the phaseout, preferably in combination with a transfer of knowledge,
data, systems and operations to a new vendor or back in-house. Often, during
contract negotiations, little effort is invested in describing and planning an exit
strategy because of the difficulty in foreseeing how business, people and technology
might evolve. The business case that is explained in chapter 3 demonstrates the
importance of having a defined and documented exit strategy that describes
activities and conditions to ensure business continuation.
C-level Executives
The C-level executive who is accountable for the vendor management process
depends on the scale of outsourcing. When the scope and impact of products and
services are limited to IT, the chief information officer (CIO) is often accountable
for the execution of the contractual vendor relationship life-cycle phases. When the
scope also includes the business, the CIO provides oversight and coordination of
all responsible parties and supports other C-level executives in the decision-making
processes. The CIO provides oversight to ensure that:
• Contract objectives do not conflict among vendors, products and services.
• Contracts comply with internal policies.
• Contracts are managed properly.
• Service level agreements (SLAs) are met.
The CFO is responsible for the enterprise budget, after it is approved by the board;
therefore, the CFO should approve the budget that is available for IT vendors. The
CFO should be at least consulted for the following responsibilities:
• Drafting the call for tender to validate budget specifications
• Negotiating with multiple vendors
• Agreeing on the final vendor contract
The CEO and CFO should be informed of vendor performance during the
operations phase.
in the vendor management life cycle in addition to IT and procurement. Some key
responsibilities of business process owners include:
• Providing business requirements
• Consolidating stakeholder requirements and making sure they are validated and
approved by all parties
• Evaluating potential vendors using specific business knowledge and expertise
• Providing input for contract specifications (e.g., service levels and
transition-out specifications)
Procurement
Many responsibilities within the vendor management life cycle belong to the
procurement function. Involving sourcing professionals from the beginning of
the process enables them to support business units, IT and compliance during
the selection and contract management processes. Following are some key
responsibilities of procurement:
• Help business process owners consolidate business requirements from
various stakeholders.
• Help IT consolidate IT-related requirements.
• Prepare and send out the call for tender.
• Gather vendor offers.
• Facilitate the vendor evaluation process.
• Facilitate vendor negotiations.
• Facilitate contract management activities.
Legal
To effectively mitigate vendor-related risk, the legal function should be involved
throughout the entire vendor management life cycle. Assigning ownership of certain
tasks creates commitment and a close collaboration with the other stakeholders. Key
responsibilities of the legal function include:
• Provide input regarding service requirements, from a legal point of view.
• Consolidate legal requirements and make sure that they are validated and approved
by the other stakeholders.
• Provide boilerplate standard contract language for important legal and
compliance provisions.
• Evaluate potential vendors using specific legal knowledge and expertise.
• Draft the contract, taking into account and reviewing the specifications provided
by other stakeholders.
Risk Function
The risk function should be consulted throughout the vendor management life
cycle to obtain a complete view on risk that is related to the relationship, services
or products. During the setup and contract phases, the risk function provides
requirements to mitigate potential risk. Potential risk during the operations phase is
addressed within the enterprise risk framework, based on information provided by
the business units and the enterprise risk appetite.
If the vendor environment, business model, products or services change, the risk
function initiates an assessment to identify and address new risk. After the risk
assessment is completed, the enterprise identifies controls that are required to
minimize newly identified risk and updates related documentation (e.g., business
impact analyses, business continuity plans [BCPs], disaster recovery plans [DRPs],
insurance policies and the risk framework).
IT
All stakeholders share the responsibility of the vendor management process to
ensure that products and services received from the vendor support enterprise goals
within risk tolerances. However, the IT role is significant because its members may
be more familiar with the products and services and their market availability. Key
responsibilities of IT include the following:
• Identifying potential vendors, products and services
• Providing input regarding requirements for products and services from an IT
point of view
• Providing input associated with baseline standard requirements and
architectural limitations
• Providing expectations associated with good practices and defined
architectural boundaries
• Providing information practices, such as information ownership and co-location
requirements, partnership arrangements and employee checking
• Consolidating the previous inputs and ensuring that they are validated and
approved by all stakeholders
• Evaluating potential vendors using specific IT knowledge and expertise
• Providing input for contract specifications (e.g., transition-in specifications,
transition-out specifications and service metrics)
• Monitoring, reporting and managing vendor performance during operations
Security
Although security is often associated with the IT stakeholder, security is regarded
as a separate stakeholder because it does not always reside within the IT function
and can be involved with other functions as well as IT. Security is responsible for
the following:
• Providing input regarding security requirements for products and services
• Providing input associated with baseline security standard requirements
Human Resources
The HR stakeholder should be consulted throughout the vendor management life
cycle to ensure compliance with the enterprise’s worker statutes, local regulations,
code of conduct and labor law.
Recent research2 reveals that approximately one out of five enterprises (19 percent)
does not invest sufficient effort to manage vendors and vendor-provided services
effectively. This means, e.g., that enterprise requirements and standards are not
properly incorporated into vendor contracts, ownership of information being
handled by vendors remains undefined and, if these vendors go out of business,
access to retrieve this information is not guaranteed.
This research finds that almost 70 percent of enterprises have some awareness about
vendor management and incorporate some requirements into IT vendor contracts,
but do little to nothing to determine whether their vendors comply with terms
specified in the contracts and even less to determine if they are at risk because of
their vendors, often until it is too late.
Following are the most common vendor management threats and related risk
components (financial, operational, legal/compliance and reputational):
T1 Vendor selection:
– Description—The threat of inadequate vendor selection may result during
the operations phase in the nonfulfillment of core vendor contractual
obligations. Proper due diligence before closing the contract can help
mitigate this risk and provide the enterprise with a better view on the long-
term delivery capabilities and sustainability of the vendor.
– Risk—Failure to conduct adequate vendor selection exposes the enterprise to
a financial risk in the form of the considerable costs associated with replacing
the vendor, potential revenue loss and ineffectiveness of financial penalties.
Operational risk includes the inability to operate a certain part of the delivered
service to meet the enterprise goals and the inability to obtain adequate skilled
2
I T Policy Compliance Group, “Vendor Risk Management for IT,” May 2012, Wellington Research Ltd,
www.itpolicycompliance.com/wp-content/uploads/2012/05/Vendor-Risk-Management-May-2012.pdf
Personal Copy of: Mr. Cosmin Ionascu
22 Vendor Management: Using COBIT® 5
resources. Image and market share loss are considerable reputational risk
elements. Legal risk is situated around labor issues and lawsuits.
Risk affected—Financial, operational, reputational and legal/compliance
T2 Contract development:
– Description—An incomplete contract, not covering all the aspects of
the relationship that need to be managed up front, is a major threat to the
sustainability of the contractual relationship.
– Risk—Neglecting to detail payment terms and price-setting mechanisms is a
major financial risk associated with this threat. Related to the financial risk,
but also operational in nature, is requiring unrealistic or inadequate service
levels from the vendor, which results in overengineered solutions and high
prices or underutilization of resources and lost business opportunities. Other
operational risk includes missing end-of-life management stipulations (exit
strategies) in the contract or inappropriately communicating requirements
(not clear and measurable) to the vendor. Legal/compliance risk could
arise when the contract fails to detail liabilities or does not stipulate any
intellectual property rights or specifications on the use, disposal, and
distribution of software and data.
Risk affected—Financial, operational and legal/compliance
T3 Requirements
– Description—The threat of inadequately setting up and detailing the
requirements can have a huge impact on the proper execution of the service
by the vendor.
– Risk—Enterprises tend to focus on solutions instead of defining the
requirements and giving freedom to the vendor to propose the optimal
solution. This could lead to operational (e.g., failing service), financial
(e.g., revenue loss due to failing service), legal (e.g., disputes with vendor
due to not meeting the requirements) and reputational (e.g., unwanted
rumors, image and/or market share loss due to the inability to provide a
service to clients) issues in the long run. Insufficiently detailing reporting
requirements and the right to audit may also expose the enterprise to
an operational risk (e.g., unawareness of the performance of the service
delivery).
Risk affected—Financial, operational, reputational and legal/compliance
T4 Governance
– Description—A lack of governance during the contractual vendor
relationship life cycle can be considered a major threat to proper
vendor management.
– Risk—Failure to define an adequate governance model between the
enterprise and the vendor increases operational and compliance risk. Also
related to a lack of governance is ineffective contract change management
procedures during the contract life cycle, which increases operational risk
(e.g., ineffective execution of the service due to misaligned incentives) and
financial risk (e.g., paying a price that is too high for the desired level of
service provisioning).
Risk affected—Financial, operational and legal/compliance
T5 Strategy
– Description—The enterprise vendor management strategy has considerable
impact on the enterprise’s business activities.
– Risk—Over reliance on a specific vendor, especially for business-critical
tasks, increases operational risk (e.g., lack of in-house knowledge and
demotivation of employees) and, consequently, financial risk (e.g., vendor
can over price its service due to the enterprise’s dependence on the vendor).
Considerable attention must be paid to the applicable law in the vendor’s
physical location, especially with offshore vendors and contracted cloud
computing services, because these regulations can expose the enterprise to
increased legal risk.
Risk affected—Financial, operational and legal/compliance
The financial impact on the enterprise of inadequate vendor management during the
life cycle of the contractual vendor relationship varies depending on the phase (see
chapter 2). During the setup phase, most activities related to vendor management
are internal. This means that minimal financial impact is experienced when an issue
occurs. It is important to note that, during this stage, enterprises are likely to cut
corners to speed up the process, which may result in significant financial impact
during subsequent phases.
In the contract phase, more internal and external stakeholders are involved and
negotiations need to be more formal. Therefore, rectifying issues or correcting
mistakes may require more effort and resources than during the setup phase. If,
during the contract phase, it is discovered that requirements were not properly
defined during setup, certain steps may need to be repeated. Even if no immediate
financial impact is expected due to duplication of efforts, it is recommended that
additional effort be spent during setup to finalize requirements and develop a robust
contract agreement.
The amount of effort and resources required to correct issues or mistakes during
the transition-in period and the operations phase is significantly higher. Problems
in the contract or deficiencies in products and services due to poor requirements
definition should be addressed immediately to prevent additional impact on
operations. These emergency changes may come with a high price for the enterprise
and the additional risk of disrupting processes, depending on the products or
services impacted. Figure 4 is a graphic representation of financial impact over the
contractual vendor relationship life cycle.
Money
Time
Operations
Setup
Out
In
Contract
Investing more time up front, before signing the contract and during contract
negotiations, is clearly worth the effort. Figure 5 is a graphic representation of
the financial impact of adequate vendor management. The red area in the figure
represents the additional financial input that the enterprise needs to spend in the
setup and contract phases to make sure all identified risk and requirements are
addressed and included in the contract. This can reduce effort and cost during
the transition-in period and the operations and transition-out phases, as shown by
the green area in figure 5. Comparing the green area (the money saved in later
phases) with the red area (the money spent in earlier phases) shows clearly that
the green area outweighs the red area, and significant savings can be realized
by investing sufficient time and resources in the preparation phases. Moreover,
smooth operations increase the perception of good vendor performance within the
enterprise, thereby improving the image of the IT organization.
Simply put, spending time and effort during the beginning of the life cycle and
having qualified resources to manage the third party properly will pay off during
the operational phases of the relationship.
Money
Time
Operations
Setup
Out
In
Contract
Managing vendors has many benefits. Some of the benefits reported by enterprises
that have mature processes include the following:
• Data loss reduction
• Decrease in audit findings
• Cost optimization
• Increased availability
• Liability reduction
• Increased end-user satisfaction
• Value creation
This section describes the major mitigation actions related to the previously described
threats and risk. With the implementation of these mitigation actions, the impact and
probability of a risk event can be greatly reduced. However, residual risk may still
exist, and periodic evaluation of vendor management actions is always advised.
Sustainability and success of the relationship are also greatly influenced by the
vendor employees’ ability to adapt to the culture and behavior of the enterprise,
especially for situations where they are required to work on enterprise
premises. Disputes can arise if these employees are not sensitive to specific
behaviors within the enterprise, which may result in high turnover and customer
dissatisfaction.
• Related guidance in COBIT 5:
– Process: APO10 Manage suppliers
– Enabler: People, Skills and Competencies
6. Use standard documents and templates:
• Related threat—T2
• Mitigation—Good practice dictates that an enterprise have standard documents
and templates that can be used during the life cycle to ensure that they comply
with enterprise policies and objectives. Using vendor-provided documents
and templates is not recommended because they may favor the vendor and put
the enterprise at a disadvantage. An example of a call for tender template is
available in appendix B, and an SLA template is available in appendix F.
• Related guidance in COBIT 5:
– Process: APO09 Manage service agreements
– Enabler: Information
3
xamples include Certified Information Systems Auditor (CISA) and Certified Information Security
E
Manager (CISM) from ISACA, and Certified Information Systems Security Professional (CISSP)
from (ISC)2.
Personal Copy of: Mr. Cosmin Ionascu
30 Vendor Management: Using COBIT® 5
However, this does not mean that technical boundaries can never be defined.
On the contrary, existing technical architectures should be considered to
define limitations and help vendors to better define solutions. In specific
cases, the request can be linked to specific technologies, such as operating
– When problems arise, a properly drafted contract may enable the vendor to
provide fast incident resolution and correction. However, damage may not
be completely avoidable and liability issues may be revealed afterward. That
is why both parties should specify in the contract the liabilities that each
is willing to assume and the insurance available to cover incidents. This
information provides a clear view of the risk that both parties are assuming. It
is good practice to define liability caps to avoid expenditures that could lead
to bankruptcy.
– An indemnification clause should be included in the contract to protect the
enterprise from legal issues related to the vendor performing the contract. An
indemnity clause is very important to ensure that the enterprise is not liable
for another party’s wrongdoing. An indemnification clause is usually referred
to as a “hold harmless” clause where the third party assumes the risk and
offers legal protection from any action arising out of the signed contract.
– A change clause should be included in the contract. During the contract life
cycle, several factors can change or influence the way products or services
are delivered. There may be changes to the service model, pricing, risk or
even legislative requirements. These must be incorporated into contracts
and deliverables. The resulting financial and other implications need to be
approved by both parties before becoming effective. Any significant change
should be negotiated properly before the contract can be modified to reflect
the new agreement.
– When no clause is included in the original contract to guide changes,
negotiations between parties may be difficult and unpleasant. Change clauses
should describe the following:
. How to process changes
. What can be changed
. When changes can be processed
. Who has authority to request and approve changes
. Limits to how much change is allowed
– The best time to negotiate and establish contract change procedures is during
the setup phase. When the vendor is fully integrated with the enterprise and
has developed knowledge and efficiencies, negotiations can be extremely
difficult if there are no formal policies and procedures to follow. This contract
weakness can allow vendors to take advantage of the situation and ask for
premium fees for extra services or for changes to the current contract.
• Related guidance in COBIT 5:
– Processes: APO11 Manage quality, APO12 Manage risk
– Enabler: Information
10. Determine the adequate security and controls needed during the relationship:
• Related threat—T4, T2
• Mitigation—Contracts should contain specifications that are related to
the ownership of the assets that are considered intellectual property of the
enterprise, such as data, information, software programs, manuals and other
written documents. Throughout its life cycle, data ownership should be
specified in the contract to avoid any disputes when contracted services are
terminated. For example, the vendor may provide some proprietary software
to enable the service contracted. This software may require enterprise data to
be stored in the vendor’s database to support operations. What happens to the
ultimate disposition of the data, log files, reports, etc., in the case of contract
termination should be determined by the ownership terms included in the
agreement. If the enterprise fails to include ownership terms in the contract,
the vendor may require additional fees to return data and related assets.
During service delivery, the vendor may have access to confidential data
and information. To ensure privacy, security, integrity and confidentiality of
data and information, the enterprise should enforce vendor compliance with
enterprise policies and procedures regarding these matters. The enterprise
should become familiar with the vendor’s policies and procedures, determine
which are more robust, and enforce those. Some vendors may consider
security part of their core services, thus, they may have stronger policies and
procedures. If this is the case, then the enterprise will benefit from enforcing
vendor controls.
The enterprise remains responsible for limiting access to its data. Vendor
access should be extended to data that are needed to deliver the required
services, but no more than that. For example, when working with a database,
the vendor should have access to only the section of the database where
necessary data are stored, not the entire database. In cases where the vendor is
managing data on behalf of the enterprise, security and privacy considerations
must be stipulated in the contract to ensure that the enterprise has a clear
understanding of the following:
– Who will have access to the data
– Where data will be stored
– Backup procedures
– Procedures for destroying data
– Data retention policies
– Capability and willingness to support e-discovery
To facilitate and standardize this evaluation process, the enterprise can use
tools such as a strengths, weaknesses, opportunities and threats (SWOT)
analysis; root cause analysis; or any risk assessment framework.
• Related guidance in COBIT 5:
– Processes: APO09 Manage service agreements, APO10 Manage suppliers,
MEA01 Monitor, evaluate and assess performance and conformance
– Enabler: Information
14. Establish a penalties and reward model with the vendor:
• Related threat—T2
• Mitigation—Establish a detailed penalties and reward model, in line with the
risk and rewards that the vendor is facing for the service provisioning. More
guidance on integrating a penalties and reward model SLA can be found in
chapter 5. Binding Documents, in the section on SLAs.
• Related guidance in COBIT 5:
– Processes: APO09 Manage service agreements, APO10 Manage suppliers
15. Conduct adequate vendor relationship management during the life cycle:
• Related threat—T4
• Mitigation—Providing transparency throughout the contract life cycle, from
the first moment of interaction between the vendor and the enterprise until
the termination of the relationship, is a key element to the success of the
collaboration. This mitigation action has been discussed throughout this
publication. The transparency on budget from the vendor side was discussed
in the call for tender section. Creating transparency, on the pricing strategy
from the vendor and the parameters affecting the price, is described in the
case study at the end of this chapter and more precisely by the proposed
three-tier framework. The transparency from the enterprise on the precise
services expected is also included in the case study. The good practice of
providing transparency on performance (vendor side) and performance
evaluation (metrics and evaluation results on the enterprise side) is explained
in the sections about SLAs, in chapter 5.
• Related guidance in COBIT 5:
– Processes: APO08 Manage relationships, APO10 Manage suppliers
– Enabler: Ethics, Culture and Behaviour
16. Review contracts and SLAs on a periodic basis:
• Related threat—T4
•Mitigation—Define a periodic interval for review of contracts and SLAs to
confirm ongoing validity. The interval frequency can depend on the kind of
contract, e.g., duration or value, or the number of parties involved. Validity
needs to be verified because changes to the service model, pricing, risk or
legislative requirements may occur and will have to be incorporated into the
contract or SLA.
4
SMART metrics are Specific, Measurable, Attainable, Relevant and Timely.
Personal Copy of: Mr. Cosmin Ionascu
Chapter 4. Vendor Managemnt Risk Mitigation Actions 39
It is also important to describe how the relationship will come to an end. For
example, a determination should be made as to whether the discontinuation
of services will be gradual (in which the vendor provides support during the
transition-out period) or complete (in which all vendor activities stop at once).
Vendor obligations relative to transfer of knowledge, deliverables or services
to another vendor or to the enterprise should also be defined. These are
important items to discuss and agree on beforehand because, at the end
of the relationship, there is little incentive for the outgoing vendor to do a
proper transfer, unless it is contractually settled and failure to do so may
incur penalties.
Other provisions that should be included in the contract that are related to the
transition-out phase include:
– Buy-back arrangements for equipment and software and a formula for price
determination
– Transfer of relevant subcontractor contracts and leases (e.g., maintenance
and licensing contracts)
– Transfer of data, data structures and methodologies
– Transfer of staff
– Support during the transition
• Related guidance in COBIT 5:
– Processes: APO09 Manage service agreements; APO10 Manage suppliers;
APO12 Manage risk
– Enablers: Services, Infrastructure and Applications; People, Skills and
Competencies; Information
21. Use a vendor management system:
• Related threat—T1, T2, T3, T4
• Mitigation—Depending on the number of vendors, it is good practice to
implement an IT system to store critical information on vendors, such as
order information, contract and SLA information, and billing information.
Most medium-to-high-end vendor management systems also allow for easier
tracking of vendor performance by monitoring KPIs and generating reports
with automatic warning signals.
Background
The IT department of Company ABC has been managing the entire set of business
applications as well as the supporting network infrastructure spread over numerous
European countries.
As a future goal, Company ABC wants to improve the availability and security of
the applications pool and business continuity capabilities. To achieve these targets,
the strategic vision of Company ABC focuses on increasing the maturity of IT
processes to a defined level over a five-year time frame.
As part of Company ABC’s vision, the decision was made to outsource the entire IT
operation and infrastructures.
Initial Solution
After sending out a call for tender, Company ABC received several offers. The
solution that was selected was a large-scale consortium of different companies
that would provide the services in the scope. The agreement was that Company
ABC would be in contact only with an SPoC for all matters related to the contract.
This SPoC would then coordinate with the responsible parties of the consortium,
as shown in figure 6. The consortium’s scope was to take over everything that
Company ABC was doing in-house for IT at that point in time. This included
providing help desk support to all locations, hosting the infrastructure and running
all processes, namely:
• Application life-cycle management
• Testing
Personal Copy of: Mr. Cosmin Ionascu
Chapter 4. Vendor Managemnt Risk Mitigation Actions 41
Company SPoC
ABC
Consortium of
different companies
What Happened?
It took only a short period of time to realize that the alignment between Company
ABC’s business objectives and the way the consortium had implemented the
solution was inadequate.
The first indication was the volume of request for change (RFC) requests, and,
more specifically, the way they were executed in the change management process,
which created a large and unexpected workload for the change manager function.
It was determined that this problem was the result of poorly defined workload
expectations and unclear roles and responsibilities. Company ABC was not precise
when defining the commitment that was expected from the consortium to handle
workloads in a timely manner.
In this case, the lack of information caused the consortium to define a delivery
cost model that was misaligned with enterprise expectations. The work-unit cost
per problem charged by the consortium to the enterprise was well below the actual
cost incurred by the consortium. It was evident that the consortium was sustaining
heavy losses when performing problem management. After absorbing the losses
for a while, the consortium stopped focusing on solving problems even when this
behavior incurred penalties. The consortium calculated the cost/charge/penalty
ratios of problem management and decided that ignoring problems was financially
beneficial for them, even if it failed to support Company ABC’s targets.
Some of the frustration with having to interface with companies of the consortium
could have been avoided if Company ABC had clearly stated the interfaces and
communications flows and had a strong consortium agreement that would have
kept discussions internal to the consortium. A solution for the inadequate financial
evaluation is proposed in the following “lessons learned” section, in the form of a
three-tier framework.
Lessons Learned
From the first discussions, both parties need to be clear on the roles and responsibilities
they expect from each other and agree on these together. The enterprise’s requirements
need to be clearly defined and the enterprise must make sure that these requirements
are understood in the same way by the vendor. In addition to making roles and
responsibilities clear, it is pertinent that the process and communication flows also be
clear so that people know when action is expected from them.
A proposed three-tier framework is shown in figure 7. In the client input section, the
enterprise provides the key parameters that influence the service, e.g., volumes, locations,
service specifications. In the second section of the framework, the vendor defines the
delivery model, which includes any dependencies on the parameters set in the client input
section. By proceeding this way, the vendor creates transparency for the enterprise to
understand which deliverables the vendor will provide, how cost will be calculated, and
what parameters will impact cost. In the cost model section, a price per service or work
unit (defined by the enterprise) can be determined.
Working with the three-tier framework allows for flexibility and scalability. When
parameters change or the values of key parameters change, the vendor has a solid
basis to renegotiate with the enterprise because it is easy to show the impact that the
changes will have on the cost model, via the delivery model. This could help alleviate
frustration and ensures that pricing is no longer an unknown algorithm. The important
consideration here is to include a formal change management process in the original
contract to allow change to the client input and delivery model sections at a later stage
in the relationship (e.g., when key parameters change).
As good practice, the enterprise can provide the vendor with all relevant client
inputs and impose the cost model, i.e., impose a price per deliverable, as part of the
call for tender. This allows the various participating vendors to propose a delivery
model. In doing so, the enterprise will gain insight into the operating model of
each vendor and a better basis of comparison among proposals. For example, for
the setup of a help desk, a vendor from the enterprise’s home country may have a
price per call that is half a foreign vendor’s price per call. However, if the enterprise
includes in the client input a parameter that requires operations in three different
countries, the local vendor’s price per call may be three times more expensive than
the foreign vendor’s price, making the latter a more viable option.
Client Input
• The enterprise defines the key parameters affecting the product or service provisioning.
• The enterprise provides input on the values of the key parameters.
Delivery Model
• The vendor’s solution architects design a delivery model that takes into account the parameters
from the client input.
• The result of the model is a detailed overview of all the products and services that the vendor will
deliver, the total cost, and transparent detail on the influence that parameters have on cost.
This results in the following cost model, detailing the full price: (100 × Y ) × 2.3 × 1.4 = Z
Total cost = Z
Cost Model
• In the cost model, a detailed price per service activity or work unit is determined as it will be
delivered and charged to the client.
The most important binding documents are discussed in the remainder of this chapter.
Templates and sample structures for selected items are provided in the appendices.
Practical guidance on what should be included in a call for tender is available in
appendix B. A high-level legal checklist for nonlegal stakeholders is included in
appendix D, which provides an overview of what legal elements should be taken into
account when drafting a vendor contract. A sample SLA is provided in appendix H.
It is not always clear which documents are binding. In addition to the information
items shown in figure 8, other documents may be binding and have an impact on
the relationship, such as the following:
• Answers from question-and-answer sessions
• Further clarifications document
• Initial proposal
• Presentations
• Best and final offer (BaFO)
A call for tender is the process in which the enterprise requests from potential
vendors a proposal to provide specific services. A call for tender may include one
step or several, depending on the guidelines established in the sourcing strategy,
Regardless of the number of steps, the call for tender should always make three
elements clear to the vendor:
1. The enterprise context and more specific information on the enterprise IT
governance and management
2. The requested services that the enterprise wants to acquire. It is vital to detail
these service requirements as precisely as possible to enable the vendor to
prepare an adequate offer.
3. The expected roles and responsibilities for the service requirements. Setting
clear expectations in the call for tender phase provides a basis for negotiations,
guarantees that a topic is not overlooked, and may help to avoid confusion or
discussions in a later stage of the collaboration.
Vendor Contract
The enterprise should detail in the vendor contract, among other factors, the
following items:
• Fees
• Roles and responsibilities
• Deliverables
• Workflows
• Fallback procedures
• Penalty and reward mechanisms
• Confidentiality of information
• Intellectual property
• Transition-out procedures
Furthermore, the contract must conform to enterprise standards and legal and
regulatory requirements. Given the differences among local regulations, positive
opportunities as well as negative consequences of the local context should be
considered. A high-level legal checklist for non-legal stakeholders is included in
appendix D.
Another portion of the contract should include the SLA, with specific service levels
and metrics that have been accepted by the vendor. For more information, see the
Service Level Agreements section in this chapter.
The most important inputs for the contract are detailed requirements (business,
IT, compliance, HR, security and legal), the vendor proposal, and the vendor
risk assessment. The vendor risk assessment needs to be completed during the
selection process and should include potential tangible and intangible impacts
that the enterprise could experience. Potential risk related to the products or
services required should also be evaluated and addressed by defining service level
requirements and contingency procedures to mitigate possible vendor failure.
Enterprise rules and policies should be shared with the selected vendor to create
awareness about the internal control environment and requirements for compliance.
Important documents include the following:
• Enterprise strategy
• Information security policy
• Physical and environmental security policy
• Access control policy
• List of applicable laws and regulations
The vendor should provide assurance of compliance prior to initiating the operations
phase. Sometimes, it is recommended to include some of these requirements in
the call for tender to ensure that the vendor will have the capabilities necessary to
comply, before starting negotiations.
Different kinds of contracts exist regarding price structure. All vendor contracts can
be classified into one of the following types:
• Time and means (T&M) contracts—The vendor provides resources per
specifications, and payment is based on the performed work hours and used means.
• Fixed-price contracts (FPC)—The completion or performance of certain tasks
per specifications is expected for payment of a fixed price.
• Hybrid contracts—These contracts are a blend of FPC and T&M contracts.
The type of contract also determines partially where the risk center of gravity is
shifted. An FPC shifts more of the financial risk to the vendor as the vendor needs
to complete a task within a fixed fee. A T&M contract shifts more of the financial
risk to the enterprise and is more difficult for the enterprise to manage.
This section discusses the purpose, structure, pitfalls and benefits of SLAs. Sample
SLAs are provided in appendices F and H. Appendix G contains a checklist of items
to include when drafting an SLA.
SLAs Defined
An SLA is an agreement, preferably documented, between a product or service
provider and the enterprise that defines minimum performance targets for a
deliverable and how they will be measured and reported.
SLAs should:
• Contain precise definitions of services and service terms.
• Include performance levels, performance measures, quality levels and error rates,
service constraints, recharging prices and service charge adjustments.
• Be included in an appendix to the contract and referenced in the master agreement.
• Specify the period of time for which the SLA is valid, the circumstances under
which it can be terminated and how changes can be made.
• Match what the enterprise needs and is prepared to pay for. Setting unreasonably
high SLAs may lead to excessive service costs. Exceeding SLAs is an indication
of potentially paying for more than requested.
SLA levels are often categorized into bronze, silver and gold classes:
• Bronze—Modest service level targets to guarantee basic availability and support
for noncritical systems
• Silver—Standard service levels in the industry and recommended for initial
discussions with the business
• Gold—Aggressive service levels to prevent any unscheduled downtime of critical
systems that could impact customer operations or end users
The enterprise wants to • Turning every operational metric into an SLA can result
in excessive bureaucracy, additional management cost
measure too much. and increased risk of incentivizing undesirable behavior.
The enterprise has no • Some SLAs clearly describe the service to be measured,
experience with how to use but they neglect to include how and when the actual
a particular SLA. calculations should occur.
When drafting an SLA, two critical parts should be included. The first part
includes the identification of services and performance metrics, as outlined in the
following steps:
1. Scope services and identify the service users.
2. Identify service descriptions and constraints:
• Be certain to define service deliverables because these are what the
enterprise buys.
• Clearly define service boundaries.
3. Collect and analyze service element data:
• Determine what can be measured.
4. Initiate performance definition:
• Design service measures that reflect the enterprise requirements.
• Define achievable delivery standards.
5. Review data, quality and performance:
• Determine current and required service levels.
• Continue to evaluate SLAs as services and requirements change.
The second part of the SLA discusses processes related to SLA governance and
change management. It describes how service effectiveness will be tracked, e.g.,
through monthly meetings; how information will be reported and addressed,
e.g., through SLA scorecards; and how penalties will be structured. Furthermore,
this second part explains how changes to the SLA are to be managed. SLA reviews
should follow if the environment changes, expectations or key parameters change,
better metrics or measurement tools are available, wrong behavior is detected, etc.
Changing an SLA involves contractual changes and can potentially have significant
financial impacts; therefore, vendor pricing may also need to be revisited.
The enterprise should not try to impose unrealistic or unreasonable service levels
that result in excessive penalties when the vendor fails to meet them. Unrealistic
expectations and excessive penalties may cause the relationship to deteriorate,
leaving both parties with a bitter feeling about the situation and sometimes leading
to a complete cessation of service. Moreover, requiring very high service levels may
lead to overengineered solutions and high prices.
The opposite of defining unrealistic service levels is defining service levels that are
below the levels required to meet business goals. Defining realistic expectations
may require some up-front work; however, it is critical for the enterprise to define
the service levels that will enable the enterprise to succeed. Inadequate service
levels may lead to underutilization of resources and missed business opportunities
when the full potential of the service is not realized.
Confusing words are those that can be interpreted in different ways by different
people. Words such as “around,” “approximately,” “no more,” “less than,” “normal”
and “best effort” are words or expressions that are open for interpretation. These
words and others like them are not appropriate and should be avoided, especially
when setting goals and defining metrics. Good practice is to always use SMART
terminology, as follows:
• Specific—Describe the purpose in a clear and concrete way. It should be an
observable action, behavior or outcome to which a number, amount, percentage or
other quantitative data can be connected.
• Measurable—There must be a system, method or procedure for determining the
extent to which the target at any given time has been reached. A SMART goal is
always normative: It is a measure of the quality of the effort.
• Attainable—Targets should be attainable, otherwise the risk exists that motivation
to reach the target is lost and the target is not pursued. Setting attainable goals can
be done by actively involving people in choosing and formulating the objectives.
It is important to empower them during the process.
• Realistic—An easy target may not be interesting because it does not challenge
people nor provide satisfaction. Good practice is to set goals that are just above
the level of ability of the people or enterprise involved. When individuals feel they
have something extra to do to achieve the goal, they feel proud to display their
best work, and this may work as an incentive to achieve the goal. A goal may be
not relevant if set at a level below what is standard.
• Timely—SMART goals have clear start and end dates. This is always true for
short-term goals, but may not be possible for long-term goals.
Personal Copy of: Mr. Cosmin Ionascu
52 Vendor Management: Using COBIT® 5
Although OLAs are not as comprehensive and detailed as SLAs, the same two main
sections that are in the SLA should be included in an OLA. The first section identifies
services and performance metrics. The second section in the OLA discusses processes
related to OLA governance and change management. The same pitfalls as discussed
in the SLA section are applicable here. The OLA should be tested and changed only
when necessary, it is not static, and contains start and end dates.
The underpinning contract also contains sections about the identification of services
and performance metrics and about governance and change management, like
the SLA. The same pitfalls can also be taken into account. It is important for the
enterprise to verify whether any stipulations exist in the original contract between
the enterprise and the vendor that state that the vendor is (or is not) permitted, to
outsource part of its activities to a third party. Some enterprises consider it to be too
high a risk for the vendor to outsource part of its activities and, therefore, prohibit
the vendor from outsourcing by so stating explicity in the contract.
Chapter 6. Managing a
Cloud Service Provider
In recent years, cloud computing has become more than just another IT buzzword.
It refers to a business trend that is expected to have—and for some enterprises
already has—a significant impact on the way enterprises operate. It is likely that
cloud computing will gain even more importance as both the cloud and cloud
service provider markets mature. Because cloud service providers (CSPs) are, in
many cases, strategic vendors to the enterprise, the concept of cloud computing
constitutes an important part of the vendor management scope.
These vendors, however, have very specific cloud-related risk and challenges.
ISACA’s publication Security Considerations for Cloud Computing provides
practical guidance regarding cloud computing and security considerations of
operating in the cloud. Taking into account the substantial impact that faulty
vendor management of the CSP relationship may have on enterprise operations,
this chapter repeats information on the most important risk as discussed in the
aforementioned publication.
Security and data privacy concerns are typically seen as critical barriers to the
adoption of cloud services. To mitigate identified risk, cloud users can opt to set
in place service level agreements (SLAs) or they can ask cloud service providers
to meet certain control objectives. In the end, however, the discussion comes down
to the key element of trust, which is a major component in the cloud computing
business model. There can never be sufficient controls and agreements to mitigate
all concerns if trust is a missing factor in the client-supplier relationship.
The answer to the question “How can I rely on a CSP to protect my data?” will be
influenced by a number of aspects:
• The possibility for auditing and the verification of controls. Does the cloud user
have a view of the CSP’s mitigating controls to handle risk—controls related to
security, availability, processing integrity, confidentiality and privacy? In this
context, several standards or good practices are available for CSPs to report on
their security status. The American Institute of Certified Public Accountants
(AICPA) SOC 2 report or any security certification (International Organization for
Standardization [ISO 2700x]) can be used to evaluate the security practices of a
possible CSP. Guidance on how to fully understand and use AICPA SOC 2 reports
can be found in ISACA’s SOC 2SM User Guide, scheduled to be available by the end
of September 2012. The enterprise must identify compliance requirements or select
a recognized security framework (e.g., ISO, Statements on Standards for Attestation
Agreements [SSAE] 16, Payment Card Industry Data Security Standard [PCI
DSS], Health Insurance Portability and Accountability Act [HIPAA], US Sarbanes-
OxleyAct [SOX]) and request proof of compliance from the CSP.
• The CSP financial position and market recognition
• Is the CSP certified or recognized by one or more security standards authorities
(e.g., the National Information Assurance Partnership [NIAP], which is a
US government body operated by the National Security Agency [NSA], and NIST)?
• The availability of business continuity plans (BCPs), disaster recovery plans
(DRPs) and robust backup procedures, taking into account multifacility,
multicountry CSPs
• The quality of the user’s own data and data classification; policies, principles and
frameworks; processes; organizational structures; culture, ethics and behaviour;
services, infrastructure and applications; people, skills and competencies; and risk
appetite (see chapter 4)
• General negotiations and relationship with the service provider: contracts, SLAs,
communication processes, roles and responsibilities matrices, etc.
Once the enterprise is aware of the risk and threats, it can implement a series of
mitigating actions and controls to reduce or eliminate the threats related to the
service and delivery model it has chosen and to ensure that the benefits of moving
to the cloud are realized as expected.
Personal Copy of: Mr. Cosmin Ionascu
Chapter 6. Managing a Cloud Service Provider 55
The decision to move to the cloud implies that the information assets of the
enterprise will be “managed” by the CSP. However, the enterprise—the owner of the
assets—is likely to have little knowledge or “visibility” into the people, processes
and technology supporting its information assets. The lack of visibility is also
known as “abstraction;” to counter the effects the CSP should provide to customers
full details on how its assets are managed.
The higher the abstraction level, the higher the risk or the number of threats to take
into account because risk is cumulative (figure 1). However, CSPs often offer only
visibility into the cloud stack corresponding to the service model chosen. Security
professionals must be aware of this factor when evaluating a move to the cloud. A
common mistake is to assume that SaaS will not also be subject to risk related to
infrastructure; however, risk and threats are there. They are on a layer that is less
visible because it is no longer under the operational responsibility of the enterprise,
but is under that of the CSP.
S1. IaaS
With IaaS, the CSP provides the enterprise with fundamental computing
resources/equipment (storage, hardware, servers and network components) while the
enterprise remains in control of the operating system (OS) and applications installed.
Risk-decreasing factors:
S1.A Scalability and elasticity—Lack of physical resources is no longer an
issue. Due to the scalable nature of cloud technologies, the CSP can
provide capacity on demand at low cost to support peak loads (expected or
unexpected). Elasticity eliminates overprovisioning and underprovisioning
of IT resources, allowing better cost optimization. This becomes a great
advantage for resilience when defensive measures or resources need to be
expanded quickly (e.g., during DDoS attacks).
Risk affected—Unavailability
S1.B DRP and backup—CSPs should already have in place, as common practice,
disaster recovery and backup procedures. However, recovery point objective
(RPO), recovery time objective (RTO), and backup testing frequency and
procedures provided by the CSP should be consistent with the enterprise
security policy.
Risk affected—Unavailability, loss
S1.C Patch management—Cloud infrastructures are commonly based on
hypervisors and are controlled through a central hypervisor manager or
client. The hypervisor manager allows the necessary patches to be applied
across the infrastructure in a short time, reducing the time available for a new
vulnerability to be exploited.
Risk affected—Unavailability, loss, theft, disclosure
Risk-increasing factors:
S1.D Legal transborder requirements—CSPs are often transborder, and different
countries have different legal requirements, especially concerning personal
private information. The enterprise might be committing a violation of
regulations in other countries when storing, processing or transmitting data
within the CSP’s infrastructure without the necessary compliance controls.
Furthermore, government entities in the hosting country may require access
to the enterprise’s information with or without proper notification.
Risk affected—Disclosure
S1.E Multitenancy and isolation failure—One of the primary benefits of the
cloud is the ability to perform dynamic allocation of physical resources when
required. The most common approach is a multi-tenant environment (public
cloud), where different entities share a pool of resources, including storage,
hardware and network components. All resources allocated to a particular
tenant should be “isolated” and protected to avoid disclosure of information
to other tenants. For example, when allocated storage is no longer needed
S2. PaaS
PaaS adds a layer to IaaS by providing the capability to deploy applications in
a cloud infrastructure. The applications are developed using the programming
languages and tools supported by the CSP. Thus, physical support, OS and
programming tools are the responsibility of the CSP, while the applications and the
data remain under the control of the enterprise. This service model entails the same
impacts on risk as IaaS, plus the following factors.
Risk-decreasing factor:
S2.A Short development time—Using the service oriented architecture (SOA)
library provided by the CSP, applications can be developed and tested within
a reduced time frame because SOA provides a common framework for
application development.
Risk affected—Unavailability, loss
Risk-increasing factors:
S2.B Application mapping—If current applications are not perfectly aligned with
the capabilities provided by the CSP, additional undesirable features (and
vulnerabilities) could be introduced.
Risk affected—Theft, disclosure
S2.C SOA-related vulnerabilities—Security for SOA presents new challenges
because vulnerabilities arise not only from the individual elements, but
also from their mutual interaction. Because the SOA libraries are under the
responsibility of the CSP and are not completely visible to the enterprise,
there may exist unnoticed application vulnerabilities.
Risk affected—Unavailability, loss, theft, disclosure
S2.D Application disposal—When applications are developed in a PaaS
environment, originals and backups should always be available. In the event
of a contract termination, the details of the application could be disclosed
and used to create more selective attacks on applications.
Risk affected—Theft, disclosure
S3. SaaS
In a SaaS model, the CSP provides to the enterprise the capability to use
applications running on the cloud infrastructure. The enterprise, in turn, provides to
the CSP the data necessary to run the application. The physical infrastructure, OS,
applications and data are the responsibility of the CSP. The enterprise has only the
role of client/user. This service model entails the same impacts on risk as PaaS, plus
the following factors.
Risk-decreasing factors:
S3.A Improved security—CSPs depend on the good reputation of their software
capabilities to maintain their SaaS offering. Consequently, they introduce
additional features to improve the resilience of their software (e.g., security
testing or strict versioning) or to inform users about the exact state of their
business application (e.g., specific software logging and monitoring).
Risk affected—Unavailability, loss
S3.B Application patch management—Due to the fact that the SaaS application
service is managed globally and only by the CSPs, application patch
management is more effective, allowing patches to be deployed in little time
with limited impact.
Risk affected—Unavailability, loss
Risk-increasing factors:
S3.C Data ownership—The CSP provides the applications and the customer
provides the data. If data ownership is not clearly defined, the CSP could
refuse access to data when required or even demand fees to return the data
once the service contracts are terminated.
Risk affected—Unavailability, loss, disclosure
S3.D Data disposal—In the event of a contract termination, the data fed into the
CSP’s application must be erased immediately using the necessary tools to
avoid disclosures and confidentiality breaches (forensic cleaning may be
required for sensitive data).
Risk affected—Theft, disclosure
S3.E Lack of visibility into software systems development life cycle (SDLC)—
Enterprises that use cloud applications have little visibility into the software
SDLC. Customers do not know in detail how the applications were developed
and what security considerations were taken into account during the SDLC.
This could lead to an imbalance between the security provided by the
application and the security required by customers/users.
Risk affected—Unavailability, loss, theft, disclosure
S3.F Identity and access management (IAM)—To maximize their revenues,
CSPs offer their services and applications to several customers concurrently.
Those customers share servers, applications and, eventually, data. If data
access is not properly managed by the CSP application, one customer could
obtain access to another customer’s data.
Risk affected—Loss, theft, disclosure
Cloud deployment models do not have the same abstraction as cloud service
models. That is, risk is not cumulative, but particular to each model. However,
“trust” among the different entities (CSP, customers, CSP’s third-party service
providers, etc.) is an important factor—not just trust between the CSP and the
customer, but enough trust in the other tenants sharing computing resources
Personal Copy of: Mr. Cosmin Ionascu
Chapter 6. Managing a Cloud Service Provider 61
hosting the enterprise’s information assets. If a user abuses the infrastructure and
services of the public cloud, the entire infrastructure might be at risk of failure,
theft or seizure (for forensics), including the services used by other enterprises. It
is important as part of the decision process to carefully consider which assets can
securely be hosted in a public cloud and which cannot.
Risk-decreasing factors:
D1.A Public reputation—Providers of public cloud services are aware that they are
generally perceived as more “risky.” It is critical for them to ensure a good
reputation as a secure provider or customers will simply move elsewhere.
Risk affected—Unavailability, loss, theft, disclosure
Risk-increasing factors:
D1.B Full sharing of the cloud (data pooling)—The cloud infrastructure is
shared by multiple tenants of the cloud service provider. These tenants have
no relation to the enterprise or other tenants in the same space, therefore no
common interest and concerns for security.
Risk affected—Unavailability, loss, theft, disclosure
D1.C Collateral damage—If one tenant of a public cloud is attacked, there could
be an impact to the other tenants of the same CSP, even if they are not
the intended target (e.g., DDoS). Another possible scenario of collateral
damage could be a public cloud IaaS that is affected by an attack exploiting
vulnerabilities of software installed by one of the tenants.
Risk affected—Unavailability, loss, theft, disclosure
Risk-decreasing factors:
D2.A Same group of entities—The component of “trust” among the entities in
a community cloud makes the level of risk lower than in a public cloud.
(However, it remains higher than in a private cloud.)
Risk affected—Unavailability, loss, theft, disclosure
D2.B Dedicated access for the community—Dedicated access can be configured
for authorized community users only.
Risk affected—Theft, disclosure
Risk-increasing factor:
D2.C Sharing of the cloud—Different entities may have different security
measures or security requirements in place, even if they belong to the
same enterprise. This could render an entity at risk because of the faulty
procedures or SLAs of another entity, or simply because of differing security
levels for the same type of data.
Risk affected—Loss, theft, disclosure
Risk-decreasing factors:
D3.A Can be built on-premises—Physical or location-related considerations can
be more closely controlled by the enterprise because the cloud infrastructure
can be located on the enterprise’s premises. Global enterprise security
policies would apply.
Risk affected—Unavailability, loss, theft, disclosure
D3.B Performance—Affects on-site private clouds. Because the private cloud is
deployed inside the firewall on the enterprise’s intranet, transfer rates are
dramatically increased (fewer nodes to cross). Storage capacity can also be
higher; private clouds usually start with a few terabytes and can be increased
by adding disks.
Risk affected—Unavailability, loss
Risk-increasing factors:
D3.C Application compatibility—While applications that have already been confirmed
to be virtualization-friendly are likely to run well in a private cloud environment,
problems can occur with older and/or customized software that assumes direct
access to resources. Larger applications that currently run on dedicated specialized
clusters with hardwiring into proprietary runtime and management environments
may also be questionable candidates for migration, at least until standards settle
and vendors take steps to make their solutions private-cloud-compatible. In the
meantime, compatibility testing and remediation are critical.
Risk affected—Unavailability, loss
D3.D Investments required—Making a business case for shared infrastructure
and the necessary training or recruitment to acquire associated skills is
notoriously hard at the best of times. Although the word “cloud” has a high
profile, messages from vendors and service providers are often confusing
and contradictory, making seeking support from senior stakeholders even
more of an issue. If the head of finance thinks cloud is all about getting rid
of infrastructure, it can be difficult to explain that investments are needed in
new equipment, software and tools. The enterprise must conduct a cost-benefit
analysis and prepare a business case to determine whether the cloud is a viable
solution to meet specific business requirements, and justify any expenses.
Risk affected—Cost
Personal Copy of: Mr. Cosmin Ionascu
Chapter 6. Managing a Cloud Service Provider 63
Because hybrid clouds are a mix of the other three models, their risk-increasing or
risk-decreasing factors are the same as those models. There is, however, one
risk-increasing factor related mainly to this model:
D4.A Cloud-interdependency—If the enterprise mixes two or more different
types of clouds, strict identity controls and strong credentials will be needed
to allow one cloud to have access to another. This is similar to a common
network infrastructure problem: how to allow access from a low-level
security zone to a high-level security zone?
Risk affected—Unavailability, loss, theft, disclosure
When considering these implementation strategies, service models and related risk,
it is noteworthy that most of the risk-increasing factors affect theft and disclosure
while most of the risk-decreasing factors affect unavailability and loss. This could
be interpreted as a trade-off.
This section addresses the possible threats that could exploit any of the risk-increasing
factors previously described. It also maps the threats to mitigating actions found in
COBIT 5 for Information Security, which explains in more detail selected terminology
and how to implement certain actions within the enterprise. (A table mapping threats
and mitigating actions can be found in the appendices section.)
With the implementation of these mitigation actions, the impact and probability of
a risk event are greatly reduced, depending on the level of severity of the controls
involved. But risk and threats still exist, although reduced. Specific risk assessments
must be conducted periodically to evaluate the risk situation of the assets specific to
the enterprise and identify improvement opportunities.
Personal Copy of: Mr. Cosmin Ionascu
64 Vendor Management: Using COBIT® 5
Technical 3
A. Vulnerable access management (infrastructure and application, public cloud):
• Related risk factors: S1.D, S3.F, D1.B, D2.C
• Description: Information assets could be accessed by unauthorized entities due
to faulty or vulnerable access management measures or processes. This could
result from a forgery/theft of legitimate credentials or a common technical
practice (e.g., administrator permissions override).
• Mitigation:
– A contractual agreement is necessary to officially clarify who is allowed to
access the enterprise’s information, naming specific roles for CSP employees
and external partners.
– Request that the CSP provide detailed technical specifications of its IAM
system for the enterprise’s CISO (or equivalent authority) to review and
approve. If necessary, include additional controls to ensure robustness of the
CSP’s IAM system. Most CSPs will not provide such details due to internal
security policies, but the enterprise can request controls and benchmarks as
an alternative (e.g., result of penetration testing on the CSP’s IAM systems).
– Use corporate IAM systems instead of CSP’s IAM systems. The IAM remains
the responsibility of the enterprise, so no access to assets can be granted
without the knowledge of the enterprise. It requires the approval of the CSP
and the establishment of a secure channel between the CSP infrastructure and
the corporate IAM system.
• Related guidance in COBIT 5 for Information Security:
– Appendix A. Detailed Guidance: Principles, Policies and Frameworks Enabler
. A.2 Information Security Policy
– Appendix F. Detailed Guidance: Services, Infrastructure and Applications
Enabler
. F.6 User Access and Access Rights in Line With Business Requirements
. F.10 Monitoring and Alert Services for Security-related Events
B. Data visible to other tenants when resources are allocated dynamically
• Related risk factor: S1.E
• Description: This refers to data that have been stored in memory space or
disk space that can be recovered by other entities sharing the cloud by using
forensics techniques.
• Mitigation:
– A contractual agreement is necessary to officially clarify who is allowed to
access the enterprise’s information, naming specific roles for CSP employees
and external partners. All controls protecting the enterprise’s information
assets must be clearly documented in the contract agreement or SLA.
– Encrypt all sensitive assets that are being migrated to the CSP, and ensure
that proper key management processes are in place. This will consume part
of the allocated resources due to the encrypt/decrypt process and global
performance can be affected.
– Request the CSP’s technical specifications and controls to ensure that the data
are properly wiped when requested.
– Use a private cloud deployment model (no multitenancy).
3
elated guidance on technical threats and mitigating actions can also be found in COBIT 5, DSS05
R
Manage security services.
Personal Copy of: Mr. Cosmin Ionascu
Chapter 6. Managing a Cloud Service Provider 65
G. Collateral damage
• Related risk factor: D1.C
• Description: The enterprise can be affected by issues involving other entities
sharing the cloud. For example, DDoS attacks affecting another entity in the
cloud can leave the enterprise without access to business applications (for SaaS
models) or extra computing resources to handle peak loads (for IaaS models).
• Mitigation:
– Ask the CSP to include the enterprise in its incident management process that
deals with notification of collateral events.
– Include contract clauses and controls to ensure that the enterprise’s contracted
capacity is always available and cannot be directed to other tenants without
approval.
– Use a private cloud deployment model (no multitenancy).
• Related guidance in COBIT 5 for Information Security:
– Appendix E. Detailed Guidance: Information Enabler:
. E.6 Information Security Requirements
– Appendix G. Detailed Guidance: People, Skills and Competencies Enabler:
. G.3 Information Risk Management
– Appendix F. Detailed Guidance: Services, Infrastructure and Applications
Enabler:
. F.8 Adequate Incident Response
H. SaaS access security
• Related risk factor: S3.K
• Description: Access to SaaS applications (either via browser or specific
end-user clients) must be secure in order to control the exposure to attacks and
protect the enterprise and his assets.
• Mitigation:
– Use hardened web browsers and/or specific end-user client applications
which include appropriate security measures (anti-malware, encryption,
sandboxes, etc.).
– Use secure virtual desktops or specific browser clients when connecting to
cloud applications.
– Educate corporate users about the risk of running SaaS applications using
insecure devices.
• Related guidance in COBIT 5 for Information Security:
– Appendix F. Detailed Guidance: Services, Infrastructure and Applications
Enabler:
. F.6 User Access and Access Rights in Line With Business Requirements
. F.10 Monitoring and Alert Services for Security-related Events
– Appendix G. Detailed Guidance: People, Skills and Competencies Enabler:
. G.5 Information Security Operations
I. Outdated VM security
• Related risk factor: S1.K
• Description: An inactive VM could be easily overlooked and important
security patches could be left unapplied. This out-of-date VM could become
compromised when activated and expose other VM connected to the cloud.
• Mitigation:
– Introduce procedures within the enterprise to verify the state of software
security updates prior to the activation of any VMs.
– Contractually request the CSP to apply security patches on inactive VMs.
• Related guidance in COBIT 5 for Information Security:
– Appendix A. Detailed Guidance: Principles, Policies and Framework
Enabler:
. A.2 Information Security Policy
– Appendix F. Detailed Guidance: Services, Infrastructure and Applications
Enabler:
. F.5 Adequately Secured and Configured Systems, Aligned With Security
Requirements and Security Architecture
Regulatory 4
A. Asset ownership
• Related risk factors: S2.D, S3.C
• Description: Any asset (data, application or process) migrated to a CSP could be
legally owned by the CSP based on contract terms. Thus, the enterprise can lose
sensitive data or have data disclosed because the enterprise is no longer the sole
legal owner of the asset. In the event of contract termination, the enterprise could
even be subject (by contract) to pay fees to retrieve its own assets.
• Mitigation:
– Include terms in the contract with the CSP that ensure that the enterprise
remains the sole legal owner of any asset migrated to the CSP.
– Encrypt all sensitive assets being migrated to the CSP prior to the migration
to prevent disclosure and ensure proper key management is in place. This can
affect the performance of the system.
• Related guidance in COBIT 5 for Information Security:
– Appendix C. Detailed Guidance: Organizational Structures Enabler:
. C.5 Information Custodians/Business Owners
B. Asset disposal
• Related risk factors: S1.I, S2.E, S3.D
• Description: In the event of contract termination, to prevent disclosure of
the enterprise’s assets, those assets should be removed from the cloud using
tools and processes commensurate to data classification; forensic tools
may be necessary to remove sensitive data (or other tools that ensure a
complete wipeout).
• Mitigation:
– Request CSP’s technical specifications and controls that ensure that data are
properly wiped and backup media are destroyed when requested.
– Include terms in the contract that require, upon contract expiration or any
event ending the contract, a mandatory data wipe carried out under the
enterprise’s review.
• Related guidance in COBIT 5 for Information Security:
– Appendix G. Detailed Guidance: People, Skills and Competencies Enabler:
. G.3 Information Risk Management
4
elated guidance on regulatory threats and mitigating actions can be found in COBIT 5, MEA03
R
Monitor, evaluate and assess compliance with external requirements.
Personal Copy of: Mr. Cosmin Ionascu
Chapter 6. Managing a Cloud Service Provider 69
C. Asset location
• Related risk factor: S1.D
• Description: Technical information assets (data, logs, etc.) are subject to the
regulations of the country where they are stored or processed. In the cloud, an
enterprise may, without notification, migrate information assets to countries
where regulations are less restrictive or their transmission is prohibited
(personal information in particular). Unauthorized entities that cannot have
access to assets in one country may be able to obtain legal access in another
country. Conversely, if assets are moved to countries with stricter regulations,
the enterprise can be subject to legal actions and fines for noncompliance.
• Mitigation:
– Request the CSP’s list of infrastructure locations and verify that regulation in
those locations is aligned with the enterprise’s requirements.
– Include terms in the service contract to restrict the moving of enterprise
assets to only those areas known to be compliant with the enterprise’s own
regulation.
– To prevent disclosure, encrypt any asset prior to migration to the CSP, and
ensure proper key management is in place.
• Related guidance in COBIT 5 for Information Security:
– Appendix G. Detailed Guidance: People, Skills and Competencies Enabler:
. G.4 Information Security Architecture Development
. G.6 Information Assessment and Testing and Compliance
– Appendix F. Detailed Guidance: Services, Infrastructure and Applications
Enabler:
. F.2 Security Awareness
business disruption or failure should the CSP go bankrupt, face legal action, or
be the potential target for an acquisition (with the likelihood of sudden changes
in CSP policies and any agreements in place). Another possibility is the “run
on the banks” scenario, in which there is a crisis of confidence in the CSP’s
financial position resulting in a mass exit and withdrawal on first-come,
first-served basis. If there are limits to the amount of content that can be
withdrawn in a given time frame, then the enterprise might not be able to retrieve
all its data in the time specified. Another possibility may occur if the enterprise
decides, for any reason, to end the relationship with the CSP. The complexity of
the business logic and data models could make it impossible for the enterprise to
extract its data, reconstruct the business logic and rebuild the applications.
• Mitigation:
– Ensure by contract or SLA with the CSP an exit strategy that specifies the
terms that should trigger the retrieval of the enterprise’s assets in the time
frame required by the enterprise.
– Implement a DRP, taking into account the possibility of complete CSP
disruption.
• Related guidance in COBIT 5 for Information Security:
– Appendix B. Detailed Guidance: Processes Enabler:
. B.2 Align, Plan and Organize: APO09 Manage Service Agreements
– Appendix B. Detailed Guidance: Processes Enabler:
. B.4 Deliver, Service and Support: DSS04 Manage Continuity
– Appendix G. Detailed Guidance: People, Skills and Competencies Enabler:
. G.3 Information Risk Management
G. Solid enterprise governance:
• Related risk factor: S3.I
• Description: Enterprises turn to CSPs in search of solutions that can be
implemented easily and at low cost. This ease can be tempting, especially when
the enterprise is facing urgent deadlines that require an urgent solution (e.g.,
the expiration of application licenses or the need of more computing capacity).
This can become an issue because enterprises may contract cloud applications
without proper procurement and approval oversight, thus bypassing compliance
with internal policies.
• Mitigation:
– Ensure that internal governance controls are in place within the enterprise to
involve the necessary governance organization (legal, compliance, finance,
etc.) during the decision process of migrating to cloud services.
• Related guidance in COBIT 5 for Information Security:
– Appendix B. Detailed Guidance: Processes Enabler:
. B.1 Evaluate, Direct and Monitor: EDM01 Ensure Governance Framework
Setting and Maintenance.
. B.5 Monitor, Evaluate and Assess: MEA02 Monitor, Evaluate and Assess
the System of Internal Control
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT ® 5 for Information Security
Risk Mapping to
Threat Description Factors Mitigation COBIT 5 for Information Security
Technical Threats
A. Vulnerable Information assets could be accessed S1.D • A contractual agreement is necessary to • A ppendix A. Detailed Guidance:
access by unauthorized entities due to faulty or S3.F officially clarify who is allowed to access Principles, Policies and Frameworks
management vulnerable access management measures D1.B the enterprise’s information, naming Enabler
(infrastructure or processes. This could result from a D2.C specific roles for CSP employees and – A.2 Information Security Policy
Vendor Management: Using COBIT® 5
and application, forgery/theft of legitimate credentials external partners. • Appendix F. Detailed Guidance: Services,
public cloud) or a common technical practice (e.g., • Request that the CSP provide detailed Infrastructure and Applications Enabler
administrator permissions override) technical specifications of its IAM system – F .6 User Access and Access Rights in
for the enterprise’s CISO to review and Line With Business Requirements
approve. Include additional controls to – F .10 Monitoring and Alert Services for
ensure robustness of the CSP’s IAM Security-related Events
system. Most CSPs will not provide such
details due to internal security policies,
(no multitenancy).
76
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT ® 5 for Information Security (cont.)
Risk Mapping to
Threat Description Factors Mitigation COBIT 5 for Information Security
Technical Threats (cont.)
C. Multitenancy Due to the nature of multitenancy, some S1.E •R equest the CSP’s technical details for • Appendix E. Detailed Guidance:
visibility assets (e.g., routing tables, MAC addresses, D1.B CISO approval and require additional Information Enabler
internal IP addresses, LAN traffic) could D2.C controls to ensure data privacy. – E.8 Information Security Review
be visible to other entities in the same • A contractual agreement is necessary to Reports
cloud. Malicious entities in the cloud could officially clarify who is allowed to access • Appendix C. Detailed Guidance:
take advantage of the information, e.g., by the enterprise’s information, naming Organizational Structures Enabler
utilizing shared routing tables to map the specific roles for CSP employees and – C.1 Chief Information Security Officer
internal network topology of an enterprise, external partners. All controls protecting (CISO)
preparing the way for an internal attack. the enterprise’s information assets must • Appendix F. Detailed Guidance: Services,
be clearly documented in the contract Infrastructure and Applications Enabler
agreement or SLA. – F.10 Monitoring and Alert Services for
Vendor Management: Using COBIT® 5
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT ® 5 for Information Security (cont.)
Risk Mapping to
Threat Description Factors Mitigation COBIT 5 for Information Security
Technical Threats (cont.)
G. Collateral The enterprise can be affected by issues D1.C • Ask the CSP to include the enterprise • Appendix E. Detailed Guidance:
damage involving other entities sharing the cloud. in its incident management process Information Enabler
For example, DDoS attacks affecting that deals with notification of collateral – E.6 Information Security Requirements
another entity in the cloud can leave the events. • Appendix F. Detailed Guidance: Services,
enterprise without access to business • Include contract clauses and controls to Infrastructure and Applications Enabler
applications (for SaaS models) or extra ensure that the enterprise’s contracted – F.8 Adequate Incident Response
computing resources to handle peak loads capacity is always available and cannot • Appendix G. Detailed Guidance: People,
(for IaaS models). be directed to other tenants without Skills and Competencies Enabler
approval. – G.3 Information Risk Management
•U se a private cloud deployment model
(no multitenancy).
Vendor Management: Using COBIT® 5
H. S aaS access Access to SaaS applications (either via S3.K •U se hardened web browsers and/or • Appendix F. Detailed Guidance: Services,
security browser or specific end-user clients) must specific end-user client applications Infrastructure and Applications Enabler
be secure in order to control the exposure which include appropriate security – F.6 User Access and Access Rights in
to attacks and protect the enterprise and measures (anti-malware, encryption, Line With Business Requirements
assets. sandboxes, etc.). – F.10 Monitoring and Alert Services for
•Use secure virtual desktops or specific Security-related Events
browser clients when connecting to cloud • Appendix G. Detailed Guidance: People,
(or other tools that ensure a complete • Include terms in the contract that require,
wipeout). upon contract expiration or any event
ending the contract, a mandatory data
wipe carried out under the enterprise’s
79
review.
80
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT ® 5 for Information Security (cont.)
Risk Mapping to
Threat Description Factors Mitigation COBIT 5 for Information Security
Regulatory Threats (cont.)
C. Asset location Technical information assets (data, logs, S1.D •R equest the CSP’s list of infrastructure • Appendix G. Detailed Guidance: People,
etc.) are subject to the regulations of the locations and verify that regulation Skills and Competencies Enabler
country where they are stored. In the cloud, in those locations is aligned with the – G.4 Information Security Architecture
an enterprise may, without notification, enterprise’s requirements. Development
migrate information assets to countries • Include terms in the service contract – G.6 Information Assessment and
where regulations are less restrictive or to restrict the moving of enterprise Testing and Compliance
their transmission is prohibited (personal assets to only those areas known to • Appendix F. Detailed Guidance: Services,
information in particular). Unauthorized be compliant with the enterprise’s own Infrastructure and Applications Enabler
entities that cannot have access to assets regulation. – F.2 Security Awareness
in one country may be able to obtain legal • To prevent disclosure, encrypt any asset
access in another country. Conversely, prior to migration to the CSP, and ensure
Vendor Management: Using COBIT® 5
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT ® 5 for Information Security (cont.)
Risk Mapping to
Threat Description Factors Mitigation COBIT 5 for Information Security
Information Security Governance Threats (cont.)
B. Visibility of The cloud is similar to any infrastructure S1.F •R equest the CSP’s detailed schemes of • Appendix E. Detailed Guidance:
the security in that security measures (technology and the technical security measures in place Information Enabler
measures put in processes) should be in place to prevent and determine whether they meet the – E.6 Information Security Requirements
place by the CSP security attacks. The security measures requirements of the enterprise. – E .8 Information Security Review
provided by the CSP should be aligned •R equest that the CSP provide proof Reports
with the requirements of the enterprise, of independent security reviews or – E.9 Information Security Dashboard
including management of security certification reports (e.g., AICPA SSAE 16 • Appendix F. Detailed Guidance: Services,
incidents. SOC 2 report or ISO certification). Infrastructure and Applications Enabler
• Include in the contract language – F .10 Monitoring and Alert Services for
that requires the CSP to provide the Security-related Events
enterprise with regular reporting on
Vendor Management: Using COBIT® 5
Figure 9—Cloud Threats and Mitigating Actions Mapped to COBIT ® 5 for Information Security (cont.)
Risk Mapping to
Threat Description Factors Mitigation COBIT 5 for Information Security
Information Security Governance Threats (cont.)
F. Service Currently, there is very little available in S3.G • Ensure by contract or SLA with the CSP • Appendix B. Detailed Guidance:
termination terms of tools, procedures or other offerings an exit strategy that specifies the terms Processes Enabler
issues to facilitate data or service portability that should trigger the retrieval of the – B.2 Align, Plan and Organize (APO)
from CSP to CSP. This can make it very enterprise’s assets in the timeframe . APO09 Manage Service Agreements.
difficult for the enterprise to migrate from required by the enterprise. • Appendix B. Detailed Guidance:
one CSP to another or to bring services • Implement a DRP, taking into account Processes Enabler
back in-house. It can also result in serious the possibility of complete disruption of –B.4 Deliver, Service and Support
business disruption or failure should the the CSP. . DSS04 Manage Continuity.
CSP go bankrupt, face legal action, or be • Appendix G. Detailed Guidance: People,
the potential target for an acquisition (with Skills and Competencies Enabler
the likelihood of sudden changes in CSP – G.3 Information Risk Management
Vendor Management: Using COBIT® 5
Partnership
Customer Name: ______________ Weight Rating
Approach
Technical
Managed
Services
%
(25-50- Vendor Vendor Vendor Vendor
Business Objective 75-100) X Y Z W
Business understanding ● ● ● ● x
Unified data/voice/video ● ● ● ● x
Results as opposed to means ● ● ● ● x
Scalability
• Europe ● ● ● ● x
• World ● ● ● ● x
Security ● ● ● ● x
Long-term vision ● ● ● ● x
Design of the solution ● ● ● ● x
Resilience
• Production ● ● ● ● x
• Backup ● ● ● ● x
Capacity
• Production ● ● ● ● x
• Backup ● ● ● ● x
Bandwidth optimization ● ● ● ● x
SLA (end-to-end) ● ● ● ● x
KPIs (reporting-trend-capacity ● ● ● ● x
planning)
Transition IN (no big bang) ● ● ● ● x
Courts of justice ● ● ● ● x
Languages for support ● ● ● ● x
(incident management)
Black = 0, red = 1, yellow = 2, green = 3
Partnership
Approach
Technical
Managed
Services
%
(25-50- Vendor Vendor Vendor Vendor
Business Objective 75-100) X Y Z W
Key processes (change management- ● ● ● ● x
planned/unplanned maintenance)
Supplier internal processes (others) ● ● ● ● x
Partnership relation ● ● ● ● x
Negotiation time duration and ● ● ● ● x
complexity
Company internal workload at ● ● ● ● x
minimum
Black = 0, red = 1, yellow = 2, green = 3
Weights and ratings should be multiplied and summarized per vendor to determine
a final score as shown in figures 12 and 13. It is advisable to select the two highest
rating vendors and start negotiations with them.
0 1 2 3 4 5
0%
Ranking weighted
according to company
25%
business requirements Vendor Ranking Pricing
Vendor X 3.66 110%
Vendor Y 2.95 163%
50% Vendor Z 3.44 10%
Vendor W 2.99 141%
75%
Best pricing
100% Z
X
125%
W
150%
Y
175%
The purpose of the first chapter in the call for tender is to provide insight into
the enterprise strategy and the business context in which the enterprise operates.
This information is important for potential vendors to understand the enterprise
environment and activities, key parameters for service delivery and potential
opportunities or threats. The information in this chapter forms the basis for the
vendor to develop a tailored approach for the enterprise and adequately respond to
the call for tender. The following sections could be included:
• Enterprise profile:
– Enterprise strategy
– Enterprise goals
– Enterprise services
– Organizational structure
• Enterprise IT mission and vision
In the second chapter, more specific information is provided regarding the enterprise
IT governance and management. The following sections should be included:
• IT goals and strategic orientations
• High-level insight into the enterprise architecture
• Overview of the IT organization and services
• Roles and responsibilities
• IT process management frameworks or standards
• Applicable policies and regulations
Once the potential vendor is informed about the enterprise context and the
enterprise IT governance and management, the key purpose of the call for tender
should be communicated by detailing the services that the enterprise is requesting
from the market. It is important to detail the service requested as precisely as
possible to enable the vendor to prepare an adequate offer. The enterprise should
focus on the needs rather than defining solutions. The challenge for potential
vendors is to provide the enterprise with the best solution to meet the requirements.
However, limitation to use specific applications or infrastructure can be added to
comply with architectural boundaries. The following sections could be included:
• High-level description of the service requested
• Current situation
As a conclusion, this chapter should provide some general rules and guidelines.
These could be either fixed rules, which are not negotiable, e.g., security
requirements, or suggested guidelines that the vendor should take into account when
drafting the offer, e.g., vendor capabilities. It is recommended to indicate whether
the enterprise considers an item to be a fixed rule or a guideline. The following
sections should be included:
• Relationship governance structure
• Escalation procedures
• System and service management tools
– Objectives
– Requirements
– Reference documents
• Performance evaluation
– Procedure
– Metrics
• Vendor capabilities
– Security management capabilities
– Project management capabilities
– Service continuity capabilities
–S ervice reporting capabilities
– Continuous improvement capabilities
– Asset and innovation management capabilities
Appendix
When making a distinction between a request for information (RFI) and a request
for proposal (RFP) in the call for tender process, the elements described previously
should be split between the two information documents. When sending out an RFI,
it is important to begin with a description of the enterprise context, as explained
in the first chapter of the call for tender template. As a general guideline, the RFI
document is not as specific as the RFP document. The RFI provides an insight into
the enterprise context and the objectives of a potential vendor relationship, without
specifying too much detail. The RFI purpose is to find out who the interested
parties in the market are, what possible solutions might be interesting to investigate
further and potentially phase out vendor candidates that do not fit the requirements
at an early stage, for reasons such as global spread or potential to serve large
enterprises.
An RFP that was preceded by an RFI should not necessarily repeat this information,
unless new vendor candidates are included in the RFP process.
1. S
cope of Services
The IT contract must clearly define the services that will be performed, to
avoid any dispute among the parties regarding scope of services. For a time and
materials (T&M) contract, it is especially important to clearly describe the scope
of the services to be provided, the scheduling of the services and the number of
services to be delivered. Alternatively, when the IT contract is for a well-defined
deliverable (e.g., specific software that will be developed), establishing the scope
becomes less important as long as the deliverable specifications and requirements
are clearly defined in the contract.
IT projects may have a dynamic nature, so the contract may be subject to frequent
changes, especially in the case of long-term agreements. For this type of project,
establish a method to modify the scope, i.e., a change management procedure,
or include a consultation clause in the agreement. This allows the parties to
distinguish the “must have” and the “nice to have,” assess risk associated with
proposed changes while the project progresses and jointly approve changes.
2. C
ore Obligations of Parties
After the scope of services has been clearly defined, parties should agree on the
performance standards regarding the delivery of services.
IT contracts usually contain a description of mutual rights and obligations for the
parties. Most often, these obligations consist of general responsibilities, such as
information obligation, cooperation obligation and obligation to comply with the
applicable legislation.
The parties should set sufficient interim delivery milestones to enable the
project to be completed successfully and in due time. Such milestones allow the
enterprise to monitor the project progress and to maintain control of the various
interim deliverables. Each milestone and the corresponding interim deliverables
should be clearly defined by the parties in the contract.
3. O
wnership of Intellectual Property and Data
During the implementation of an IT project, the parties may have to manage
different forms of intellectual property rights. The contract should clarify
the distinction between intellectual property that existed before the start of
the contract, the intellectual property developed during the project and the
intellectual property of third parties.
If the enterprise does not obtain full ownership rights of the relevant intellectual
property upon termination of the agreement, the contract should explicitly allow
the use of intellectual property, for example, with a license agreement. The
range of such rights should be defined (e.g., only for internal purposes, only in
a specific country, for a limited or unlimited period, limited number of users
and exclusive or nonexclusive), and the contract should stipulate whether the
intellectual property can also be used by parties related to the enterprise (e.g.,
subsidiaries and external service providers) or can be sublicensed and transferred.
If the enterprise obtains the intellectual property rights at the end of the
agreement, it should be determined whether a license should be given to the
service provider for future projects.
4. E
nd of Contract
The way in which a contract is terminated depends on the term for which it has
been concluded (definite or indefinite) and on the termination possibilities for
the parties included in the contract. Including specific exit arrangements in the IT
contract is important. A smooth transfer to another service provider or in-house
prevents endangering the continuity of business operations. Ownership rights
and the right to use intellectual property after the end of the contract, discussed
previously, are part of the end of contract arrangements.
During IT projects, personal data are often processed and transferred. When this
is the case, both the client and the service provider must follow the applicable
private data legislation. Because each country has its own privacy regulations,
the compliance of the IT contract with the applicable national legislation should
be checked. Private data legislation can differ substantially between different
jurisdictions. Some jurisdictions have extensive privacy legislation, while
other jurisdictions have only limited legislation or a total lack of protection of
private data. The latter situation may cause serious problems if private data are
transferred to such jurisdictions. All European companies have similar private
data regulations because these regulations were the result of a European directive.
However, certain differences between European countries are possible because
of the differences in implementation of the directive. In those countries where
extensive private data protection is in place, the national private data regulations
generally provide for the obligation to include a guarantee in the IT contract that
the service provider will process any personal data in line with the applicable
legislation. The service provider must ensure that private data that are transferred
to a country that is not considered to be a safe harbor are sufficiently protected.
The contract must include a clear assignment of roles regarding the processing of
personal data. The contract must clarify the following:
• Who will process the data?
• During which period the data will be processed and kept?
• Who will have access to the data?
• Which data will be kept?
• Where will the data be kept and during which period?
6. F
ees and Payment Terms and Modalities
The contract should be explicit about the method to calculate price. It should
be clearly specified whether the project will be executed for a fixed price, on
the basis of actual time spent (e.g., an hourly rate or a man per day rate) or a
combination of both.
clause, which allows parties to modify certain conditions (e.g., the price) of
the agreement at specific stages of the project. Depending on the applicable
legislation, an indexation clause could be inserted into the contract. This clause
should contain, at a minimum, the index, the indexation formula and the
frequency of the indexation. Other price revision methods can also be included
(e.g., consultation clause).
7. Performance
A service level agreement (SLA) is very common in IT contracts and can be
an effective tool to create a common understanding between contracting parties
regarding services, priorities and/or responsibilities in the framework of
an agreement.
As discussed previously, only measurable and realistic SLAs are defined in the
contract. Unrealistic SLAs might cause disputes between parties. SLAs should be
measurable to allow meaningful reporting among the parties. The reports can be
used during consultations between parties about the achievement of the SLA.
If required, an audit clause can be included in the contract that allows the
enterprise to obtain the right to access relevant financial data, accounting
information, operational and technical data, safety standards, etc., of the other
party. It is strongly recommended to insert this audit clause into a contract
because it allows the enterprise to check, among others, the co-contracting party’s
performances, compliance and achievements.
8. T
erm and Termination Possibilities
Contracts can be established for a definite or indefinite term. A contract for an
indefinite term can be terminated at any moment in time, subject to due notice.
The parties can define which circumstances or events of default will lead to an
early dissolution of the agreement with entitlement to compensation. As indicated
previously, proper exit arrangements should be negotiated to ensure a smooth
transfer to another provider in case of termination under any circumstances.
9. Liabilities
Dependent on the jurisdictions involved, the legal rules regarding liability are
quite stringent. However, contracting parties might be able to negotiate different
arrangements regarding liabilities. The service provider, in particular, will benefit
from a limitation of liability because the service provider bears the biggest
responsibilities. The limitation of the liability of the service provider regarding
the security, protection and loss of data is a common liability clause in contracts.
In most cases, the service provider will try to limit its liability to the minimum
extent possible.
Contractual clauses regarding the limitation of liability can take several forms,
for example, the liability can be capped to a maximum amount or certain
damages can be excluded from any compensation. It is common practice for
a service provider to try to limit its liability as much as possible. However,
the service provider should bear some liability, especially regarding its core
obligations. Furthermore, such limitation of liability should be evaluated in view
of the enterprise’s liability toward its own customers as well as the liabilities
covered by insurance policies.
Parties can also define how third-party claims will be addressed (e.g., in case
of an infringement on intellectual property rights). Include indemnity clauses in
the contract that define how these claims will be handled. When a contracting
party of the enterprise bears damages because of a fault of the service provider,
the enterprise will be held responsible by the contracting party. Because of the
indemnity clause, the enterprise can seek to have the service provider reimburse
it for monies that the enterprise had to pay to the damaged party.
Certain jurisdictions have special liability laws for online providers (e.g., laws
of the member states of the European Union [EU] and the Digital Millennium
Copyright Act of the USA).
10. D
ispute Resolution and Applicable Law
The IT services contract may involve different countries and, therefore, cover
different jurisdictions, for example, the service provider and the enterprise are
located in different countries. The contract must determine the governing law
and the competent jurisdiction in case a dispute arises related to the agreement.
The choice of the applicable law has an impact on the validity and enforceability
of the clauses of the agreement. A legal procedure under foreign law or in
front of a foreign court may involve additional costs (e.g., the intervention of a
foreign lawyer) and risk.
<date>
and
I. The Agreement
For ENTERPRISE
NAME
Function
NAME
Function
3. Notifications
All correspondence concerning this Agreement, is to be sent to the following
address. Any changes to the above particulars will be notified in writing.
For Supplier
<Address>
For Enterprise
<Address>
2.7 Enterprise reserves the right to monitor supplier performance during the
term of any Subagreement, in accordance with clause 9.
The Parties will jointly determine how many working days Enterprise
will have to accept the Deliverables or reject them in writing. If
Enterprise does not accept or reject the Deliverables within this period
or, in any case, when Enterprise makes any productive or live use of
the Deliverables, whichever occurs first, they will be incontrovertibly
deemed to have been Accepted.
If no Acceptance took place three months after delivery, and if the non-
Acceptance is attributable to the Supplier, Enterprise has the right to terminate
the relevant Subagreement with immediate effect in whole or in part, by
means of a registered letter and without prior judicial intervention.
to two percent of the Contract Price for the Assignment for each week's
delay, up to a maximum of 10 percent of the Contract Price.
4. Contract Price
4.1. Time-based Contract Services
Time-based Contract Services will be provided on a Time and Materials
fee basis. Save as otherwise expressly provided, a fixed per diem rate
shall be laid down according to the Ratecard, a normal working day
consisting of eight (8) hours of work between 07:45 and 18:00, excluding
lunch time and breaks.
All rates must include any accommodation and travel expenses incurred
by the Contractors. They should not include taxes.
If for the project, Enterprise requires the supplier to travel, the Enterprise
travel policy will be applied if this policy has been communicated to
Supplier (bookings made by xxxx + 50 EUR per diem/day).
The Contract Price shall include any accommodation and travel expenses
incurred by the Contractors. They should not include taxes.
The Contract Price indicated in the Subagreement shall be valid for the
entire duration of the Assignment.
Where:
P1 = the revised price
P0 = the price in the year n-1
S1 = “Agoria” index for the current month preceding year n - 1
S2 = “Agoria” index for the current month preceding year n
year n = the contract year for which the revised price will apply
year n - 1 = the contract year preceding year n
5. Payments
The Supplier shall invoice within twelve (12) months after delivery of
the relevant Contract Services. Each claim of the Supplier with respect to
outstanding amounts that are not invoiced becomes prescribed after this period
of twelve (12) months.
Invoices are payable within the 30 days of invoice date. Interest for late
payments are computed on the legal rate.
6. Intellectual Property
6.1 The Supplier acknowledges that all proprietary software of Enterprise, or
software which has been licensed to Enterprise by a Third Party, is and
will remain the property of Enterprise or of the Third Party. Enterprise
will grant, free of charge, a temporary, nontransferable and nonexclusive
license to use or modify all Enterprise software, tools, methods and
know-how in such a way as agreed on in each Subagreement. The
Supplier will not infringe any existing property right in respect of this
software or these tools, methods and know-how, and will comply strictly
with all obligations Enterprise has towards the Third Parties concerned.
6.2 The intellectual, nonmoral property rights to all Deliverables identified in
the Subagreements as client materials will be automatically transferred to
Enterprise as the development thereof progresses. Therefore, the Supplier
guarantees that he has the explicit authorization of the Contractors to
transfer such intellectual, nonmoral property rights, within the meaning
of the European Directive of 14 May 1991 on the legal protection of
computer programs. Enterprise grants Supplier a nonexclusive,
royalty-free, worldwide, perpetual right to use, reproduce, copy, adapt,
modify, multiply, sublicense and market the Client Materials.
6.3 The copyright and all other intellectual property rights in any materials
or software (whether written or machine-readable) created by or licensed
to Supplier prior to this Frame Agreement or outside a Subagreement and
any subsequent modifications to the same (“Pre-existing Works”) will
remain vested in Supplier (or our licensor). To the extent that these are
part of any of the Deliverables, Supplier will grant Enterprise a license to
use them in accordance with Clause 6.4. below.
6.4 Supplier is the sole owner of the copyright and all other intellectual
property rights in any materials in all Deliverables that are not identified
as Client Materials and in all other materials or software created
under a Subagreement. Supplier grants Enterprise a nonexclusive,
nontransferable license to use these Deliverables, which are not identified
as Client Materials (and any Pre-existing Works to the extent that these
form part of the Client Materials) for their own internal use and only for
the purposes for which they were delivered. Enterprise will refrain from
copying, reproducing, modifying, multiplying, adapting, sublicensing
these Deliverables (or any Pre-existing Works to the extent that these
form part of the Client Materials) to any Third Party.
6.5 Each party will at the request and reasonable expense of the other
execute all such documents and do all such acts as may be reasonably
necessary in order to vest in the other the rights granted to the other
under this Clause 6.
6.6 Without prejudice to the above, the Supplier will retain the right to
use ideas, methods or concepts developed in the performance of the
Assignment, regardless of whether they are patentable or not, in other
situations or for other clients.
The parties will cooperate in mounting a defense against any and all
Third-party Claims. Such cooperation shall include providing records and
all information, which can reasonably be considered relevant and making
employees available to provide additional information and explanation.
The indemnifying Party will not be entitled to assume responsibility for the
defense against a Third-party Claim if there is a conflict of interest, in which
case the indemnified Party will be entitled to be compensated for the expenses
it reasonably incurs in defending itself against any such claim.
The Supplier guarantees for the purposes hereof that any Contractor under
this first paragraph will be bound to the Supplier by means of a contract of
employment, that it will withhold and transfer the payroll taxes and social
security contributions due and that it will not act in contravention of labor
laws and social security regulations in force.
Enterprise is permitted, within the limits of Art. 31§1 of the Law of 24 July
1987 on Temporary Work, Temporary-Employment Business Work and
Provision of Labor for Users, to give the Contractors instructions, in executing
the Agreement, with regard to both working and rest times and the execution
of the work agreed upon with Supplier. However, the Supplier will be
responsible for the actual management and supervision of the Contractors.
In no case shall Enterprise be deemed to be the legal or actual employer
of the Contractors.
However, without prejudice to the first paragraph of this clause, the Supplier
may be allowed to employ any subcontractors, freelance personnel or
interim personnel for the execution of the Agreement after explicit and prior
written agreement by Enterprise, which shall be confirmed in any relevant
Subagreement.
The Supplier will take all steps necessary to ensure that the Contractors have
the required experience and competence to perform the Assignment properly
with respect to the Contractor Profile required by Enterprise.
9. Progress Monitoring
The Supplier shall appoint a Project Manager for each Assignment in the
Subagreement, who shall act as point of contact. The Project Manager
appointed by the Supplier shall undertake the actual direction and exercise
the supervision of the Contractors of said Assignment.
The Project Manager and the Enterprise Project Coordinator shall meet at
regular intervals for discussions on the progress of the work. The Project
Manager shall prepare the minutes of the discussions on the progress of the
work. These minutes shall be submitted to the Enterprise Project Coordinator
for approval and shall not be binding upon Enterprise unless signed by the
Enterprise Project Coordinator.
The Project Manager will inform the Enterprise Project Coordinator of each
Progress Meeting and its agenda at least two business days beforehand.
The Project Manager will send minutes of the Progress Meetings to the
Enterprise Project Coordinator within two business days of the meeting.
Because any such change might have an impact on the quality, duration and
the price of the Assignment and its Deliverables, strict mutual agreement
regarding the implementation of the change and the impact on the price and
duration is required. Any and all changes must be handled via the change
procedure outlined below.
The other party, on receipt will register the change request. The Supplier
will handle the administrative follow-up of the change request.
11. Training
No in-house training will be provided except by mutual consent of the Parties.
The Supplier guarantees that the Contractors shall use the resources provided
by Enterprise simply and solely for the performance of and in relation to
the Agreement.
Supplier will not be liable for any loss or damage arising from reliance on
any information or materials supplied by Enterprise or any third party, or for
any inaccuracy or other defect in any information or materials supplied by
Enterprise or any third party.
In addition, the Supplier will comply with any and all safety regulations
and codes of conduct required by Enterprise with respect of the use of these
resources, to the extent these regulations and codes are communicated
to Supplier.
13. Confidentiality
Parties acknowledge that the existence and content of the relationship with
between Enterprise and Supplier, as well as the information and knowledge
concerning one of the parties obtained or received in the performance of the
Assignment (such as technical, financial, statistical, personal and
customer-related information of Enterprise-affiliated Companies,
transactional data, information on the management of a business, etc.) which
is marked confidential or manifestly confidential is confidential information.
For the purposes of this article, the Enterprise-affiliated Companies will not
be considered Third Parties. Likewise, member firms of the Supplier’s global
network will not be considered Third Parties.
Parties will use best efforts to ensure that in no way, either directly or
indirectly, verbally or in writing or by any other means, divulge this
confidential information to Third Parties unless the other party has given
its prior written consent or unless this is necessary for legal, accounting or
regulatory reasons.
The parties must also ensure that any person to whom Confidential
Information is disclosed is aware of the above obligations and are
contractually bound to comply with them.
This article will remain in effect both during the Frame Agreement and after
it has come to an end.
If the dispute is not resolved within 30 days through such negotiations, each
party shall have the right to submit the unresolved issue to the <city> courts,
which shall have exclusive jurisdiction to settle any such dispute, controversy
or claim which may arise in connection with the legal relationships
established by the present Agreement.
The Supplier will take out insurance for this with a reputable insurance
company. Evidence of such insurance shall be presented to Enterprise, on
Enterprise’s simple request.
Neither Party will be liable under the Agreement for indirect loss in any
form whatsoever, such as a loss of earnings, business interruption or
stagnation, losses resulting from a loss of data, personnel costs and costs of
personnel depletion. For the purpose of the Agreement, indirect loss does not
include damage to hardware and other movable and immovable items, such
as software, nor the costs of repairing the hardware and data files, the costs
of fallback to another system or the necessary intervention by Third Parties.
This liability limitation will not apply in case of intentional fault by Supplier.
The Services and the Deliverables are provided solely for Enterprise’s benefit
and use and only for the purpose stated in the Subagreement. As such
Services and Deliverables may not be appropriate for any other purpose,
any use Enterprise makes of Services and Deliverables for such another
purpose is at its sole risk and responsibility. Enterprise may not disclose
the Deliverables, provide copies of the Deliverables or make the benefit
of the Services available to any third party without Supplier’s prior written
consent which Supplier may, at its sole and absolute discretion, refuse or
grant, subject to the third party agreeing to appropriate terms stipulated by
Supplier. Supplier accepts no liability or responsibility to any third party who
benefits from or uses the Services or gains access to the Deliverables, without
its aforementioned written consent. Enterprise agrees to hold harmless and
indemnify Supplier against any liabilities, losses, expenses or other costs
Supplier reasonably incurs in connection with any claims against Supplier or
any other Supplier Entity by third parties in connection with or arising out of
the Frame Agreement or any Subagreement.
In the event of material damage, the total liability of each Party will be
limited to 125.000 euro per event, with a series of related events being
counted as a single event.
This liability limitation will not apply in case of intentional fault by Supplier.
The total liability of each Party in the event of death or physical injury will
be determined in accordance with the applicable law.
The Parties will take out insurance for this with a reputable insurance
company. Evidence of such insurance shall be presented to the other Party,
on that Party’s simple request.
In the event of force majeure as described above, the Party which invokes
force majeure will notify the other Party thereof in writing within seven (7)
days, stating the nature of the force majeure and of the underlying
circumstances. In the event of force majeure which continues for longer
than three (3) months, the Party against which the force majeure has been
invoked will be entitled to terminate the Agreement with immediate effect by
registered letter.
For the purpose of the Agreement, force majeure does not include a failure
to comply or a failure to comply on time by a subcontractor, with the
obligations which that party has assumed vis-à-vis one of the Parties, unless
the Party in question demonstrates that the failure to comply or comply on
time with that obligation is attributable to force majeure.
If Enterprise forms the opinion that, for pressing reasons that could seriously
jeopardize the success of the Assignment, all cooperation with a Contractor
has become impossible, Enterprise must notify the Supplier thereof by
registered letter, requesting the replacement of that Contractor. The Supplier
must then, within one month of receiving the registered letter, appoint a
replacement that is capable of working on the Assignment.
25. Severability
If any provision in the Agreement is deemed to be invalid, unlawful or
unenforceable, both Parties will be relieved of all rights and obligations
arising from that provision, but only in so far as that provision is invalid,
unlawful or unenforceable. The provision in question will be amended in
so far as this is necessary in order to make it valid, lawful or enforceable,
without affecting the spirit of the Agreement.
In the event of any inconsistency between the terms and conditions
contained in the Frame Agreement and the provisions of the Subagreement,
the provisions that shall prevail are the provisions of the Subagreement. In
the event of any inconsistency between the provisions of the Subagreement
and the Statement of Work or any attachment or appendix, the Subagreement
will prevail.
Parties confirm that they each accept the risks of, and authorize, electronic
communications between them. They each agree to use commercially
reasonable procedures to check for the then most commonly known viruses
before sending information electronically. They will each be responsible
for protecting their own systems and interests in relation to electronic
communications and neither Enterprise nor Supplier (in each case including
The exclusion of liability in this clause shall not apply to the extent such
liability cannot by law be excluded.
Subagreement No. C…
This Agreement is concluded between ……………....., with registered office
at ....................., ..............................................., entered in the
Register of Legal Persons under No. .................. and hereinafter referred to as
the Supplier,
and
Subject Matter
[Description of the Assignment]
Acceptance
[Procedure, Criteria]
Contract Price
Performance of this Assignment shall be effected at … euro < a day, in total,
etc. >, VAT excluded.
Invoicing shall be effected monthly, on the basis of …..
Time Line
Start of the Assignment: ../../….
Termination of the Assignment: ../../….
with an option for extension.
Coordination
Project Manager: ......................…..
Enterprise Project Coordinator: ......................…..
Location: ......................…..
IV. Ratecards
1. Time-based Contract Services
2. Project-Based Contract Services
3. Discounts
This section gives an overview of all the elements taken into account in the mission
of the vendor, which can be represented visually by means of a spider diagram,
as shown in figure 15. Other elements in this chapter can contain the precise
definitions of the RACI (responsible, accountable, consulted and informed) matrix
and the roles and stakeholders described throughout this publication:
• RACI formalism
• Definition of roles
• Definition of stakeholders
References Plan
SLA Document Implementation
Roles Information Project Implement
RACI Control/Monitor
Penalties
Technical Framework
Appendices Quality Plan
Contacts
SLA Configuration
Management
Incident
Management
KPIs
Problem
Service Level Management
Reporting Management Recurring
Activities Release
Management
Quality
Availability
Management
Control/Monitor
Penalties
Description of Services
This section begins with a description of the scope of the services that are being
delivered to the enterprise. In a subsequent section, the exclusion and applicability
conditions can be documented. The general principle here is that any element not
listed in the scope of services is considered to be out of scope of the service level
agreement (SLA). In the force majeure section, any event or circumstance that is
beyond the control of the vendor can be described. The penalties that are set in the
SLA are not applicable to the events and circumstances that are in the force majeure
section. In the last part of this section, the services provided are detailed, including
a description of service deliverables, the time frame in which the SLA is valid and
the fees related to the delivered services:
• Scope of the services
• Exclusion and applicability conditions:
– General principle
– Force majeure
• Services provided in the context of this SLA:
– Description of deliverables
– Validity period
– Fees
Levels of Service
The first part of this section should detail a number of key performance indicators
(KPIs) measuring the level of services and define a claim or bonus for each KPI
to motivate the client and the vendor to deliver on time and with the required
quality. The next part details the penalties and bonuses related to the KPIs. Good
practice defines different penalties for different ranges of the KPI outcome.
It is also possible to add a repetition factor to address the event of continuous
underperformance. When a certain unwanted value for a KPI is reached multiple
periods in a row, for a specified number of months per year, the repetition factor
guides how to proceed. Good practice is also to include bonuses when KPI outcome
is better than required ranges. This section is in line with the COBIT 5 enabling
process APO09.04 Monitor and report service levels.
Key performance indicators can be presented in a table with the following headers:
• ID
• KPI
• Description
• Specification (calculation method)
• Client justification
• Unit
• Target
• Limit
• Bonus
• Computations for penalties or bonus
This section provides an overview of all the other quality expectations. Specific
topics will vary depending on each enterprise’s needs. The following example topics
show the content for this section:
• Complaint management
• Escalation procedure
• Periodic service review report:
– Contents
– Frequency
Personal Copy of: Mr. Cosmin Ionascu
Appendix F. SLA Template 127
– Distribution list
• Service review report meetings:
– Goals
– Frequency
– Attendees
• Change management procedure
• Process of dissolution
• Level of access provided to the vendor
• Guarantees of nondisclosure
• Agreements with potential subcontractors
An SLA requires regular monitoring to allow for corrections to achieve its defined
goals, gauge any variations and register penalties or bonuses. It is important to
detail the content, frequency and distribution list of performance reports. Periodic
meetings with the vendor to review meeting performance reports should be properly
defined. These periodic meetings will contribute to the transparency of both parties
to specify the goals, frequency and attendees of these meetings.
This section is a good place to document the termination conditions of the SLA
(process of dissolution), level of access provided to the vendor at client premises,
guarantees of nondisclosure and agreements with potential subcontractors.
RACI Matrix
The last section details, for each service or activity, the stakeholders (identified
in the overview of the approach) that are accountable, responsible, consulted
or informed.
Appendix
The appendix can provide additional important information for a vendor that
describes services or calculates KPIs. A contact information list of key stakeholders
or responsible parties for the SLA can be helpful for the client and the vendor.
Template
This file is based on the template “Sample Service Level Agreement” file name
egsla.doc from the website http://helpdeskclientsupport.wikispaces.com Lesson 9.
Full link to document is: http://helpdeskclientsupport.wikispaces.com
/file/detail/egsla.doc
Table of Contents
2. <VENDOR> Responsibilities
2.1 Functional Overview
2.2 Hours of Operation
2.3 Response Times
2.4 Priority Level Response Times
2.5 Support Available
3. <CLIENT> Responsibilities
3.1 Functional Overview
3.2 Hours of Operation
3.3 Response Times
3.4 Service Level Targets
4. Supported Products/Applications/Systems
4.1 Hardware Support Services
4.2 Software Support Services
4.3 Training Services
between
<VENDOR>
and
<CLIENT>
1.1 Goal
The goal of this agreement is to provide a basis for cooperation between
<VENDOR> and <CLIENT> for support services. <VENDOR> commits itself
to ensuring timely and efficient support. This agreement will contribute to the
environment of achievement and maintenance of targeted service levels.
1.2 Objectives
• Enhance the business relationship between <CLIENT> and <VENDOR> to
guarantee effective support.
• Document the responsibilities of all parties.
• Guarantee that <VENDOR> delivers the agreed-on quality with adequate support
for <CLIENT>.
• Define in detail the service to be delivered by <CLIENT> and the level of service
that can be expected by <VENDOR> to meet both <CLIENT> and <VENDOR>
expectations.
• Provide a system of monitoring to have objective measurement.
• Provide a mutual understanding of the service level requirements.
1.5 References
The following documents will serve as a basis for the policies and procedures
of <VENDOR> operation. They also will define the support levels required and
prioritization of computer faults by <VENDOR>.
The constant monitoring of service factors is a must, considering that they are
meaningful and measureable. Measured levels must be compared with agreed-on
levels on a regular basis by both parties.
Service level monitoring and reporting is performed on response times for faults, as
specified in Section 3.4 of this agreement.
1.7 Complaints
All complaints relating to the operation of the help service, including:
• Expected level of support
• Actual support offered and delivered
• Personnel responsible for providing or administering support
• Any other issue relating to this document or the relationship between <VENDOR>
and <CLIENT>
2. <VENDOR> Responsibilities
Response Time
Priority Level (Minutes)
1 12
2 25
3 40
4 50
5 90
Notification Path
The purpose of this telephone contact with <CLIENT> is to notify <CLIENT> of
the receipt of the fault/request from <VENDOR> and provide <CLIENT> with
details of the proposed action to be taken in response to the particular fault/request.
Internally External
Support Level Internal Support Conducted Training Priority Support/Training
Advised Full Available High Yes
Supported Full Not available Medium Yes
Acknowledged Limited Not available Low Yes
Not recommended None Not available None Yes
3. <CLIENT> Responsibilities
4. Supported Products/Applications/Systems
Generic
Table of Contents
1. Introduction
1.1 Goals and Objectives
1.2 Service Catalog
1.3 Roles and Responsibilities
2. Services in Scope
2.1 E-procurement Modules and Platforms
2.1.1 Description
2.1.2 Responsibilities
2.2 IT Operations Activities
2.2.1 Description
2.2.2 Responsibilities
2.3 Standard Changes
2.4 Incident Management
2.4.1 Description
2.4.2 Classification of Incidents
2.4.3 Responsibilities
2.5 Release Management
2.5.1 Description
2.5.2 Responsibilities
2.6 Change Management
2.6.1 Description
2.6.2 Responsibilities
3. Service Level Management
3.1 KPIs
3.1.1 Modules and Platforms
3.1.2 Incident Management
3.1.3 Change Management
3.1.4 Release Management
3.2 Reports
3.3 Governance Structure
3.3.1 Escalation Procedure
3.3.2 Service Level Reviews
4. Glossary
1. Introduction
Role Responsibility
Service manager • Accountable for the services and service levels delivered
• Coordinates meetings with <CLIENT> to provide status reports
• Provides service metrics to <CLIENT>
• Coordinates service requests
• Escalates issues to necessary parties for resolution
Incident manager • Manages incidents and solutions
• Reports incidents to <CLIENT> within agreed-on times
Change manager • Manages all change requests from <CLIENT>
• Manages all internal change requests
• Keeps <CLIENT> informed about all changes that are approved, and
provides release plans
• Collaborates with release manager to move changes to production
• Helps document changes to services and supporting technology
Role Responsibility
Release manager • Collaborates with change manager to process change requests and move
changes to production
• Makes sure that training and support material is created and delivered
before a major release
• Keeps <CLIENT> informed about the status of the release and confirms the
release date before the implementation
• Helps document changes to services and supporting technology
IT manager • Takes care of all IT operations activities and is responsible for the
availability of the service
2. Services in Scope
In this section, the services covered by this SLA are detailed. It contains a description of
each service and the responsibilities on both supplier and customer sides.
The supporting services that are detailed in the remainder of this document apply to
all items listed previously.
2.1.2 Responsibilities
<VENDOR> IT manager ensures 98 percent availability of the modules and the
platforms, maintenance time excluded.
Within the scope, three kinds of technical maintenance, which affect the availability
of the system, are distinguished as shown in the following table.
If for any reason the proposed time slot is in conflict with other maintenance job
schedules, <CLIENT> should contact the service manager.
2.2.2 Responsibilities
<VENDOR> IT manager takes care of all IT operations activities. All
communication about maintenance and infrastructure are handled between
<CLIENT> and service manager. Service manager will make sure that <CLIENT>
is informed about maintenance within the previously determined notice period, and
any conflicts for <CLIENT> will be handled by service manager.
Closure of a ticket is only possible with a final fix. In the event that a final fix is
not feasible, a workaround shall be proposed and a problem ticket will be created to
allow further investigation. Cross-referencing of problem and incident shall allow
proper follow-up.
he priority of the incident will determine the resolution time or mean time to
T
repair (MTTR):
• Low: MTTR 120 hrs
• Medium: MTTR 24 hrs
• High: MTTR 4 hrs
2.4.3 Responsibilities
<VENDOR> incident manager is responsible for solving the reported incidents
within the agreed-on time frame.
2.5.2 Responsibilities
Service manager guarantees that a new release remains backward compatible with
documents created with older versions. A minimum notice period of four months will be
respected in the event of a release that contains changes that are not backward compatible
with <CLIENT> systems. <CLIENT> has to make sure that the interface changes on its
side and on the supplier side happen within these four months.
<CLIENT> ensures availability of the people involved in UAT. The period of UAT is
planned in advance of the release planning and communicated by release manager.
Release manager shall provide training and support material a minimum of two
weeks before a release goes live.
Release manager also keeps <CLIENT> informed about the status of the release
and confirms the release date two weeks before implementation.
2.6.1 Description
A change is the addition, modification or removal of anything that could have an
effect on IT services. Change management is a process comprised of identification,
prioritization, initiation, evaluation and controlling changes to the application. The
change advisory board (CAB) will analyze and discuss the collected changes.
The change requests (CRs) coming from <CLIENT> are discussed first in the
business CAB, consisting of <VENDOR> service manager and representatives
of <CLIENT>. In this CAB, the CRs are approved for further analysis by the
technical CAB. The outcome of the business CAB is a prioritized short list of CRs.
The business CAB convenes on ad hoc basis when service manager has collected
enough CRs to organize the meeting. However, <CLIENT> is entitled to request a
business CAB twice per quarter.
The technical CAB convenes every week regarding the CRs approved by the business
CAB and the CRs coming from <VENDOR>. The purpose of this CAB is to approve
or reject CRs on technical grounds, and to assign approved CRs for release.
Personal Copy of: Mr. Cosmin Ionascu
Appendix I. Example Generic SLA 143
2.6.2 Responsibilities
<VENDOR> service manager tracks all CRs received from <CLIENT> on a
tracking page. Once the tracking page has been updated with a new CR, service
manager informs the requestor via email. This happens within two working days
after the request has been made.
The business CAB is organized by the service manager. The service manager also
is the main person responsible for logging approved CRs, resulting in adding those
CRs to the agenda of the technical CAB. In the event of rejection of a CR from the
technical CAB, the service manager will provide feedback to <CLIENT>.
<VENDOR> change manager keeps <CLIENT> informed within one week after
the technical CAB about all changes that are approved and the release to which they
are assigned.
This section describes how the agreed-on service levels will be managed. It defines
the KPIs for the services:
• What will be measured
• How these measurements will be performed
• The agreed-on service level targets
3.1 KPIs
3.1.1 Modules and Platforms
Calculation:
∑ [(Actual Uptime + Excusable Downtime)/Scheduled Hours]
= (100)
∑ All metrics
Incident Prevention
Objective System stability is important to maintain availability. The following calculation
measures the number of incidents addressed within a given time.
Calculation = ∑ High incidents
method = ∑ Medium incidents
= ∑ Low incidents
Frequency Every two weeks
Source of Monitor reporting
information
Target High incidents: <1
Medium incidents: <5
Low incidents: <20
Release Communication
Objective The business shall always be adequately and timely informed about the planning
and implementation of changes. This KPI measures how well the business is being
informed.
Calculation ∑ Release date confirmations at least three weeks before release
= (100)
method ∑ Releases
Frequency Every three months
Source of Formal communications to the <CLIENT> to notify that a release will be implemented
information
Target 100 percent
3.2 Reports
Problem record
marked closed.
If no resolution has been found at level one, the following procedure applies.
Problem owner
Problem record
verifies customer
marked closed.
satisfaction.
If no resolution has been found at level two, the following procedure applies.
Yes
Problem record
marked closed.
4. Glossary
Term Description
Change The addition, modification or removal of anything that could have an
effect on IT services
Change request (CR) A request to change something on the application (e.g., new features)
Incident An unplanned interruption of the IT service or a reduction in the
quality of an IT service
Key performance A quantifiable measure to compare the actual performance against
indicator (KPI) the agreed-on levels
Mean time to repair The average time to fix an incident or problem
(MTTR)
Problem The underlying cause of incidents
Release A set of changes that will be implemented simultaneously
Service level The formal definition of the services offered
agreement (SLA)
User acceptance Test conducted by end users of the system to determine whether the
training (UAT) requirements are met.
Working hours From Monday to Friday, between 09:00 and 17:00, except on
official holidays
Table of Contents
1.1 Purpose
The purpose of this service level agreement (SLA) is to formalize an arrangement
between <CLIENT> and <VENDOR> to deliver equipment and support services, at
specific levels of support, and at an agreed-on cost.
This SLA will evolve over time, with additional knowledge of the client requirements
as well as the introduction of new devices and services into the support portfolio
provided by <VENDOR>.
1.2 Scope
The following states the equipment and services provisioned by <VENDOR>
to <CLIENT>.
The minimum acceptable level of uptime for any device shall be 98 percent as
determined by the following formula: Uptime = [(Total Time – Lost Time)/Total
Time] (100).1, 2
Uptime
Level Response
During any 20-day work period:
98-90% Charge to <CLIENT> shall be reduced or credited by 20% on that device.
89-80% Charge to <CLIENT> shall be reduced or credited by 30% on that device.
<79% No monthly payment shall be charged to <CLIENT> on that device.
During 3 consecutive 20-work day periods:
<98% <VENDOR> will replace the device with an equivalent device for the remaining term of
the contract at no additional cost to <CLIENT>.
Exception Response
Technician cannot repair <VENDOR> shall provide or loan a multifunctional printer equal to the
a machine fault within existing model. <VENDOR> shall ensure that the loaned device connects
one business day to the network and prints with existing drivers and controllers. This loaned
device shall be provided at no additional cost to <CLIENT>, including no
additional meter costs and no additional delivery costs, until the existing
device is fully operational and functioning in the intended manner.
More than four service A service manager shall evaluate the performance of the device and fully
calls for the same fault correct all problems with the device. If that device then requires a further
in any quarter period service call for the same fault within the next 90 days, <VENDOR>
will remove the device and loan the department a similar or equivalent
model until the problem device is repaired and tested at <VENDOR>
service facility.
1
Total Time = Available time for 09:00 to 17:00 hrs for 10 days (8 hrs × 10 days = 180)
2
Lost Time = Lost time in hours. The total elapsed time, within an eight-hour day, between 09:00 and
17:00, Monday through Friday (excluding public holidays), that the equipment is unable to produce
copies or other primary functions in accordance with the specification for reasons attributable to
equipment failure or withdrawal of equipment for remedial maintenance repair or testing. Lost Time
shall commence upon notification by the <CLIENT> to < VENDOR>-specified service dispatch of a
fault condition which prevents full utilization of the equipment and shall end when the equipment is
powered up and ready to execute <CLIENT> work, and the fault call has been logged as complete by
the service technician.
Personal Copy of: Mr. Cosmin Ionascu
152 Vendor Management: Using COBIT® 5
1.2.4 Metrics
• Metrics reporting—Regular reporting will be provided monthly by <VENDOR>
to <CLIENT> on available metrics as related to target performance. These reports
are expected to be produced by <VENDOR> problem-ticket system, which will
detail ticket management performance against SLA targets in <VENDOR> case
management process. Two categories of metrics are of the utmost importance:
(1) the availability of the device, and (2) the availability of the system.
Calculation:
∑ [(Actual Uptime + Excusable Downtime)/Scheduled Hours]
= (100)
∑ All metrics
Calculation:
∑ [(Actual Uptime + Excusable Downtime)/Scheduled Hours]
= (100)
∑ All metrics
Appendix 1. Definitions
Levels of support—Two levels of support are included in this SLA. These levels
are integrated with <VENDOR> support processes and are defined as standard
coverage and extra coverage.
These support levels represent generalist support. If the Help Desk is unable to
solve the issue, the ticket is escalated to <VENDOR> Level 2 support.
The Help Desk will take care of support requests as shown in the following table.
Telephone
Help Desk Hours Contact
Standard coverage 09:00 to 17:00, Monday through Friday TBD
Extra coverage 17:00 to 09:00, seven days a week TBD
During critical processing periods, support is extended to extra support. This must
be requested by <CLIENT> contacting <VENDOR>. <CLIENT> shall notify
<VENDOR> 24 hours in advance by phone or email.
Role Responsibilities
<VENDOR> • <VENDOR> will conduct business in a courteous and professional manner
with <CLIENT>.
• <VENDOR> will use its own appropriate Help Desk to provide Level 1 support,
including creating problem tickets and work orders and assigning responsibility to the
appropriate Level 2 resource.
• <VENDOR> will use its own appropriate internal group to provide Level 2 server,
network and infrastructure support services.
• <VENDOR> will obtain <CLIENT> approval before ticket closure.
• Once a support request has been submitted, <CLIENT> will make itself available to
work with <VENDOR> support resource assigned to the support request.
• <VENDOR> will attempt to resolve problems over the telephone on first call.
• <VENDOR> will log all information from <CLIENT> required to establish contact
information, document the nature of the problem and <CLIENT>
hardware/network environment (as applicable).
<CLIENT> • <CLIENT> will conduct business in a courteous and professional manner with
<VENDOR>.
• <CLIENT> will provide all information required to open a support request.
• <CLIENT> end users will not contact <VENDOR> support resources directly to report
a problem. All problem calls must be logged through the appropriate Help Desk.
Program • Liaise between <CLIENT> and <VENDOR> team and project managers.
manager • Liaise with <CLIENT> user departments.
<CLIENT> • Ensure that all required documentation, information and knowledge items have been
prepared according to the transition checklist and turned over prior to the start of
support for a new application.
• Identify resource requirements.
• Identify all access requirements.
• Meet with <VENDOR> team to set up timeline and develop
transition/deployment plans.
• Ensure that SLA targets are met (coordinating all activities to ensure that all tasks are
performed in a consistent manner and on schedule).
• Ensure that all work is performed according to the agreed-on work methods and
standards that are in effect within <CLIENT> and <VENDOR>.
• Act as point of escalation for issues beyond usual scope.
Infrastructure • Liaise with other organization groups.
support • A ssess the workload for each support request and assign work to the team member
manager having the appropriate technical knowledge.
<VENDOR> • Assist in conducting all root-cause analysis and bug-fix isolation and resolution
activities, and associated documentation for the individual tasks, as assigned by
<CLIENT> program manager.
• Act as a point of contact for all issues for <CLIENT> infrastructure.
• Determine (for enhancements) the potential high-level effort for all changes.
• Identify all tasks associated with each support request and derive estimates for the
completion of each task for organization staff and resources.
• Conduct and participate in testing as needed.
• Provide knowledge transfer to key organization support specialists on a regular basis.
Table of Contents
1. Introduction
2. Metrics and Validation of Service Levels
3. Reporting
4. Service Level Review
5. Service Levels for New Service or Additional Services
6. Method of Measurement
6.1 Classification of Values
6.2 Excusable Downtime
7. Attachment 1: Service Level Measurements
1. Introduction
After the transition period end date, the measurement period follows. The
measurement period takes three calendar months, during which time
<VENDOR> will:
• Use standard measurement tools to monitor and report the performance levels
for the services. If during the measurement period the parties detect a particular
service level that cannot reach the target specified in this schedule, <VENDOR>
and <CLIENT> will agree to review the required conditions and time frames for
achieving this particular SLM expected value1.
• Submit to <CLIENT> a standard report by country or set of standard reports
assessing <VENDOR> performance during the previous calendar month against
the levels of service specified in the tables set forth in Attachment 1 to
this schedule.
• Define and communicate the method of measurement for the service levels.
1
he SLM expected value is the value that <CLIENT> and <VENDOR> agree should be achieved by
T
<VENDOR> during the execution of the service.
3. Reporting
By the tenth day after the first full calendar month following the establishment of
the service levels pursuant to section 2 (measurement and validation of service
levels) and monthly thereafter, <VENDOR>will submit to <CLIENT> a standard
report or set of standard reports assessing <VENDOR> performance during the
previous calendar month against the service levels.
<VENDOR> also will be responsible for promptly investigating failures to meet the
service levels by:
• Initiating problem investigations to identify root causes of failures related to not
achieving the service levels
• Promptly reporting problems related to the services, as identified, to <CLIENT>
that reasonably could be expected to have a material adverse effect on
<CLIENT> operations
• Making written recommendations to <CLIENT> for improvement in procedures
related to the services
<VENDOR> will identify root causes, correct problems and make reasonable
technical efforts to minimize recurrences of missed service levels for which the
<VENDOR> or its suppliers are the only responsible parties. <CLIENT> agrees
to correct problems and attempt to minimize the recurrence of problems for
which <CLIENT> or its suppliers are the only responsible parties and that prevent
<VENDOR> from meeting the service levels.
<CLIENT> and <VENDOR> will review the service levels at least once per year
and mutually agree whether to:
• Add to, delete or change the services to be measured, the corresponding service
levels and their measurement methodology to reflect changes in <CLIENT>
business operations.
• Improve the existing service levels, where warranted, to reflect operational or
technical improvements.
During these 90 days, <VENDOR> and <CLIENT> will conduct the process set
forth in section 2 of this schedule (measurement and validation of service levels) to
validate the initial service levels and agree on the actual service levels, if applicable,
for such new services or additional services.
6. Method of Measurement
The service level agreement (SLA) will be composed of a series of SLMs. The
parties agree that the result of the SLMs will constitute the only way to measure the
quality of the services being given by <VENDOR> to <CLIENT>.
<CLIENT> and <VENDOR> agree that although this agreement refers to numerous
specific services which <VENDOR> is required to provide, only the SLA and SLM,
defined as follows, will be used to reflect the overall and complete quality evaluation of
<VENDOR> execution and performance of its responsibilities.
Term Definition
SLM alarm trigger A value that, if achieved by an SLM, indicates a reduction in the quality of the
(SLMAT) services that <VENDOR> is providing to <CLIENT>
SLM expected value The value that <CLIENT> and <VENDOR> agree should be achieved by
(SLMEV) <VENDOR> during the execution of the service
SLM measurement The period of time that will be used to collect and aggregate the data and
period report the SLM
SLM method of The mathematic or algorithmic transformation to be performed on the data
calculation collected to produce the SLM
SLM method of The method or mechanism that will be used to collect the data to be used to
measurement calculate the SLM
SLM metric A literal name for the SLM
SLM number An identifier that will be used to uniquely identify each SLM
SLM objective A description of the objective of the measurement
SLM tolerance range The percentage of the SLM expected value indicating the variation or error that
(SLMTR) a particular SLM measurement can have with respect to the SLM expected
value, without affecting the quality of the services that <VENDOR> is providing
to <CLIENT>.
SLM unit of measure The unit of the SLM expected value and SLM alarm trigger. If the expected
value is dimensionless, for example a percentage, it will be indicated as not
available (N/A).
SLM value (SLMV) The value that results from collecting data using the SLM method of
measurement during the SLM measurement period, and applying the SLM
method of calculation. SLMV will be calculated monthly.
<VENDOR> will take the measurements or perform the data collection activities
that are required to calculate the SLM, based on tools such as the call management
database of the Help Desk and the availability of the services to end users. Further,
<VENDOR> will produce the SLM value as defined by the SLM measurement
period, and using the SLM method of calculation defined for each SLM. This
calculation is the one that will be reported to <CLIENT>.
For SLMs where a value toward positive infinity represents a better service:
BLUE GREEN
SLA exceeded SLA accomplished
SLMV ≥ (SLMEV + SLMTR) (SLMEV − SLMTR) ≥ SLMV <
The SLM value is greater than or equal to (SLMEV + SLMTR)
the SLM expected value plus the SLM The SLM value is greater than or equal to
tolerance range. the SLM expected value minus the SLM
tolerance range, and less than the SLM
expected value plus the SLM tolerance range.
YELLOW RED
SLA almost accomplished SLA not accomplished
(SLMEV − SLMAT) ≥ SLMV < SLMV < (SLMEV − SLMAT)
(SLMEV − SLMTR) The SLM value is less than the SLM
The SLM value is greater than or equal to expected value minus the SLM
the SLM expected value minus the SLM alarm trigger.
alarm trigger, and less than the SLM
expected value minus the tolerance.
For SLMs where a value toward zero or negative infinity represents a better service:
BLUE GREEN
SLA exceeded SLA accomplished
SLMV ≤ (SLMEV + SLMTR) (SLMEV − SLMTR) ≤ SLMV <
The SLM value is less than or equal to the (SLMEV + SLMTR)
SLM expected value plus the SLM The SLM value is greater than or equal to
tolerance range. the SLM expected value minus the SLM
tolerance range, and less than the SLM
expected value plus the SLM tolerance range.
YELLOW RED
SLA almost accomplished SLA not accomplished
(SLMEV + SLMTR) < SLMV ≤ SLMV > (SLMEV + SLMAT)
(SLMEV − SLMV) The SLM value is greater than the SLM
The SLM value is greater than the SLM expected value plus the SLM alarm trigger.
expected value plus the SLM tolerance range,
and less than or equal to the SLM expected
value minus the SLM value.
During the week following the monthly review meeting, <VENDOR> will present a
detailed action plan for any SLM whose value has fallen within the YELLOW or RED
area to restore the SLM to the GREEN or BLUE area.
Personal Copy of: Mr. Cosmin Ionascu
162 Vendor Management: Using COBIT® 5
During the transition period, the <VENDOR>, with the assistance of the
<CLIENT>, will make reasonable technical efforts to minimize impact to current
service levels, even if no measurement methodology has been established yet.
Central notes recovery time SLA calculations: Recovery time = max (uptime – downtime)
*For those ITO requests not completed in time, <VENDOR> will provide to <CLIENT> an action plan to complete them in a
timely manner. This procedure will be defined in the procedure manual.
†This SLMEV will be measured from the trouble ticket registration at <VENDOR> Help Desk at <VENDOR> data center.
Communication Services
SLMEV SLMTR SLMAT
Category* (%) (%) (%)
LAN availability—campus sites 97.0 0.2 0.5
LAN availability—non-campus sites; business hrs 97.0 0.2 0.5
LAN availability—non-campus sites; non-business hrs 97.0 0.2 0.5
*Subject to IT infrastructure as set forth in Master Agreement
Communication Requests
SLMTR SLMAT
Category SLMEV (%) (%)
Access list configuration • Normal: 95% within 1.0 3.0
(IP restrictions) 24 business hrs
• Critical (problem resolution):
97.5% within 6 business hrs
User administration • Normal: 95% within 1.0 2.0
(creation/deletion)—remote access 32 business hrs
• Urgent (business reasons; less
than 8% of total requests): 96%
within 6 business hrs
• Critical (security issues; less
than 2% of total requests): 97.5%
within 6 business hrs
Proxy: URL filtering • Normal: 95% within 2.5 3.0
24 business hrs
• Critical (business reasons; less
than 8% of total requests): 97.5%
within 6 business hrs
Proxy user insertion or deletion • Normal: 95% within 0.5 3.0
32 business hrs
• Urgent (business reasons; less
than 10% of total requests): 9 6%
within 6 business hrs
• Critical (security issues; less
than 2% of total requests): 97.5%
within 6 business hrs
Proxy: access report • Normal: 95% within 1.5 3
48 business hrs
• Critical (less than 2% of total
requests): 97.5% within
6 business hrs
Acronyms
Abbreviation Full Term
BaFO Best and final offer
BCM Business continuity management
CAPEX Capital expenditures—used to acquire or upgrade physical assets such as
buildings, infrastructure and equipment
CFI Call for interest
CFO Chief financial officer
CIO Chief information officer
CISO Chief information security officer
CSP Cloud service provider
DDoS Distributed denial of service
DRP Disaster recovery plan
IaaS Infrastructure as a Service
IAM Identity and access management
IDS/IPS Intrusion detection system/intrusion prevention system
ISM Information security manager
ISO International Organization for Standardization
KPI Key performance indicator
MAC Material adverse change
OLA Operating level agreement
OPEX Operating expenditures—ongoing cost for running a product, business or
organization
OS Operating system
PaaS Platform as a Service
Q&A Questions and answers
QoS Quality of service
RACI Responsible, accountable, consulted, informed
RFI Request of information
RFP Request for proposal
RFQ Request for quote
RPO Recovery point objective
RTO Recovery time objective
SaaS Software as a Service
SDLC Systems development life cycle
Glossary
AICPA SOC 2—A report on controls at a service organization, relevant to security,
availability, processing integrity, confidentiality or privacy
Availability—Ensuring timely and reliable access to, and use of, information
Call for tender—Procedure for generating competing offers from different vendors
Hold harmless—Clause where the third party assumes the risk and offers legal
protection from any action arising out of the signed contract
Key performance indicator (KPI)—A measure that determines how well the
process is performing in enabling the goal to be reached
Scope note: A lead indicator of whether a goal will likely be reached and a good
indicator of capabilities, practices and skills. It measures an activity goal, which is
an action that the process owner must take to achieve effective process performance.
Request for quote (RFQ)—A document distributed to vendors to request price and
delivery quotations that meet a minimum set of specifications. Generally used when
sourcing commodities
Residual risk—The remaining risk after management has implemented a risk response
Risk—The combination of the probability of an event and its consequence (ISO/IEC 73)
Root cause analysis—A process of diagnosis to establish the origin of an event, which
can be used for learning from consequences—typically from errors and problems
Source code escrow—A legal arrangement whereby an asset (often money, but
sometimes other property such as art, a deed of title, web site, software source code
or a cryptographic key), is delivered to a third party (called an escrow agent) to be
held in trust or otherwise, pending a contingency or the fulfillment of a condition or
conditions in a contract