Software as a Service: Guiding Principles


As the Office of Information Technology (OIT) works in partnership with colleges and business units across the University, its common goals are to: substantially increase IT effectiveness and quality; reduce costs; boost innovation. Software as a Service (SaaS) is a real and attractive option for achieving those goals. However, in implementing the SaaS model, there are guidelines to which the University must adhere in its adoption and use.

Many applications can be implemented through a SaaS model, and the industry clearly is embracing this approach. The risk to the University varies with the type of application deployed, the information used in the application, and where the information is stored. The University can use a combination of contracts, monitoring, and internal processes and procedures to manage risk. The costs of managing risk should not be ignored, and should be part of any SaaS cost projection.

SaaS Governance Models

Vendor accountability
The University should consider only vendors who take ultimate responsibility for customer satisfaction. Timely vendor communication of key strategy changes such as product roadmap decisions, organizational shifts, support levels, licensing, and pricing is essential. In addition, escalation processes should be defined and service level agreements should be mutually acceptable.

Timely and valuable interactions
Vendors should guarantee response times in writing for issues such as service requests and bug fixes. Penalties for significant issues outside the agreed-upon Service Level Agreements (SLAs) should be in line with the business impact of a disruption to the University. Vendors should be able to provide a complete picture of University-vendor interaction history.

Total ownership of and access to data
In any SaaS agreement, the University must obtain contractual agreement that the University owns all its data and will have access to this data at all times throughout the relationship. Tools to access data should be provided to the University.

6/20/2011 Page 1 of 8

Ongoing vendor transparency
For critical applications, the University should have confidence in the vendor's long-term viability. Transparency of vendor viability allows the University to develop risk management scenarios based on the vendor's actual financial and operational health, permitting time to migrate to a new service provider.

Selection

This section provides the scope of evaluation options the University should expect from software vendors during the process of making a decision on a product and vendor.

Try before buying
The University should be given access to the system and provided an environment in which to demonstrate the system. Vendors may charge for the proof of concept as appropriate.

Access licensing and pricing terms and conditions
Vendors that have existing relationships with the University or are state-approved are preferred. Pricing metrics, discounting criteria, and terms and conditions should be provided. Terms around user and usage metrics should be made clear. Standard contracts and renewal provisions should be made available for review.

Provide a TCO analysis of SaaS during the sales cycle
Vendors should be able to demonstrate the total cost of ownership (TCO) over a defined period of time. Vendors should project best and worst case scenarios regarding growth in user base and increase in consumption of technical resources, such as storage. Key metrics should show comparisons of deployment options over multiple time frames. If possible, projections should include disengagement from the vendor at the end of the contract.

Understand system configuration and architecture
The University should receive details about the application's architecture. Key areas to detail include hardware, operating system, and configuration and customization processes. Other areas for disclosure should include batch processing, job queuing, and system monitoring. It is also critical for the University to receive detailed plans regarding the segregation of University data from other clients' data in the hosted location(s).

Receive disclosure about solution defects
The University should expect full disclosure of known defects that relate to performance, availability, and integration. The vendor should also provide a list of known bugs, integration risks, performance issues, and functional deficiencies. In addition, disclosure should include incomplete business process flows where the University's required use case scenarios cannot be completed.

Stipulate data management requirements
The University should expect full disclosure about how its data will be managed. Disclosure should include physical location, security mechanisms, access rights, disaster issues, and regulatory compliance. Critical factors such as host information and availability should also be provided.

Perform due diligence on vendors
The University should be able to examine a SaaS vendor's financial viability, security risks and legal liability. Key areas should include financial performance, legal risks, management team background, customer lists, and Statement on Auditing Standards No. 70 (SAS 70) compliance. (For a description of SAS 70, see the Regulatory Compliance section below.) The University should have the right to periodic reviews of SAS 70 certification results and have third-party auditors perform regular audits of the vendor data center.

The vendor should provide customer references to the University. The University should engage in conversations with those customers about the solution and implementation plans they arrived at with the vendor. The University should also reach out to user-group leaders for honest and candid discussions. Reputation alone does not provide sufficient assurance that the vendor will perform as required and properly protect sensitive information. The depth of investigation must be appropriate to the level of risk the enterprise needs to manage and the security requirements that fall outside of the enterprise's security objectives.

Regulatory Compliance

To ensure the vendor is in compliance with both their stated security controls and in alignment with the University's guidelines, the University must usually rely on third-party assessments of the vendor's security posture. The most common type of third-party assessment is the Statement on Auditing Standards No. 70: Service Organizations (SAS 70). The SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The SAS 70 provides guidance that enables an auditor to issue an opinion on the organization's controls, but does not specify the controls. Rather, the vendor must specify the controls and the control objectives. The auditor will determine if the specified controls are actually in place. The preferred type of SAS 70 audit is a Type II report that includes the scope of the control, control objectives, and the results of the auditor's tests of the controls. It should be noted that only certified public accounting firms can perform a SAS 70.

The University should also verify that the SAS 70 is a Type II assessment and that the vendor's controls meet the University's requirements for risk management. If the latter is true, then the assessment will have some value. If the controls described in the assessment are insufficient, the SAS 70 has limited or no value to the University.

Testing

This section presents the scope of options and services the University should expect from software vendors as systems are configured and tested prior to deployment.

Testing Documentation
The University should fully document and execute test plans prior to deployment. If working with an authorized implementation partner, the scope and timeline of this phase must be contractually agreed upon. This phase should include deliverables such as testing strategy, test plans and documentation of results. The scope of the testing should cover not only the delivered functionality in the software but also external interfaces, data conversion into the new system, system performance testing and penetration testing.

Deployment

This section presents the scope of options and services the University should expect from software vendors as they implement and consume the technology.

Support multiple implementation options
The University should have the option of self-deploying, choosing a third-party partner, or working with the vendor. The University should have the option to self-implement with consideration for the speed of implementation.

Receiving a clear statement of work
Vendors should deliver large projects in accordance with project management best practices. Projects should follow clearly defined templates for rapid implementation. Deliverables, milestones, and escalation processes should be documented prior to project kick-off.

Accessing training programs
A vendor should provide access to training programs to ensure the University or their partner is able to complete a deployment. More importantly, the University should expect adequate knowledge transfer activities from the vendor to ensure self-sufficiency.

Impact to University Application Support
With the introduction of SaaS into the University's landscape, long-standing processes may have to be modified. For example, incidents may originate within the SaaS vendor, and the response procedures will have to be modified to identify new methods for determining that an incident has occurred. The enterprise will need to create lines of communication between the vendor and the University response team. This analysis should also include identification of redundant legacy functionality, with documentation, decommissioning of redundant systems and sign-off from support managers and key business stakeholders.

Adoption

This section covers the scope of services the University should expect from vendors as the SaaS solution is utilized across the organization.

Freedom of speech
The University should not be limited in discussing the SaaS solution with fellow customers, peers or media. The University should be able to freely discuss issues with the software including, but not limited to, security issues, bugs, and pricing. The University should not be limited by non-disparagement clauses. Both sides should be open in their communication.

License equivalency
If shifting from on-premise software to SaaS or other on-demand models, the University should be given the right to convert user and usage models across different deployment options.

Integration and API support
Vendors should deliver key access to public Application Programming Interfaces (API), web services, and other integration tools to support hybrid deployment. These integration points should be out-of-the-box, vendor-supported, and provide connectivity with the University's enterprise Identity Management, Enterprise Resource Planning (PeopleSoft ERP), Business Intelligence, Constituent Resource Management, and other enterprise applications.

Data quality support
While a vendor cannot guarantee the quality of data being put into the system, tools should be provided to the University to address both a conversion and a normal processing perspective. These tools should ensure short-term and long-term efficient processing and should include robust reporting capabilities.

Optimization

This section covers the scope of services the University should request of vendors as changes occur in the expansion, maintenance, or contraction in usage of the solution.

Affiliate assignment
The University should be able to provide access and usage of the software to a majority of its affiliates. The University and vendors should determine how to treat assignment with related organizations such as the Foundation.

Merger and acquisition scenarios
The University should be given the option to combine contracts to achieve higher discount levels or tiers during mergers and acquisitions. In cases where the software will no longer be in use, limited access licenses should be provided to access pre-merger files, compliance requirements, or historical trending data.

Multiple support options
The University should request support options that provide tiered pricing and service levels that correspond to actual usage.

Install base transparency
Vendors should inform the University when multiple installations have been deployed by the University. The University should be able to access information about usage by users to determine if multiple contracts have been signed with a single vendor.

Ongoing performance metrics
The University should expect a trust site to monitor service level agreements. Vendors should provide a regular, periodic report on key availability and continuity metrics.

Renewal

This section covers the scope of services the University should expect from software vendors as shifts in usage requirements and changes to how SaaS solutions are adopted occur at the University.

Provide input into future capabilities
Vendors should provide an input mechanism for prioritization of requirements. Acceptance criteria for decisions regarding the application roadmap should be open to the University. The University should understand vendors might set aside a portion of future investment for upgrades. Vendors should provide confirmation and status on feature requests.

Give ample notice before deployment
While most SaaS solutions implement upgrades without notifying the end users, where applicable, vendors should proactively communicate regarding modifications to the software. For significant changes, vendors should give the University adequate time to prepare for an upgrade. This includes preparing the appropriate training materials, performing appropriate testing, and working with end users regarding functional risks and impacts.

Transition to alternative deployment options
Vendors with multiple deployment options for similar code lines should provide mechanisms for the University to transition among the different options. At no time should the University be locked into one deployment option. The University should be able to access all its data at any given time. Vendors should provide access to public and private APIs to support transitions.

Determine termination criteria
Both the University and vendor should communicate clear termination criteria. Termination criteria should include transition language and migration assistance conditions for the University. Regardless of the contract, the University should always own its data and have the capability to migrate it.

Receive migration assistance
When leaving a SaaS provider, the University should be provided with the necessary transition tools to ensure business continuity. Tools could include temporary hosting privileges, data migration, and historical archive capabilities. Key items would include business rules that govern the data structures within which the data is stored, data models, and logical models. Cost for these transition tools and services should be determined during the selection process.

Purchase the source code
In some cases, such as vendor insolvency, the University may leave a SaaS vendor and require more than just the flat file extract of their data. Under these conditions, the University may find it necessary to purchase the source code. Such scenarios should be discussed during conversations with the vendor.

Summary of Contractual Terms

The following list provides topics that a purchaser of SaaS should bring to the attention of the Office of Information Technology and the Office of General Counsel.

Information ownership: It should be clear that any University information stored by the vendor still belongs to the University.

Unauthorized disclosure: The vendor must take reasonable care to avoid unauthorized disclosure and modification of University information.

Right to audit: The University must assert its right to perform audits of the vendor and to have periodic third-party assessment reports provided by the vendor.

Source code in escrow: If the long-term viability of the vendor is in doubt, the University may wish to escrow the application source code so that the University can maintain the service if the vendor goes out of business.

Export capabilities: If the University decides to leave a vendor, capabilities to export or transfer the University's data to another vendor should be clearly defined.

Investigations: If there is an incident or security breach, the University retains the right to conduct an investigation at the vendor's facilities or, at minimum, to be kept abreast of developments in the vendor's investigation at the executive level.

E-discovery: The University's legal team should consider the ramifications of a subpoena for another customer's information given to the vendor and how this might bypass the University's legal team.

Intellectual property (IP) indemnification: Vendors faced with lawsuits must provide the University with indemnification from IP legal claims. Remedies may include refund of the subscription costs, provision of a replacement solution at zero cost, or a vendor-developed solution.


More information

The Power of BMC Remedy, the Simplicity of SaaS WHITE PAPER

The Power of BMC Remedy, the Simplicity of SaaS WHITE PAPER The Power of BMC Remedy, the Simplicity of SaaS WHITE PAPER TABLE OF CONTENTS EXECUTIVE SUMMARY............................................... 1 BUSINESS CHALLENGE: MANAGING CHANGE.................................

More information

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are

More information

Cloud Service Rollout. Chapter 9

Cloud Service Rollout. Chapter 9 Cloud Service Rollout Chapter 9 Cloud Service Topics Cloud service rollout plans vary depending on the type of cloud service SaaS, PaaS, or IaaS and the vendor. Unit Topics Identifying vendor roles and

More information

Reference Table of Special Terms & Conditions for IT Contracts

Reference Table of Special Terms & Conditions for IT Contracts Reference Table of Special Terms & Conditions for IT Contracts Definitions Term & Termination Software License Transition of Services Contract Kick- Off Meeting Contract Closeout License Grant License

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value IBM Solution scalability with rapid time to value Cloud-based deployment for full performance management functionality Highlights Reduced IT overhead and increased utilization rates with less hardware.

More information

Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations

Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations Topics What is SaaS? How does SaaS differ from managed hosting? Advantages of SaaS

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

TEST MANAGEMENT SOLUTION Buyer s Guide WHITEPAPER. Real-Time Test Management

TEST MANAGEMENT SOLUTION Buyer s Guide WHITEPAPER. Real-Time Test Management TEST MANAGEMENT SOLUTION Buyer s Guide WHITEPAPER Real-Time Test Management How to Select the Best Test Management Vendor? The implementation of a Test Management system to automate business processes

More information

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013

Public Cloud Service Agreements: What to Expect & What to Negotiate. April 2013 Public Cloud Service Agreements: What to Expect & What to Negotiate April 2013 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-led guidance to the multiple

More information

Practical and ethical considerations on the use of cloud computing in accounting

Practical and ethical considerations on the use of cloud computing in accounting Practical and ethical considerations on the use of cloud computing in accounting ABSTRACT Katherine Kinkela Iona College Cloud Computing promises cost cutting efficiencies to businesses and specifically

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

Compliance Management Systems

Compliance Management Systems Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: p.jonas@austrian-standards.at

More information

ROUTES TO VALUE. Business Service Management: How fast can you get there?

ROUTES TO VALUE. Business Service Management: How fast can you get there? ROUTES TO VALUE Business Service : How fast can you get there? BMC Software helps you achieve business value quickly Each Route to Value offers a straightforward entry point to BSM; a way to quickly synchronize

More information

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014

More information

Project Risk and Pre/Post Implementation Reviews

Project Risk and Pre/Post Implementation Reviews Project Risk and Pre/Post Implementation Reviews Material Changes to the System of Internal Control VGFOA Conference (Virginia Beach, VA) May 20, 2015 Agenda/Objectives Understand why system implementations

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

BUYING AN ERP SYSTEM. How to avoid common pitfalls and maximize your ROI SHARE THIS EBOOK

BUYING AN ERP SYSTEM. How to avoid common pitfalls and maximize your ROI SHARE THIS EBOOK BUYING AN ERP SYSTEM How to avoid common pitfalls and maximize your ROI SHARE THIS EBOOK THE GROWING POPULARITY OF ERP SYSTEMS Market competition has transformed the modern business environment. Companies

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2013 through September 30, 2014 Independent SOC 3 Report for the Security and Availability Trust

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

Contracting Guidelines with EHR Vendors

Contracting Guidelines with EHR Vendors Contracting Guidelines with EHR Vendors In general, if a contract is presented to your group from a software company, it will be written from the perspective of the software company. You can request language

More information

OUTSOURCING DUE DILIGENCE FORM

OUTSOURCING DUE DILIGENCE FORM OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology:

More information

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011 APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT January 7, 2011 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Sage ERP I White Paper

Sage ERP I White Paper Sage ERP I White Paper On-Demand or On-Premise: Understanding the Deployment Options for your Business Management System Introduction Does this situation sound familiar? You started out with an off-the-shelf

More information

Integrating Project Management and Service Management

Integrating Project Management and Service Management Integrating Project and Integrating Project and By Reg Lo with contributions from Michael Robinson. 1 Introduction Project has become a well recognized management discipline within IT. is also becoming

More information

Commercial Software Licensing

Commercial Software Licensing Commercial Software Licensing CHAPTER 6: Prepared by DoD ESI January 2013 Chapter Overview Government contracts must comply with FAR and DFARS. They include terms and conditions (Ts & Cs) from GSA, BPAs,

More information

We are live on KFS Now What? Sameer Arora Director Strategic Initiatives, Syntel

We are live on KFS Now What? Sameer Arora Director Strategic Initiatives, Syntel We are live on KFS Now What? Sameer Arora Director Strategic Initiatives, Syntel Agenda Introduction Application Management Testing Kuali Financial System (KFS) using itap Syntel Fast Facts 2 Agenda Introduction

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING CPNI VIEWPOINT 01/2010 CLOUD COMPUTING MARCH 2010 Acknowledgements This viewpoint is based upon a research document compiled on behalf of CPNI by Deloitte. The findings presented here have been subjected

More information

InForm On Demand Single Trial Services Description

InForm On Demand Single Trial Services Description InForm On Demand Single Trial Services Description Version 7.0 Effective Date: 0 25-Sep-2014 This is the Services Description for Oracle InForm On Demand Single Trial ( Schedule ) to Your Study Order for

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

state of south dakota Bureau of Information & Telecommunications Provide a Reliable, Secure & Modern Infrastructure services well-designed innovative

state of south dakota Bureau of Information & Telecommunications Provide a Reliable, Secure & Modern Infrastructure services well-designed innovative Strategic Plan 2015-2017 state of south dakota Bureau of Information & Telecommunications 1GOAL ONE: Provide a Reliable, Secure & Modern Infrastructure services security technology assets well-designed

More information

Strategies for assessing cloud security

Strategies for assessing cloud security IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Hosted, Installed, or Hybrid: Emergency Notification Deployment - Cost Benefit Analysis

Hosted, Installed, or Hybrid: Emergency Notification Deployment - Cost Benefit Analysis Technical Whitepaper Hosted, Installed, or Hybrid: Emergency Notification Deployment - Cost Benefit Analysis Table of Contents Intelligent Notification in the Enterprise...1 Hosted Service vs. Deliverable

More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Cloud Computing: Background, Risks and Audit Recommendations

Cloud Computing: Background, Risks and Audit Recommendations Cloud Computing: Background, Risks and Audit Recommendations October 30, 2014 Table of Contents Cloud Computing: Overview 3 Multiple Models of Cloud Computing 11 Deployment Models 16 Considerations For

More information

Colorado Department of Health Care Policy and Financing

Colorado Department of Health Care Policy and Financing Colorado Department of Health Care Policy and Financing Solicitation #: HCPFRFPCW14BIDM Business Intelligence and Data Management Services (BIDM) Appendix B BIDM Project Phases Tables The guidelines for

More information

Empowering the Enterprise Through Unified Communications & Managed Services Solutions

Empowering the Enterprise Through Unified Communications & Managed Services Solutions Continuant Managed Services Empowering the Enterprise Through Unified Communications & Managed Services Solutions Making the transition from a legacy system to a Unified Communications environment can

More information

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners. Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international

More information

Cloud Vendor Evaluation

Cloud Vendor Evaluation Cloud Vendor Evaluation Checklist Life Sciences in the Cloud Cloud Vendor Evaluation Checklist What to evaluate when choosing a cloud vendor in Life Sciences Cloud computing is radically changing business

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation Market Offering: Package(s): Oracle Authors: Rick Olson, Luke Tay Date: January 13, 2012 Contents Executive summary

More information

SOLUTION BRIEF: CA IT ASSET MANAGER. How can I reduce IT asset costs to address my organization s budget pressures?

SOLUTION BRIEF: CA IT ASSET MANAGER. How can I reduce IT asset costs to address my organization s budget pressures? SOLUTION BRIEF: CA IT ASSET MANAGER How can I reduce IT asset costs to address my organization s budget pressures? CA IT Asset Manager helps you optimize your IT investments and avoid overspending by enabling

More information

Qlik UKI Consulting Services Catalogue

Qlik UKI Consulting Services Catalogue Qlik UKI Consulting Services Catalogue The key to a successful Qlik project lies in the right people, the right skills, and the right activities in the right order www.qlik.co.uk Table of Contents Introduction

More information

ICT SERVICE LEVEL AGREEMENT MANAGEMENT POLICY (EXTERNAL SERVICE PROVIDERS/VENDORS)

ICT SERVICE LEVEL AGREEMENT MANAGEMENT POLICY (EXTERNAL SERVICE PROVIDERS/VENDORS) ICT SERVICE LEVEL AGREEMENT MANAGEMENT POLICY (EXTERNAL SERVICE PROVIDERS/VENDORS) TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIMS OF THE POLICY...

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

White Paper. Regulatory Compliance and Database Management

White Paper. Regulatory Compliance and Database Management White Paper Regulatory Compliance and Database Management March 2006 Introduction Top of mind in business executives today is how to meet new regulatory compliance and corporate governance. New laws are

More information