Flexible Computing


Wednesday, Feb 22nd


We can help you build and transform your internal ICT Teams into a Cloud Broker.


Control Areas and Activities/Responsibilities

IT governance model

Assign executive sponsor or leadership team with primary responsibility for incorporating SaaS delivery into the organisation’s IT governance structure.

Set strategic direction and objectives for managing SaaS delivery and the relationship between the parties.

Align the business case, value metrics, and measurements with the expected value to be realised.

Develop a governance operating model that defines decision-making rights, management reviews, resolution of escalated service issues/conflicts, service performance reviews, and change management for the service requirements.

Determine key roles, responsibilities, and accountabilities between the two organisations.

Assign individuals to roles within the IT governance structure.

Enterprise account management functions of software as a service vendor

Develop business control process to maintain oversight of software as a service vendor performance per criteria defined for governance.

Require the software as a service vendor to provide reporting that compares actual service delivery against the applicable SLA or performance metrics.

Establish regular meeting schedules to review service level performance and changing requirements for software as a service delivery.

Review and monitor delivery of SaaS according to contractual terms and conditions.

Assess whether the expected business value sought is being realised.

Monitor stakeholder adoption levels, escalated issue resolutions, and new stakeholder business requirements to ensure the relationship meets expectations.

Establish a feedback loop with software as a service vendor to ensure that timely communication of employee issues, system errors, or process problem trends occurs for strategic resolution.

Review internal change requests and analysis documentation, and liaise with the software as a service vendor to secure changes and approvals to the agreement scope.

Consider making software as a service vendor management a dedicated account management function rather than a function of another job. Non-dedicated personnel performing vendor management can lead to poor oversight of the vendor performance.

Consider assigning multiple layers of account management as part of the governance model.

Develop a plan to rotate account managers periodically to ensure that arm’s-length relationships are maintained.

Expectations for software as a service vendor IT operations

Manage the day-to-day service operations with clearly defined, mature IT control processes.

Maintain a multi-pronged, multi-tiered security approach to ensure customer information/data assets are protected at all times.

Monitor all service level and other performance metrics defined by the SLA.

Provide around-the-clock, in-house technical expertise to support and resolve any internal operational issues/problems affecting service delivery.

Notify the customer organization of unresolved or escalated issues/problems affecting the SaaS vendor’s delivery of the service.

Constantly monitor all critical components of the applications, databases, and infrastructure-related components to ensure that availability, performance, and capacity expectations for the service are being maintained.

Provide full lifecycle management services including administrative, technical, and engineering resources required to install, maintain, troubleshoot, and operate the offered software systems and services.

Report operational performance showing actual service delivery against the applicable SLA or performance metrics.

Review and implement approved changes requested to the agreement scope.

Facilitate integration with customer’s identity management and access control systems, data exchange interfaces, and compliance reporting.

Participate in governance forums to make sure that compliance objectives are met and that the people in identified roles regularly meet and fulfill their mutual obligations.

Business intelligence / data reporting services

Because SaaS delivery may involve giving up some level of direct control over corporate data, accurate and useful reporting services may be needed across internal and SaaS vendor-hosted systems to verify that data is in sync and that interfaces are operating as expected. Determine what reporting services the software as a service provider offers and whether they are compatible with your business-intelligence requirements.

Develop a process to identify software as a service vendor data errors and to research and resolve possible data integrity issues.

Regulatory compliance

Develop a process to systematically coordinate policy changes, regulatory compliance procedures, and new initiatives with the SaaS vendor, and define responsibility for this function in the governance model.

If the software as a service vendor has a SAS 70 accreditation, determine if it applies to a Type I or Type II audit.

Review the software as a service vendor’s SAS 70 report thoroughly to determine if the processes and controls being tested apply to the data centre, infrastructure, or application services provided by the SaaS vendor’s offerings under consideration. Be aware that many providers will claim SAS 70 Type II, but it only applies to the hosting infrastructure and not the hosted applications.

Examine the report thoroughly to determine whether the provider is able to comply with your own internal standards for service management, privacy, data security, and so on.

Billing and invoicing

Review the SaaS vendor’s pricing model for costs/charges related to any initial setup, installation, or implementation fees, monthly recurring subscription/usage fees, and one-time charges (such as customizations or data migrations).

Establish controls and respective ownership around invoice review, reconciliation, authorization, and payments.

Establish a linkage between invoicing and SaaS vendor performance, SLA adherence, satisfaction survey results, and contract requirements.

Develop a process whereby the organization’s vendor account management team reviews the invoices for accuracy, validates that SLAs and performance requirements were met, and authorizes payments accordingly.

Confidentiality and privacy

Regularly assess the SaaS vendor’s compliance with the privacy and confidentiality requirements defined by your internal policies, and assign responsibility for this function in the governance model.

Determine if the SaaS provider’s privacy policies and practices comply with the requirements set forth by the U.S. Department of Commerce “Safe Harbor” framework. Certifying to Safe Harbor will assure EU organizations that your company provides “adequate” privacy protection for transferring personal data.

Develop a process to manage privacy and confidentiality complaints related to the SaaS provider outsourcing arrangement. This should include defining an escalation path and a process to resolve complaints with the SaaS vendor.

Verify that the SaaS vendor’s employees and subcontractors with access to your organization’s data are required to sign a non-disclosure agreement and undergo background checks as a condition of employment.

Require the SaaS vendor to administer privacy and confidentiality training to all employees and subcontractors handling your organization’s personal data.

Limit vendor and subcontractor access to sensitive, employee-personal data, such as government-provisioned identification credentials (for example, social security or driver’s license numbers), financial transaction authorization data (for example, credit card information), financial or medical profiles, and other highly sensitive information where unauthorized disclosure would cause considerable material loss.

Satisfaction surveys

Develop an employee satisfaction survey about the success of the SaaS offering. Include questions about the success of the transition process and identify issues and opportunities for improvement.

Define the timing, frequency, and population of employees that will be surveyed, and develop a process to systematically collect and summarize survey results.

Develop a process to confirm that the survey results are reviewed by the appropriate management teams and to address and resolve concerns identified in the surveys in a timely manner.

Data-security standards

Assess your information security policy and data-security needs to ensure the SaaS provider has sufficient security measures and data protections in place to meet your corporate standards.

Evaluate the SaaS provider’s security measures for its data centre, networks, servers, and the SaaS application itself. Additional considerations for protecting data include firewalls, digital certificates, security scans, vulnerability assessments, and industry-recognized security certifications.

Review the SaaS vendor’s backup and data recovery capabilities—frequency and type of backups, off-site storage, retention periods, and archiving services.

Review the SaaS vendor’s disaster recovery/business continuity plans and the testing of those plans.

Preparing for implementation

Review the SaaS provider’s implementation methodology and procedures, including any provisions for data migration and the identity integrations required for single sign-on.

Develop a plan for migrating to the new SaaS provider. Include a complete list of activities each party is responsible for during the implementation process.

Identify risk factors, risk mitigation strategies, necessary security tasks, data preparation tasks, communication plans, and other measures necessary to minimize disruption to the organization during implementation.

Identify training services and other measures that provide a transfer of knowledge to facilitate use of the SaaS application.

Termination of services

Develop an exit plan for migrating data out of the application in the event the contract is terminated prematurely for any reason or expires naturally.

Ensure the contract language specifically addresses:

  • Terms and conditions in effect upon termination or expiration of the agreement.
  • Termination assistance services, fees, charges, or other compensation.
  • Control and ownership of data throughout the life of the contract.
  • Source code disposition, including code escrow for any derivative works created during the contract term.
  • Specifications, documentation, information, and other assistance necessary to enable the organization to receive the services from another provider.
