|Version: 1.00||Issue Date: 10/6/2015|
This Contracting Policy will help ensure that third party services meet quality requirements.
This Contracting Policy requires that all third party services are identified and documented. It requires that third party services meet quality requirements and that contracts require quality standards. It requires assignment of roles and responsibilities for for monitoring third party services, managing relationships, and managing contracts.
This Contracting Policy applies to all third party contracts, and those involved with creating, monitoring, or enforcing the contracts. It applies to all third parties that are contracted to the organization. It applies to all those who depend upon or use third parties for services or acquisition of goods. This policy is effective as of the issue date and does not expire unless superceded by another policy.
4.0 Third Party Service Documentation
All third party services and their internal and external contacts, including business and technical contacts, must be identified and documented in a registry or database.
Management is responsible for ensuring that all third party services and their internal and external contacts are documented.
Procedures must require that third party services and interfaces are documented when they are created and that the appropriate authority has the information.
All third party services must have the name of the service identified along with systems they connect to, the purpose of the service.
5.0 Third Party Service Quality
Management is responsible for ensuring that the implementation and quality of third party services meet requirements.
6.0 Roles and Responsibilities
Responsibility for managing individual supplier contracts must be clearly and formally assigned.
Roles and responsibilities for managing vendor and service provider relationships must be formally assigned.
Roles for managing vendor relationships and contracts must be assigned based on qualifications and experience.
Positions and required qualifications for managing vendor relationships and contracts must be clearly specified and communicated in the organization (as must be done for all positions).
Organizational management and third party supplier management must agree to measurable and specific goals and deliverables that are specific. Goals and deliverables must consider quality, quantity, timeliness, and overall results relative to the business need.
7.0 Contract Requirements
All contracts must specify ownership of deliverables including software source code.
All contracts must provide for software source code escrow when software is involved.
Agreements must be entered into with appropriate third parties to provide software escrow capability where appropriate.
All contracts must require services and all deliverables to meet organizational policies and industry standards including security policies and standards
All contracts must require internal requirements to be met.
Contracts must specify specific policies and standards where possible.
All contracts must contain nondisclosure agreements where appropriate.
Procedures for developing contracts must be developed by qualified personnel and management is responsible for ensuring that the procedures are created and followed.
Procedures for developing contracts must address the needs of internal stakeholders and utilize contract templates for the contract creation process.
Goals of the contract must be clearly defined and service levels must be clearly defined and agreed upon between the organization and third party vendor, contractor, or service provider.
Costs, specific work to be done, deliverables, schedules for deliverables, limits of liability, incentives for service delivery, and penalties for either party must be agreed to by all parties and documented by the contract.
All contracts must be reviewed by legal counsel representing the organization before contracts are approved and signed.
Any party who will work under the terms of a contract must not be allowed to start work until the contract has been formally approved and signed by both parties.
The organization must specify what organizational positions have authority to approve contracts and what the spending limits are.
A method to allow for contract modification or termination must be provided in the contract where it is appropriate.
The contract should provide for the ability to have an independent party check service or security measures in place where they are appropriate to the business function.
All contracts or service level agreements must specify confidentiality, integrity and availability security requirements.
All contracts or service level agreements must comply with all legislation including requirements for data privacy.
The contract must specify a service level agreement (SLA) that addresses problem management. The service level agreement must classify problems based on business impact and identify criticality to the business process which require resolution in specific timeframes. Penalties should be set for meeting required timeframes for problem resolution.
Specific key performance indicators should be specified and documented by the service level agreement and incentives or penalties should be set.
The contract must provide an ability to change the service level in the event that the business requirement changes.
The contract must define what consists of a breach of contract on the supplier part.
The contract must provide for termination of the contract in the case of a breach of contract.
The contract must consider transition support at the end of the contract whether the contract is completed at the end of its period or early termination is implemented. The required supplier activities must be specified.
The contract must specify the documentation required with deliverables and when it is required. The contract must specify minimum documentation and quality requirements.
The contract must require pertinent documentation to be provided to the organization if the contractor goes out of business.
The contract must consider the possibility that the contractor may be taken over by another organization and provide for service to continue. The contract must provide a method to deal with possible degradation of service during a transition period.
The way to exit the relationship with the contractor must be considered in order to prevent breaking the business process in the event that the contractor fails to deliver proper service or goods.
Alternative suppliers must be considered to provide services or goods to replace the contracted supplier in the event that the contracted supplier fails to meet the requirements. Arrangements for alternative suppliers should be made if appropriate for the business need.
The contract must provide an ability for audits to be done on the contractor as appropriate to ensure that standards, legal requirements, and/or required policies and procedures are being met.
The contract must provide an ability for the contractor to have penetration tests performed by the orgainzation or representative agents as appropriate.
Someone in the organization must manage the contract. The contract manager must act as a point of contact with the contractor (supplier or vendor).
The contract must clearly define the roles and responsibilities of the contractors.
The contract must specify the level of documentation required for contractor work.
The supplier must be assessed to determine their ability to meet contract requirements over the duration of the contract. This must be done during the initial contracting process. Factors that should be considered include financial factors, supplier delivery capacity, and supplier commitments.
A process for ensuring that suppliers can deliver the expected service or products must be established. The process should include a request for proposal (RFP) process, reference checks, and an invitation to tender (ITT) process.
Supplier selection should be based on preset evaluation criteria based on requirements compared with supplier responses.
The supplier selection should include consideration for supplier compliance with internal policies.
The supplier quality assurance policies, procedures, and programs should be considered when considering who to accept as a supplier. Independent assessments of the supplier and documentation showing compliance with industry standards should be considered (COBIT, SAS 70).
Interactions with the supplier during the bidding or contract proposal process should be used as an indicator to help determine the ability of the supplier to deliver the services or products which are to be supplied.
Supplier references should be checked to help determine the ability of the supplier to deliver the services or products which are to be supplied.
Where practical and pertinent, a visit to the supplier site should be used to help determine the ability of the supplier to deliver the services or products which are to be supplied.
When appropriate, third parties should be tasked to independently review the supplier to help determine their qualifications to provided requested services or products.
When supplier user groups exist, group members should be queried to help determine satisfaction levels of the customers with the supplier.
Checks of publically available material such as the internet should be done to locate any appropriate documentation about the prospective supplier.
Policies and Procedures
Procedures for determining when work may or should be outsourced must be created. The procedures should describe the type of work that can be outsourced, along with how it should be done and controlled.
Procedures for selecting contractors must be created specifying metrics where possible.
Procedures to help determine and ensure that contractors are properly skilled and/or trained must be developed. The procedures should consider relevant standards and methods for the type of work.
Contract procedures must require contracts to include service level agreements covering the aspects of the service or product needed for the business function. consideration for the quality and quantity of service must be specified.
Contract procedures must require contracts to specify audit, security, and other requirements. Requirements must be documented in the contract or reference material which documents the requirements.
Contracts must require the contractor to abide by organizational policies.
Contract procedures must require contracts to include monitoring of contract performance. Agreements must be reached about what will be measures, expected performance, and rewards or penalties for success or failure or meeting set metrics.
Contractor information security responsibilities that must be considered for all contracts must include nondisclosure agreements, physical access controls, and logical access controls. Nondisclosure agreements are required.
The contract must consider revocation of access to the contractor at the end of the contract.
Contractors who work internally and use internal resources of the organization must sign an agreement allowing organizational management to inspect or monitor all use of information technology resources including internet access, email, telephone, and data.
A procedure for defining who must communicate with suppliers and the roles of management and staff involved must be defined.
A procedure must be created for documenting and resolving issues with contractors.
Services provided by third parties must be managed by organizational management and a quality assurance process must be developed. Third party testing of software or services and development of software or hardware systems must be properly monitored to assure quality.
Auditing by either the contracting organization or an independent third party should be used to ensure security and quality controls are in place through the life of the contract.
Meetings must be held with contractors regularly to evaluate the effectiveness of the contract in meeting the business needs along with addressing any additional needs.
The contractor must be required to capture service performance information and report results. Service levels should have been specified by the contract which the captured metrics can be compared to. The organization must validate accuracy of metrics reported by the contractor.
Costs of the contract and service levels should be compared to market conditions on a periodic basis.
User feedback about the service quality should be obtained on a regular basis using a set feedback mechanism.
Penalties or incentives provided by the contract based on metrics must be enforced on a timely basis.
When contractor work includes information technology work, a member of IT management with appropriate authority must review and approve contractor work and payment for it.
Relationships with vendors must be evaluated annually considering performance, support, and scalability of the service or systems provided.
Since following the Contracting Policy is important for the welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
8.0 Other Policies
9.0 Additional Requirements
Procedures for selecting contractors
Procedures for determining when work may or should be outsourced.
A procedure for defining who must communicate with suppliers.
Procedures to help determine and ensure that contractors are properly skilled.
A quality assurance process for monitoring third party services must be developed.
A procedure must be created for documenting and resolving issues with contractors.
Approved by:__________________________ Signature:_____________________ Date:_______________