Version: 1.00    Issue Date: 10/27/2015
This Supplier Policy incorporates most of what is in the Contracting Policy. It covers both the acquisition of items and the acquisition of services from suppliers: where items are being purchased, some parts of this policy apply, and where services are being purchased, other parts apply. The Supplier Policy ensures that services and purchased items meet the needs of the business.
This Supplier Policy will help ensure third party goods meet quality requirements and deliveries are timely.
This Supplier Policy requires that all third party services are identified and documented. It requires that third party services meet quality requirements and that contracts require quality standards. It requires assignment of roles and responsibilities for monitoring third party services, managing relationships, and managing contracts.
This Supplier Policy applies to all third party contracts, and to those involved with creating, monitoring, or enforcing the contracts. It applies to all third parties that are contracted to the organization for the acquisition of goods. This policy is effective as of the issue date and does not expire unless superseded by another policy.
4.0 Third Party Service Documentation
All third party services and their internal and external contacts, including business and technical contacts, must be identified and documented in a registry or database.
Management is responsible for ensuring that all third party services and their internal and external contacts are documented.
Procedures must require that third party services and interfaces are documented when they are created and that the appropriate authority has the information.
All third party services must be documented with the name of the service, the systems it connects to, and the purpose of the service.
5.0 Third Party Service Quality
Management is responsible for ensuring that the implementation and quality of third party services meet requirements.
6.0 Roles and Responsibilities
Responsibility for managing individual supplier contracts must be clearly and formally assigned.
Roles and responsibilities for managing vendor and service provider relationships must be formally assigned.
Roles for managing vendor relationships and contracts must be assigned based on qualifications and experience.
Positions and required qualifications for managing vendor relationships and contracts must be clearly specified and communicated in the organization (as must be done for all positions).
Organizational management and third party supplier management must agree to specific and measurable goals and deliverables. Goals and deliverables must consider quality, quantity, timeliness, and overall results relative to the business need.
7.0 Contract Requirements
All contracts must specify ownership of deliverables including software source code.
All contracts must provide for software source code escrow when software is involved.
Agreements must be entered into with appropriate third parties to provide software escrow capability where appropriate.
All contracts must require services and all deliverables to meet organizational policies and industry standards, including security policies and standards.
All contracts must require internal requirements to be met.
Contracts must name the specific policies and standards that apply where possible.
All contracts must contain nondisclosure agreements where appropriate.
Procedures for developing contracts must be developed by qualified personnel and management is responsible for ensuring that the procedures are created and followed.
Procedures for developing contracts must address the needs of internal stakeholders and utilize contract templates for the contract creation process.
Goals of the contract must be clearly defined and service levels must be clearly defined and agreed upon between the organization and third party vendor, contractor, or service provider.
Costs, specific work to be done, deliverables, schedules for deliverables, limits of liability, incentives for service delivery, and penalties for either party must be agreed to by all parties and documented by the contract.
All contracts must be reviewed by legal counsel representing the organization before contracts are approved and signed.
Any party who will work under the terms of a contract must not be allowed to start work until the contract has been formally approved and signed by both parties.
The organization must specify what organizational positions have authority to approve contracts and what the spending limits are.
A method to allow for contract modification or termination must be provided in the contract where it is appropriate.
The contract should provide for the ability to have an independent party check service or security measures in place where they are appropriate to the business function.
All contracts or service level agreements must specify confidentiality, integrity and availability security requirements.
All contracts or service level agreements must comply with all legislation including requirements for data privacy.
The contract must specify a service level agreement (SLA) that addresses problem management. The service level agreement must classify problems based on business impact and identify those critical to the business process which require resolution in specific timeframes. Penalties should be set for failure to meet the required timeframes for problem resolution.
Specific key performance indicators should be specified and documented by the service level agreement and incentives or penalties should be set.
The contract must provide an ability to change the service level in the event that the business requirement changes.
The contract must define what constitutes a breach of contract on the supplier's part.
The contract must provide for termination of the contract in the case of a breach of contract.
The contract must consider transition support at the end of the contract whether the contract is completed at the end of its period or early termination is implemented. The required supplier activities must be specified.
The contract must specify the documentation required with deliverables and when it is required. The contract must specify minimum documentation and quality requirements.
The contract must require pertinent documentation to be provided to the organization if the contractor goes out of business.
The contract must consider the possibility that the contractor may be taken over by another organization and provide for service to continue. The contract must provide a method to deal with possible degradation of service during a transition period.
The way to exit the relationship with the contractor must be considered in order to prevent breaking the business process in the event that the contractor fails to deliver proper service or goods.
Alternative suppliers must be considered to provide services or goods to replace the contracted supplier in the event that the contracted supplier fails to meet the requirements. Arrangements for alternative suppliers should be made if appropriate for the business need.
The contract must provide an ability for audits to be done on the contractor as appropriate to ensure that standards, legal requirements, and/or required policies and procedures are being met.
The contract must provide an ability for the contractor to have penetration tests performed by the organization or its representative agents as appropriate.
Someone in the organization must manage the contract. The contract manager must act as a point of contact with the contractor (supplier or vendor).
The contract must clearly define the roles and responsibilities of the contractors.
The contract must specify the level of documentation required for contractor work.
8.0 Supplier Assessment
The supplier must be assessed to determine their ability to meet contract requirements over the duration of the contract. This must be done during the initial contracting process. Factors that should be considered include financial factors, supplier delivery capacity, and supplier commitments.
A process for ensuring that suppliers can deliver the expected service or products must be established. The process should include a request for proposal (RFP) process, reference checks, and an invitation to tender (ITT) process.
Supplier selection should be based on preset evaluation criteria based on requirements compared with supplier responses.
The supplier selection should include consideration for supplier compliance with internal policies.
The supplier's quality assurance policies, procedures, and programs should be considered when deciding whether to accept a supplier. Independent assessments of the supplier and documentation showing compliance with industry standards (COBIT, SAS 70) should be considered.
Interactions with the supplier during the bidding or contract proposal process should be used as an indicator to help determine the ability of the supplier to deliver the services or products which are to be supplied.
Supplier references should be checked to help determine the ability of the supplier to deliver the services or products which are to be supplied.
Where practical and pertinent, a visit to the supplier site should be used to help determine the ability of the supplier to deliver the services or products which are to be supplied.
When appropriate, third parties should be tasked to independently review the supplier to help determine their qualifications to provide the requested services or products.
When supplier user groups exist, group members should be queried to help determine satisfaction levels of the customers with the supplier.
Checks of publicly available material, such as the internet, should be done to locate any appropriate documentation about the prospective supplier.
A database of suppliers that provide equipment or support to the information technology function must be created. The database should include the supplier name, type of service or equipment provided, and contact details.
The supplier database must be reviewed every six months to be sure it is current. It must be reviewed by a committee formed by the head of the information technology department. The committee must include individuals actively involved in making purchases. A procedure for reviewing the supplier database and creating roles and responsibilities must be developed.
The supplier database must be available to all members of the information technology department that are involved in making purchases.
Vendor relationships should be evaluated annually to determine whether a vendor relationship should be changed based on reliability and performance of the vendor.
9.0 Policies and Procedures
Procedures for determining when work may or should be outsourced must be created. The procedures should describe the type of work that can be outsourced, along with how it should be done and controlled.
Procedures for selecting contractors must be created specifying metrics where possible.
Procedures to help determine and ensure that contractors are properly skilled and/or trained must be developed. The procedures should consider relevant standards and methods for the type of work.
Contract procedures must require contracts to include service level agreements covering the aspects of the service or product needed for the business function. Consideration for the quality and quantity of service must be specified.
Contract procedures must require contracts to specify audit, security, and other requirements. Requirements must be documented in the contract or reference material which documents the requirements.
Contracts must require the contractor to abide by organizational policies.
Contract procedures must require contracts to include monitoring of contract performance. Agreements must be reached about what will be measured, the expected performance, and the rewards or penalties for success or failure in meeting the set metrics.
Contractor information security responsibilities that must be considered for all contracts must include nondisclosure agreements, physical access controls, and logical access controls. Nondisclosure agreements are required.
The contract must consider revocation of access to the contractor at the end of the contract.
Contractors who work internally and use internal resources of the organization must sign an agreement allowing organizational management to inspect or monitor all use of information technology resources including internet access, email, telephone, and data.
A procedure for defining who must communicate with suppliers and the roles of management and staff involved must be defined.
A procedure must be created for documenting and resolving issues with contractors.
10.0 Contract Monitoring
Services provided by third parties must be managed by organizational management and a quality assurance process must be developed. Third party testing of software or services and development of software or hardware systems must be properly monitored to assure quality.
Auditing by either the contracting organization or an independent third party should be used to ensure security and quality controls are in place through the life of the contract.
Meetings must be held with contractors regularly to evaluate the effectiveness of the contract in meeting the business needs along with addressing any additional needs.
The contractor must be required to capture service performance information and report results. The contract should specify the service levels against which the captured metrics are compared. The organization must validate the accuracy of metrics reported by the contractor.
Costs of the contract and service levels should be compared to market conditions on a periodic basis.
User feedback about the service quality should be obtained on a regular basis using a set feedback mechanism.
Penalties or incentives provided by the contract based on metrics must be enforced on a timely basis.
When contractor work includes information technology work, a member of IT management with appropriate authority must review and approve contractor work and payment for it.
Relationships with vendors must be evaluated annually considering performance, support, and scalability of the service or systems provided.
Procurement procedures must be developed and used in making purchases.
Procurement procedures and policies (Supplier Policy) must be published.
The procurement procedures must consider the risk of purchases, including price and the business criticality of affected systems. Purchases that have high risk must be approved by a higher level of management. If the risk is high enough, a team including legal staff must evaluate the purchase.
High cost or high risk purchases should be made using a competitive bid process unless approved by an authorized member of high level management.
Roles and responsibilities for service, software, and hardware acquisition must be defined in the procurement procedures.
The combination of delivery, reliability, quality, performance, security, cost, vendor reliability, operational cost, and technology must be considered when making purchasing decisions.
All purchases of hardware, software, or services must be evaluated to be sure they meet the organizational business needs including reliability, quality, performance, security, initial cost, and operational cost.
Methods and metrics for evaluating hardware and software performance must be established. A process must be created to be sure that hardware and software performance is compared to required metrics of performance. Test results must be documented and kept.
Software and hardware must be standardized as much as possible to minimize cost of support and maintenance.
Software and hardware purchases must comply with the technological direction of the organization. Purchases that deviate from that direction, such as purchases of older technologies, must have an exception approval based on a business need.
Staff must not be allowed to make purchasing commitments to suppliers unless they are authorized members of the purchasing department or a negotiating team. Staff can only contact suppliers for information but are not allowed to disclose internal information about the available budget, time constraints, or any other pricing by competitors.
The purchasing department should select preferred suppliers who have provided quality products and services in the past. This practice should improve speed of purchases along with quality.
Staff that may have a conflict of interest should not be involved in the purchasing process. Any potential conflict of interest must be immediately reported to the staff member's supervisor. The Code of Conduct must be followed.
A procedure must provide a method for receiving purchases and checking to be sure the items received are according to the purchase order. The procedure must ensure that goods that do not comply with purchase orders are returned to the supplier.
Purchase orders should specify where (which loading dock) the purchased items should be delivered.
The requestor must check the received goods within a week to determine whether any quality issues exist. The vendor must be informed within a week about any quality issues.
The requestor must use acceptance procedures to determine whether the product or service meets the requirements (including functionality and security) according to the purchase order, contract, or service level agreement specifications.
The purchase order should provide a statement indicating that the requestor has one week after delivery to notify the supplier, through the purchasing department, about any quality issues.
A procedure for receipt of services must be created. Once services are performed, the requestor must inform the accounts payable department.
When any purchased products or services are found to not comply with a contract or purchase order, the requestor must immediately inform the purchasing department. The purchasing department must document steps taken to resolve issues and use the services of the legal department if necessary.
All purchases must comply with local, national, and international laws including laws that limit export or import of encryption technology.
Since following the Supplier Policy is important for the welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
12.0 Other Policies
13.0 Additional Requirements
Procedures for selecting contractors must be created.
Procedures for determining when work may or should be outsourced must be created.
A procedure for defining who must communicate with suppliers must be created.
Procedures to help determine and ensure that contractors are properly skilled must be developed.
A quality assurance process for monitoring third party services must be developed.
A procedure must be created for documenting and resolving issues with contractors.
A competitive bid process should be created.
A procedure for receiving purchases must be created.
A procedure for receipt of services must be created.
A process must be created to be sure that hardware and software performance meets required metrics of performance.
Product and service acceptance procedures must be created.
Approved by:__________________________ Signature:_____________________ Date:_______________