Airport Information Technology Vendor Management


Objective

To assess the effectiveness of Business Technologies’ processes for vendor management governance and how well it monitors information technology vendors at Denver International Airport.

Background

An effective information technology vendor management process controls costs, promotes excellent service, and reduces risks to ensure the organization gets the best value from its vendors.

Business Technologies is the division responsible for information technology at Denver International Airport. It provides information technology-related infrastructure, systems, and services for the third-busiest airport in the world.

Business Technologies selects third-party vendors for specialized technology needs — such as baggage handling, badging, and security — and oversees them to ensure they provide the best value to Denver and its airport.

Why this matters

Business Technologies’ delay in establishing a comprehensive governance structure for vendor management puts Denver International Airport at risk of not getting what it pays for from its technology vendors and potentially exposes the airport to vulnerabilities.

If technology vendors do not adequately protect the airport’s data or if they do not deliver services as promised, the airport could lose revenue, passenger services could be affected, and the airport’s reputation could be damaged.

Findings

FINDING — Denver International Airport’s Business Technologies division lacks a robust information technology vendor management program

The airport does not adequately monitor its information technology vendors to ensure third-party systems are monitored and maintained. We found Business Technologies is missing:

  • A formal strategic plan to guide its vendor management governance.
  • Documented and approved policies and procedures to guide its employees, enforce requirements, and hold technology vendors accountable.
  • Training plans to educate staff about how best to monitor technology vendors in line with approved policy.
  • A centralized list of technology vendors.
  • Procedures to periodically assess risks around technology vendors’ security and architectural controls.

Meanwhile, Business Technologies also does not:

  • Hold information technology vendors accountable by requiring service-level agreements and objectives in each technology contract.
  • Consistently document lessons learned after major incidents or evaluate compliance with service-level objectives.

Recommendations

1.1 Document an information technology vendor management strategic plan – Denver International Airport’s Business Technologies division should create and document a strategic plan for information technology vendor management that supports the overall strategic vision at the airport. In developing its vendor management program, Business Technologies should include sufficient detail — and measurable time frames — in its strategic plan for each of the following objectives:

  • Having performance indicators to monitor vendors’ contract compliance.
  • Securing data and network infrastructure.
  • Training airport staff.
  • Engaging proactively with vendors and partners.
  • Improving how it selects and contracts with critical vendors to save money.
  • Monitoring other airport divisions’ compliance with technology plans, budgets, standards, and policies and procedures.

Agency Response – Agree, Implementation Date – Jan. 2, 2024

1.2 Finalize a vendor management policy – As part of implementing the ServiceNow vendor risk management module, Denver International Airport’s Business Technologies division should finalize and approve its draft vendor management policy and ensure it includes details about the organizational structure supporting the airport’s vendor management life cycle, staff resources and roles and responsibilities, and all related activities needed to ensure sufficient governance of information technology vendor management at the airport.

Additionally, Business Technologies should develop and finalize supporting procedures for all vendor management life cycle activities, including but not limited to procedures described in recommendations 1.3, 1.4, 1.5, 1.7, and 1.8 — such as procedures for continuous security and performance monitoring as well as consistent steps to end a relationship with a vendor.

Agency Response – Agree, Implementation Date – April 1, 2024

1.3 Require Business Technologies’ early involvement in technology procurement – As part of implementing Recommendation 1.2, Denver International Airport’s Business Technologies division should work with airport officials to require the division’s involvement during procurement to ensure initial technical, architectural, security, data protection, and privacy risks are addressed upfront for any technology introduced at the airport.

Agency Response – Agree, Implementation Date – July 1, 2024

1.4 Develop a vendor termination process – As part of implementing Recommendation 1.2, Denver International Airport’s Business Technologies division should develop, approve, and document a consistent process for staff to follow when information technology vendors stop working for the airport. This process should include considerations like updating the airport’s vendor inventory list, ensuring vendors return or destroy city data in their possession, and removing vendor accounts from airport systems. Once these procedures are approved, division managers should communicate them to relevant staff.

Agency Response – Agree, Implementation Date – April 1, 2024

1.5 Develop security review procedures – As part of implementing Recommendation 1.2, Denver International Airport’s Business Technologies division should develop, implement, and document procedures to ensure staff continuously monitor all airport information technology vendors for risks and security concerns. These procedures should include, at a minimum:

  • Ensuring security reviews and risk assessments are done at intake and at regular times thereafter, depending on the criticality to the airport and the risks posed by a vendor’s system.
  • Detailing requirements for security reviews and risk assessment reports from independent assessors.
  • Obtaining a copy of vendors’ risk assessments for vendors managed by the city’s Technology Services agency, so Business Technologies has it for its own records and can document these exceptions.

Agency Response – Agree, Implementation Date – June 3, 2024

1.6 Develop an information technology vendor management training plan – Denver International Airport’s Business Technologies division should develop a training plan to ensure staff with roles and responsibilities related to information technology vendor management life cycle activities are aware and informed of how the governance process is structured and how it should operate.

Agency Response – Agree, Implementation Date – Jan. 2, 2024

1.7 Ensure complete and accurate information in ServiceNow – Denver International Airport’s Business Technologies division should continue to implement an automated single system of record for vendor management — such as the ServiceNow vendor risk management module — to monitor all vendor management life cycle activities and ensure the airport’s information technology vendor inventory list is complete and accurate.

Furthermore, as part of implementing Recommendation 1.2, Business Technologies should develop a process, policy, and procedures to ensure data stored in this system of record remains complete and accurate.

Agency Response – Agree, Implementation Date – April 1, 2024

1.8 Define and monitor service-level objectives – As part of implementing Recommendation 1.2, Denver International Airport’s Business Technologies division should:

  • Ensure all technology contracts contain service-level agreements and specific service-level objectives for vendors to meet and that these service-level objectives are relevant, enforceable, and measurable.
  • Refine and supplement procedures to ensure airport staff comprehensively and continuously monitor all technology vendors and verify that these vendors are meeting contract terms — including the requirements of their service-level agreements and objectives.
  • Define and implement a process to seek restitution when vendors do not fulfill their agreed-upon service-level objectives, in accordance with their contracts.
  • Include detailed information about service-level objectives in ServiceNow to support staff’s comprehensive and continuous monitoring.

Agency Response – Agree, Implementation Date – July 1, 2024

1.9 Update policy and procedures for vendor incidents – Denver International Airport’s Business Technologies division should revise its major incident management policy and any associated procedures to require staff to document lessons learned after each major incident to help prevent future events and to hold vendors accountable to service-level objectives agreed to in their service-level agreements. These lessons learned should be documented in ServiceNow, given it is the airport’s system of record for information technology.

Agency Response – Agree, Implementation Date – Jan. 2, 2024

Auditor's Letter

September 21, 2023

We audited how well Denver International Airport’s Business Technologies division manages the airport’s information technology vendors — specifically how effectively it oversees these vendors and monitors performance and whether it has established policies, procedures, and other processes it follows to ensure good governance. I now present the results of this audit.

The audit revealed the airport inadequately monitors its information technology vendors. It has no documented policies, procedures, or training plans for monitoring vendors, and the airport lacks a centralized system to track technology vendors. We also found the airport does not require service-level agreements in each technology contract, does not consistently document lessons learned after major incidents, and does not evaluate compliance with service-level objectives within its system of record.

By implementing recommendations for stronger policies, procedures, training, data management, contract administration, and incident management, the airport will be better able to hold its technology vendors accountable to specific standards while also having the means to enforce those standards through contract- and airport-specific requirements.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We appreciate the leaders and team members at Denver International Airport who shared their time and knowledge with us during the audit. Please contact me at 720-913-5000 with any questions.

Denver Auditor

Timothy O'Brien, CPA




Denver Auditor's Office

201 W. Colfax Ave. #705 Denver, CO 80202
Email: auditor@denvergov.org
Call: 720-913-5000