Information Technology Vendor Management

Technology Services’ delay in establishing a comprehensive governance structure risks the city not getting what it pays for from outside vendors. If technology vendors do not adequately protect city data or if they do not deliver services as promised, city agencies and residents could be affected and the city’s reputation is at risk.

FINDING — Technology Services Does Not Systematically Manage Its Vendors

The agency’s oversight of its information technology vendors is inadequate. Agency leaders delayed finalizing a proposed vendor management policy — a crucial component of a comprehensive governance structure — until after this audit was completed.

Specifically, Technology Services is missing:

• Official policies and procedures to guide its employees, enforce requirements, and hold vendors accountable.
• Defined roles and responsibilities or designated authority for the specific employees involved with vendor management.
• Budgetary plans to fund and adequately staff the vendor management function.
• Training plans to educate employees about how to monitor vendors in line with approved policy.

Meanwhile, we also found Technology Services does not:

• Consistently monitor its vendors for existing security controls.
• Hold these vendors accountable for meeting contract requirements.
• Have a consistent process when vendors stop working for the city.
• Store vendors’ data in a central system.

1.1 Establish Organizational Structure – The city’s Technology Services agency should perform a staffing analysis to determine budget and staffing needs for the vendor management process. Based on this staffing analysis, the chief information officer should establish a staffing plan and designate an organizational structure, with a designated authority, for the vendor management team. The chief information officer should then document this structure in an approved vendor management policy.

Agency Response: Agree, Implementation Date – March 14, 2023

1.2 Refine Strategic Plan Objectives – The city’s Technology Services agency should refine its strategic plan to include sufficient detail about how it will plan the vendor management process — including:

• Performance indicators for monitoring vendors’ contract compliance.
• Securing data and network infrastructure.
• Training city staff.
• Engaging proactively with vendors and partners.
• Improving how it selects and contracts with critical vendors to save taxpayer money.
• Monitoring other city agencies’ compliance with technology plans, budgets, standards, and policies and procedures.

Each objective should have a measurable timeline.

Agency Response: Agree, Implementation Date – March 14, 2023

1.3 Refine, Approve, and Implement Vendor Management Policy and Procedures – The city’s Technology Services agency should refine its draft vendor management policy with more detail about the organizational structure, how it will communicate staff’s roles and responsibilities, and how it will train staff. In addition, Technology Services should create all needed procedures that will be referenced in the policy, including but not limited to procedures described in recommendations 1.5, 1.6, and 1.7. Once the agency completes these procedures, the chief information officer should approve the revised draft vendor management policy as soon as possible.

Agency Response: Agree, Implementation Date – March 14, 2023

1.4 Develop and Conduct Training – The city’s Technology Services agency should develop a training plan to ensure staff with roles and responsibilities for information technology vendor management are aware and informed of how the process is structured and how it should operate.

Agency Response: Agree, Implementation Date – March 14, 2023

1.5 Develop and Approve Security Review Procedures – As part of implementing Recommendation 1.3, the city’s Technology Services agency should develop and implement security review procedures to ensure staff comprehensively and continuously monitor all information technology vendors for security concerns. These procedures should include at a minimum:

• Security reviews at intake and on a regular basis thereafter, at least once a year.
• Documentation for why a vendor is excluded from annual security reviews.
• Current independent security assessments.

Agency Response: Agree, Implementation Date – March 14, 2023

1.6 Develop and Approve Performance-Monitoring Procedures – As part of implementing Recommendation 1.3, the city’s Technology Services agency should:

• Populate ServiceNow with the service-level objectives.
• Develop and incorporate procedures to ensure staff are comprehensively and continuously monitoring all vendors to verify they are meeting contract terms and the requirements of their service-level agreements.
• Include steps in procedures to ensure contracts contain service-level agreements and service-level objectives and that these service-level objectives are relevant, enforceable, and measurable.
• Define and implement a process for seeking restitution when vendors break agreed-upon performance objectives.

Agency Response: Agree, Implementation Date – Dec. 14, 2022

1.7 Develop and Approve Vendor-Separation Procedures – As part of implementing Recommendation 1.3, the city’s Technology Services agency should develop and approve a process for when vendors separate from the city, and then management should communicate these procedures to relevant staff.

Agency Response: Agree, Implementation Date – Nov. 14, 2022

1.8 Implement a Single System of Record for Vendor Management – The city’s Technology Services agency should establish a single system of record, such as ServiceNow, for vendor management data and monitoring activities. Once Technology Services establishes a single system of record, it should create a process for reviewing vendor management-related data to ensure accuracy.

Agency Response: Agree, Implementation Date – Sept. 15, 2023