Evaluating a potential ASP’s security takes time and expertise. The details of authentication, packet filtering, encryption, and other technologies call for investigation by specialists, either in-house IT analysts or outside security consultants. But here are some of the broad questions that management should be asking:
- How does the ASP control physical access to its site?
- Does the ASP have a disaster-control program that includes restoring data in the event of power loss or other emergency?
- How are access rights controlled to ensure that only authorized personnel are dealing with the client’s data?
- Does the ASP perform background checks on employees?
- Are corporate-training programs in place to keep employees aware of the need for constant security monitoring?
- How are passwords protected, and what kind of corporate policy governs their use?
- Are authentication procedures — digital certificates, tokens, and biometric methods such as iris scanners or fingerprint identifiers — used to back up password control?
- Who has the right to make changes to the servers used in handling the client’s data?
- Does the ASP use encryption to protect data moving between the client and its site?
- Is the ASP’s internal network protected by firewalls?
- Are change procedures in place to lock down any access points that may have been opened up through new equipment or software, or changes to the existing firewalls?
- What procedures ensure that the latest software patches are always installed to seal off vulnerabilities?
- What measures are being taken to prevent viruses and other malicious code from damaging the ASP’s systems?
- Do the company’s audit logs demonstrate that the ASP is using its procedures in a correct and consistent way?