If you can, negotiate the contract for three primary factors:

1) A yearly security assessment / penetration test by a neutral outside firm. An often fair way to do this is to give them a list of three approved assessment vendors and they pick one. That way you can make sure you're getting more than a Nessus scan and they can negotiate price.

2) Make sure that the standard "limited liability" amount covers the risk you face should there be a compromise. Often the de facto level is "reimbursement will not exceed the total monthly costs paid by the client", which is insufficient from a security perspective.

3) If there is a problem with either #1 or #2 and it is not addressed in 30 days (or whatever limit you pick), you can leave the contract with no penalty and all data intact.

(I find it interesting that this is the fifth time this topic has come up for me in the last week. The magic cloud must have serious marketing dollars behind it all of a sudden.)

-Josh More

On Fri, Feb 18, 2011 at 9:23 AM, Andrew Anderson <[email protected]> wrote:
> My organization is currently looking at a web-based hosted solution to one
> of our needs.
>
> I am wondering what is the de facto standard with regard to SaaS vendors and
> communicating the state of their security. My current assumption is that in
> the majority of cases, the client has no access to anything other than a
> promise that the vendor is secure. Is that true?
>
> Beyond informing management that they are in the position of having to
> blindly trust the provider, I am looking for any advice as to ways of
> gaining more comfort with a particular vendor that actually work / have
> worked for you?
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
