Thanks Marn, I'll have a look at creating an over-arching policy.

Chris

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Williams, Marn PENC:EX
Sent: 03 August 2011 18:28
To: 'PaulDotCom Security Weekly Mailing List'
Subject: Re: [Pauldotcom] Terms and Conditions for external hosting

Chris

We have had similar considerations in our Canadian business, and I can add a 
couple of recommendations for you. You are correct in considering vetting 
supplier and host employees, ISO27001, segregation of data, and encryption in 
transit and at rest.

Perhaps this is implied by your ISO27001 requirement, but ensure that the 
host's backend is secure - backups, disaster recovery plan, data centre 
security, AV and IPS, media sanitisation policy, specific responsibilities in the 
event of data loss or corruption, service level agreements on data 
availability, who has access to the encryption keys, their security incident 
handling process, data ownership and a plan to regain your data if the hosting 
company fails.

Ensure that you know who actually owns the company hosting the solution. 
Several US companies have set up their services here in Canada and their prime 
selling point is that the servers reside in Canada, too. Safe, right? However, 
the U.S. Patriot Act stipulates that U.S. owned or subsidiaries of U.S. owned 
companies are subject to the Act. If desired, data can be requested from these 
companies by the Patriot Act, and they are under no obligation to inform you 
that they have complied. Data Protection Act notwithstanding. Keep it in mind 
if that concerns you.

Many providers of externally hosted solutions provide a web-based front end. 
This is very convenient, but adds risk. If one of your employees decides to 
maintain the Health Information on a wireless connection with a laptop in a 
coffee shop (for example) - or even at home - then the data may be at risk even 
if they use an SSL connection. Wireless exploits are fairly trivial and it is 
not difficult to acquire a username and password in a situation like that. You 
may wish to address this with policy or require that all access into the hosted 
solution uses, for instance, VPN.

Finally, I recommend your business creates a security policy for using hosted 
solutions, so you have all your external hosting guidelines in place for any 
future considerations - avoid that slippery slope.

Regards
Marn Williams 

 

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Hembrow, Chris
Sent: August 3, 2011 1:52 AM
To: [email protected]
Subject: [Pauldotcom] Terms and Conditions for external hosting

Hi folks.  

I'm looking at Occupational Health systems for our business, which will hold 
potentially sensitive medical information on our employees.  We are potentially 
looking at externally hosted solutions, and I'm trying to get an idea of what 
sort of things I should look to ensure are included in any contract.  

So far, all I can think of specifically is around ensuring an appropriate 
employee vetting process for the supplier's employees and the host's employees, 
ISO27001 for the hosts, and segregation of data from their other customers.  
I'll also push for encryption of data at rest.

We're in the UK, and I'm not aware of any regulations which apply apart from 
the Data Protection Act.

Thanks,

Chris



Interservefm Ltd.  Registered in England, Number : 2820560.
Registered Office: Capital Tower, 91 Waterloo Road, London SE1 8RT.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com