Application Service Providers and Outsourcing: Protect Your Assets
Theresa Rowe
Oakland University
Copyright Theresa Rowe 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Managing the ASP / Hosted Relationship
• Managing the relationship
• Reducing your risks
• Contract and agreement language
• Managing the contract
Take With You
• Staff skills may change
• Not an “outsource it and ignore it” environment
• Contracts, software and vendor performance need monitoring
• Push your culture and standards
• Insurance and contract language protect your university
Application Service Provider
• Webopedia:
– Abbreviated as ASP, a third-party entity that manages and distributes software-based services and solutions to customers across a wide area network from a central data center.
• Whatis.com:
– Hosted CRM is an arrangement in which a company outsources some or all of its customer relationship management (CRM) functions to an application service provider (ASP).
From the Point of Purchase
• Document requirements into RFP process
• Security requirements
• Compliance regulations – FERPA, HIPAA, SOX
• IT controls
Vendor Relations
• Time and energy
• Possible issues
– Product performance
– Methods
– Data quality
– Operations
– Security
Know your Culture
• Every standard enforced on your own campus must be written into the contract.
• Standards for IT controls:
– Performance standards
– Segregation of duties
– Access controls (account activation, deletion)
– Software development security
– Change and risk management
Risk Management
• Denial of Service
• Unauthorized access or use
• Theft of identity or other personal information
• Sabotage and espionage
• Extortion
• Derogatory or libelous content
Risk Assessment
• References, Better Business Bureau, Dun & Bradstreet checks
• New technologies may not have university references
• What can go wrong?
Consequences
• “Bad” or corrupt data
• Interruption of critical processes
• Operational and financial losses
• Harm to reputation
Risks May Not Be Covered
• Many risk exposures are not covered by standard insurance policies – no tangible loss
– Liability for theft of private or confidential information
– Business interruption income loss or extra expense due to events that disrupt operations (including intrusion by insiders and denial of service attacks)
– Loss, theft or destruction of data
– Liability for attacks against third parties
– Theft of passwords by non-electronic means
Impact of Outsourcing
• Outsourcing, hosted solutions and ASPs reallocate some of the liability to the vendor
• Outsourced agreements typically provide only a limited source of recovery
• Need technology errors and omissions coverage and cyber security coverage
Network Security / Cyber Liability
• Coverage for:
– Intent to destroy or expose electronic data or make it inaccessible
– Computer viruses, Trojan horses, worms and any other type of malicious or damaging code
– Dishonest, fraudulent, malicious, or criminal use of a computer system
– Denial of Service or loss of service
– Unauthorized access
Sample Insurance Standards
• Network Security/Cyber Liability covers liabilities resulting from data damage / destruction / corruption / disclosure.
• Include unauthorized access or use, virus transmission, denial of service and income loss from network security failures.
• Typical limits are $5 million per occurrence and $5 million in the aggregate.
Technology Errors & Omissions Insurance
• Covers:
– Systems analysis, design, consulting, development, programming, modification, integration, and training services
– Management, repair and maintenance of computer products, networks and systems
– Professional exposures relating to marketing and servicing hardware or software
– Data entry, modification, verification, maintenance, storage, retrieval or preparation of data output.
• Limits are typically recommended at $5 million for each wrongful act or a series of wrongful acts
– Insurance endorsed to include subsidiaries and affiliates
Other Needed Insurance Coverages
• Commercial General Liability, including blanket contractual liability covering liability assumed under this agreement, with limits not less than $1 million per occurrence and $2 million in the aggregate; $1 million each occurrence sublimit for personal injury and advertising; $2 million for products/completed operations; and the policy adding the university as an additional insured.
• Worker’s Compensation
• Automobile Liability
• Crime/Fidelity Bond
Indemnification
• Vendor should indemnify University for all loss caused directly or indirectly by, or resulting from, a security breach of University’s system that results from its connectivity with vendor.
• Indemnification should extend to University for actions caused by third party service providers that the Vendor relies upon to provide IT services if such loss is that entity’s fault.
• Loss includes direct or consequential damages, punitive, exemplary damages, or fines and penalties assessed to University, its affiliates, subsidiaries, etc.
• University should seek indemnity from the intentional/willful misconduct of the Vendor.
Limitation of Liability
• University should seek to have no limitation on liability for any damages, but the likely outcome is that there will be a cap on consequential damages (if they will agree to that indemnification at all). Limitations for willful misconduct and intellectual property infringement should not be accepted.
Sample Non-Disclosure Language
• Each Receiving Party agrees to hold any information furnished to it by a Disclosing Party in the same manner that it holds its own confidential and proprietary information, to keep the information secret and treat it confidentially…
Sample Disclosure Language
• Vendor shall immediately notify university in writing of any use or disclosure of data other than as allowed by this contract and, to the extent practicable, shall mitigate any harmful effect of such use or disclosure.
– Report to the university any attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic data, or interference with system operations in an Information System, of which it becomes aware.
The Contract
• Finalize in the contract
– Clearly stated purpose and expectations
– Insurance and disclosure statements
– Performance measures
– Methods
– Avoid URLs in the agreement
– Complete definitions
Specific Deliverables
• Specified milestones
• Measurable results
• Transition period
• Assign the contract for internal management
Acceptance Testing
• Define acceptance test
• Include testing of maintenance and support, training, documentation
• Define cure period for test failure
• Use shall not constitute acceptance!
Service Level Agreements
• System uptime
• Analysis period – month?
• Statistical format
System Availability
• Scheduled maintenance – Time zone
• Outages at the source
• Unavailability over the network
• Slowness and latency
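The uptime measurement the Service Level Agreements and System Availability slides call for, as an added example that is not part of the presentation: it takes constructed monitoring records logged in UTC, excludes the vendor's scheduled maintenance window (assumed to be published in the vendor's own time zone, so the conversion is done explicitly), tallies outages at the source, over the network and from latency separately, and reports one month's availability against an assumed contract target.

```python
from datetime import datetime, time, timedelta
from zoneinfo import ZoneInfo

# Constructed sample inputs, not from the presentation. The vendor publishes
# its maintenance window in its own time zone (assumed America/New_York,
# Sundays 01:00-04:00); the university's monitoring logs outages in UTC.
VENDOR_TZ = ZoneInfo("America/New_York")
UTC = ZoneInfo("UTC")
SLA_TARGET_PCT = 99.5                          # assumed contractual monthly uptime
MAINT_WEEKDAY, MAINT_FROM, MAINT_TO = 6, 1, 4  # Sunday, 01:00-04:00 vendor local
# (start UTC, end UTC, category) -- constructed monitoring records
OUTAGES = [
    ("2024-03-03 06:00", "2024-03-03 08:30", "source"),   # vendor data center down
    ("2024-03-10 14:00", "2024-03-10 15:00", "network"),  # unreachable over the WAN
    ("2024-03-20 09:00", "2024-03-20 09:45", "latency"),  # slower than agreed threshold
]

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)

def maintenance_overlap(start, end):
    """Minutes of [start, end) inside a maintenance window, evaluated in vendor local time."""
    excluded = timedelta()
    day, last = start.astimezone(VENDOR_TZ).date(), end.astimezone(VENDOR_TZ).date()
    while day <= last:
        if day.weekday() == MAINT_WEEKDAY:
            # Build the window in the vendor's zone so a DST change does not shift it.
            w_start = datetime.combine(day, time(MAINT_FROM), tzinfo=VENDOR_TZ)
            w_end = datetime.combine(day, time(MAINT_TO), tzinfo=VENDOR_TZ)
            excluded += max(min(end, w_end) - max(start, w_start), timedelta())
        day += timedelta(days=1)
    return excluded.total_seconds() / 60

def monthly_availability(outages, year, month, sla_pct=SLA_TARGET_PCT):
    """One calendar month: counted downtime by category, excluded minutes, availability, SLA verdict."""
    first = datetime(year, month, 1, tzinfo=UTC)
    nxt = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=UTC)
    total_min = (nxt - first).total_seconds() / 60
    downtime, excluded = {"source": 0.0, "network": 0.0, "latency": 0.0}, 0.0
    for s, e, cat in outages:
        start, end = max(_utc(s), first), min(_utc(e), nxt)  # clip to the month
        if end <= start:
            continue
        maint = maintenance_overlap(start, end)
        excluded += maint
        downtime[cat] += (end - start).total_seconds() / 60 - maint
    counted = sum(downtime.values())
    pct = 100.0 * (total_min - counted) / total_min
    return {"downtime_minutes": counted, "excluded_minutes": excluded,
            "by_category": downtime, "availability_pct": pct, "meets_sla": pct >= sla_pct}
```

With the constructed records, the first outage falls entirely inside the Sunday window once converted to vendor local time and is excluded, while the other two count against the month.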
Copyright
• Sharing logos
• Branding
• Recognizing the authority
Data Quality
• Data quality standards documented well enough to contractually control quality
• Data contextual issues
Data Privacy
• Published privacy statement
• Permission to share
• Mutual non-disclosure
• Handling of a data breach
Process Integrity
• Processes defined well enough to write into the contract
Security
• University data off-campus need the same protections as data on-campus.
– Secure FTP
– SSL
– VPN
– Security audits
Termination
• Failed tests
• Customer complaints
• Failure to cure
• Merger and acquisition
• Specify transition assistance
• Specify equitable relief
Disaster Recovery and Continuity
• Equal priority for return with all other customers
Managing the Relationship
• Who on your staff
– Negotiates further with vendor
– Accepts vendor excuses, apologies or adjustments
– Interprets IT for Legal or Risk Management areas
– Tracks performance to contract
– Is contacted in the future for new products, new modules, etc.
Skills
– Negotiation
– Software license metrics management
– Cost/benefit analysis
– Understanding of contract and insurance language
– System & network performance metrics
– Proofreading
Operational Review
• Weekly meeting to review
– Performance measures tracked against the contract
– Operational methods
– Any issues
– Documented conversation
What We Do – Part 1 - Project
• Project Checklist
– Security review questions
– Are you transferring data currently residing on an OU computer to a computer not owned by OU?
– Are confidential or payment card data involved?
– Will data be collected and sent to OU?
Part 2 System Review
• Product review
• Vendor discussions
• General security review
• Exploration of applicable standards
Part 3 Contract Review
• Data access controls
• Data quality standards
• Notification procedures
• Data storage review
• Network security review
• Disaster and continuity plans
• Privacy and compliance review
• Termination
Last Step – Contract Addendum
• Defines minimum security and operational criteria
• Vendor written response required
• General security standards
• Termination points
Key Points
• Annual security audit with shared results
• Documented architecture
• Compliance with state & federal privacy and security legislation within 60 days of enactment
• Evidence of insurance, PCI compliance
Key Points
• Physical security description
• 24-hour surveillance video of evidentiary quality
• Hiring background checks
• Firewall documentation
• File transfer security documentation
Key Points
• List of all software with release number and patch level
• Plan for applying releases, upgrades and patches
• Password management plan
• Account maintenance plan
• Cryptography standards
Web Security
• Development standards
• SSL implementation
• Quality control procedures
Key Points
• System performance
• Disaster recovery plans
• Uptime standards
• Acceptable response times for standard applications
Data Controls
• University owns data quality standard
• Prohibit sharing with third-party or sub-contractor without approval
• Process for accidental data exposure
• Non-disclosure language
• Protections for confidential data
Evaluation & Approval
• Engagement is approved by
– University Technology Services
– Office of Purchasing and Risk Management
– And if needed, General Counsel
References
• Educause www.educause.edu
• Caucus – Association of Technology Procurement Professionals www.caucusnet.com
• SANS www.sans.org
• www.sans.org/resources/policies/Application_Service_Providers.pdf
• www.sans.org/resources/policies/asp_standards.pdf
Insurance Risk Information
• You may also contact Thomas Srail of Willis:
Thomas Srail, Vice President
Willis Executive Risks
E&O and E-Risk Team
246-357-5997
Technology Procurement
Association of Caucus Technology Procurement Professionals
http://www.caucusnet.com
Open ITAM – Open Information Technology Asset Management