What to Ask an ASP About Security

April 13, 2001
Evaluating a potential ASP's (application service provider's) security takes time and expertise. The details of authentication, packet filtering, encryption, and other technologies call for investigation by specialists, either in-house IT analysts or outside security consultants. But here are some of the broad questions that management should be asking:

  • How does the ASP control physical access to its site?
  • Does the ASP have a disaster-recovery program that includes restoring the client's data after a power loss or other emergency, and has that restoration been tested?
  • How are access rights controlled to ensure that only authorized personnel are dealing with the client's data?
  • Does the ASP perform background checks on employees?
  • Are security-awareness training programs in place to keep employees alert to the need for constant security monitoring?
  • How are passwords protected, and what kind of corporate policy governs their use?
  • Are stronger authentication methods -- digital certificates, hardware tokens, or biometrics such as iris scanners or fingerprint readers -- used to supplement password controls?
  • Who has the right to make changes to the servers used in handling the client's data?
  • Does the ASP use encryption to protect data in transit between the client and the ASP's site?
  • Is the ASP's internal network protected by firewalls?
  • Are change-control procedures in place to close any access paths opened by new equipment or software, or by changes to the existing firewall rules?
  • What procedures ensure that security patches are applied promptly, and how is that verified?
  • What measures are taken to keep viruses and other malicious code from damaging the ASP's systems?
  • Do the ASP's audit logs demonstrate that it follows its own procedures correctly and consistently?
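Three of the questions above -- who may change the servers handling the client's data, whether change-control procedures are enforced, and whether the audit logs show the procedures being followed -- can be checked against each other rather than taken on trust. The script below is an added example, not code from the original article or from any ASP: it reconciles a server-change audit log against the list of administrators the ASP named for each host and the change tickets the client's change-control process approved. The log format, user and host names, and ticket numbers are all constructed for illustration; a real ASP's logs will need their own parser.

```python
"""Reconcile an ASP's server-change audit log with the client's
authorization records.

Added example for illustration, not the article's or any ASP's code.
The log format, user names, host names and ticket numbers below are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample audit log, one change event per line:
#   <timestamp> <user> <host> <action> <change-ticket-or-NONE>
# The last line is deliberately truncated to show how a malformed
# (or tampered) entry is handled rather than silently skipped.
AUDIT_LOG = """\
2001-04-10T02:14:07Z alice db01 apply-patch CHG-1041
2001-04-10T02:20:51Z alice db01 restart-service CHG-1041
2001-04-11T13:02:19Z bob fw01 modify-firewall-rule CHG-1045
2001-04-11T13:40:33Z carol db01 modify-config NONE
2001-04-12T09:15:00Z dave app02 install-software CHG-1045
2001-04-12T22:01:44Z alice app02 modify-firewall-rule CHG-1052
2001-04-13T00:00:00Z mallory
"""

# Assumed answer to "who has the right to make changes to the servers
# handling the client's data": the administrators the ASP named per host.
AUTHORIZED_ADMINS: Dict[str, Set[str]] = {
    "db01": {"alice"},
    "app02": {"alice", "dave"},
    "fw01": {"bob"},
}

# Assumed change-control record: approved tickets and the hosts each covers.
APPROVED_TICKETS: Dict[str, Set[str]] = {
    "CHG-1041": {"db01"},
    "CHG-1045": {"fw01"},
    "CHG-1052": {"app02"},
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the audit log
    reason: str
    entry: str     # the raw log line, kept for the report


def reconcile(log_text: str,
              authorized: Dict[str, Set[str]],
              approved: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per rule an audit-log entry violates.

    Rules checked:
      1. the entry parses (five whitespace-separated fields);
      2. the user is on the authorized list for that host;
      3. the change references an approved ticket that covers that host.
    """
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        fields = raw.split()
        if len(fields) != 5:
            findings.append(Finding(line_no, "malformed entry", raw))
            continue
        _ts, user, host, _action, ticket = fields

        if user not in authorized.get(host, set()):
            findings.append(Finding(line_no, f"{user} not authorized on {host}", raw))

        if ticket == "NONE":
            findings.append(Finding(line_no, "change made without a change ticket", raw))
        elif ticket not in approved:
            findings.append(Finding(line_no, f"ticket {ticket} not in approved list", raw))
        elif host not in approved[ticket]:
            findings.append(Finding(line_no, f"ticket {ticket} does not cover {host}", raw))
    return findings


def flagged_lines(findings: List[Finding]) -> List[int]:
    """Distinct audit-log line numbers that produced at least one finding."""
    return sorted({f.line_no for f in findings})


if __name__ == "__main__":
    for f in reconcile(AUDIT_LOG, AUTHORIZED_ADMINS, APPROVED_TICKETS):
        print(f"line {f.line_no}: {f.reason}: {f.entry}")
```

On the constructed log this flags line 4 twice (an administrator not on the db01 list, making a change with no ticket), line 5 once (an approved ticket being reused on a host it does not cover) and line 7 as malformed. A clean run, where every change maps to a named administrator and an approved ticket, is the evidence the last question asks for; any finding is something to take back to the ASP.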