
Application Service Providers and Outsourcing: Protect Your Assets Theresa Rowe Oakland University Copyright Theresa Rowe 2007. This work is the intellectual.


1 Application Service Providers and Outsourcing: Protect Your Assets
Theresa Rowe, Oakland University
Copyright Theresa Rowe 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Managing the ASP / Hosted Relationship
Managing the relationship
Reducing your risks
Contract and agreement language
Managing the contract

3 Take With You
Staff skills may change
Not an "outsource it and ignore it" environment
Contracts, software and vendor performance need monitoring
Push your culture and standards
Insurance and contract language protect your university

4 Application Service Provider
Webopedia:
–Abbreviated as ASP, a third-party entity that manages and distributes software-based services and solutions to customers across a wide area network from a central data center.
–Hosted CRM is an arrangement in which a company outsources some or all of its customer relationship management (CRM) functions to an application service provider (ASP).

5 From the Point of Purchase
Document requirements in the RFP process:
Security requirements
Compliance regulations – FERPA, HIPAA, SOX
IT controls

6 Vendor Relations
Time and energy
Possible issues
–Product performance
–Methods
–Data quality
–Operations
–Security

7 Know your Culture
Every standard enforced on your own campus must be written into the contract.
Standards for IT controls:
–Performance standards
–Segregation of duties
–Access controls (account activation, deletion)
–Software development security
–Change and risk management

8 Risk Management
Denial of Service
Unauthorized access or use
Theft of identity or other personal information
Sabotage and espionage
Extortion
Derogatory or libelous content

9 Risk Assessment
References, Better Business Bureau, Dun & Bradstreet checks
New technologies may not have university references
What can go wrong?

10 Consequences
Bad or corrupt data
Interruption of critical processes
Operational and financial losses
Harm to reputation

11 Risks May Not Be Covered
Many risk exposures are not covered by standard insurance policies, because there is no tangible (physical) loss:
–Liability for theft of private or confidential information
–Business interruption income loss or extra expense due to events that disrupt operations (including intrusion by insiders and denial of service attacks)
–Loss, theft or destruction of data
–Liability for attacks against third parties
–Theft of passwords by non-electronic means

12 Impact of Outsourcing
Outsourcing, hosted solutions and ASPs reallocate some of the liability to the vendor
Outsourced agreements typically provide only a limited source of recovery
Need technology errors and omissions coverage and cyber security coverage

13 Network Security / Cyber Liability
Coverage for:
–Intent to destroy or expose electronic data or make it inaccessible
–Computer viruses, Trojan horses, worms and any other type of malicious or damaging code
–Dishonest, fraudulent, malicious, or criminal use of a computer system
–Denial of Service or loss of service
–Unauthorized access

14 Sample Insurance Standards
Network Security/Cyber Liability covers liabilities resulting from data damage, destruction, corruption or disclosure. Include unauthorized access or use, virus transmission, denial of service and income loss from network security failures.
Typical limits are $5 million per occurrence and $5 million in the aggregate.

15 Technology Errors & Omissions Insurance
Covers:
–Systems analysis, design, consulting, development, programming, modification, integration, and training services
–Management, repair and maintenance of computer products, networks and systems
–Professional exposures relating to marketing and servicing hardware or software
–Data entry, modification, verification, maintenance, storage, retrieval or preparation of data output
Limits are typically recommended at $5 million for each wrongful act or series of wrongful acts
–Insurance endorsed to include subsidiaries and affiliates

16 Other Needed Insurance Coverages
Commercial General Liability
–Commercial General Liability, including blanket contractual liability covering liability assumed under this agreement, with limits not less than $1 million per occurrence and $2 million in the aggregate; $1 million each-occurrence sublimit for personal injury and advertising; $2 million for products/completed operations; and the policy adding the university as additional insured.
Workers Compensation
Automobile Liability
Crime/Fidelity Bond

17 Indemnification
Vendor should indemnify University for all loss incurred as a result of a loss caused directly or indirectly by or resulting from a security breach of University's system that results from its connectivity with vendor.
Indemnification should extend to University for actions caused by third-party service providers that the Vendor relies upon to provide IT services, if such loss is that entity's fault.
Loss includes direct or consequential damages, punitive or exemplary damages, or fines and penalties assessed to University, its affiliates, subsidiaries, etc.
University should seek indemnity for the intentional/willful misconduct of the Vendor.

18 Limitation of Liability
University should seek to have no limitation on liability for any damages, but the likely outcome is that there will be a cap on consequential damages (if the vendor will agree to that indemnification at all).
Limitations for willful misconduct and intellectual property infringement should not be accepted.

19 Sample Non-Disclosure Language
Each Receiving Party agrees to hold any information furnished to it by a Disclosing Party in the same manner that it holds its own confidential and proprietary information, to keep the information secret and treat it confidentially…

20 Sample Disclosure Language
Vendor shall immediately notify university in writing of any use or disclosure of data other than as allowed by this contract, and, to the extent practicable, shall mitigate any harmful effect of such use or disclosure.
–Report to the university any attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic data, or interference with system operations in an Information System, of which it becomes aware.

21 The Contract
Finalize in the contract
–Clearly stated purpose and expectations
–Insurance and disclosure statements
–Performance measures
–Methods
–Avoid URLs in the agreement (content behind a link can change after signing)
–Complete definitions

22 Specific Deliverables
Specified milestones
Measurable results
Transition period
Assign the contract for internal management

23 Acceptance Testing
Define the acceptance test
Include testing of maintenance and support, training, documentation
Define a cure period for test failure
Use shall not constitute acceptance!

24 Service Level Agreements
System uptime
Analysis period – month?
Statistical format

25 System Availability
Scheduled maintenance
–Time zone
Outages at the source
Unavailability over the network
Slowness and latency
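Slides 24 and 25 leave the SLA arithmetic open: which analysis period, which time zone the vendor's maintenance window is posted in, and whether source outages, network unavailability and latency are all counted the same way. The script below is an added example, not part of the presentation, showing one way the person who "tracks performance to contract" could compute a month's availability from outage tickets. The outage log, the maintenance window, the 99.9% target and the fixed EDT/PDT offsets are all constructed (October 2007 falls entirely inside daylight time for both zones, so fixed offsets are safe here; a production tracker would use zoneinfo).

```python
"""Monthly availability against a hosted-system SLA (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EDT = timezone(timedelta(hours=-4), "EDT")   # assumption: campus clock (Detroit, daylight time)
PDT = timezone(timedelta(hours=-7), "PDT")   # assumption: vendor's data-center clock
MINUTE = timedelta(minutes=1)


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    category: str  # "source" = vendor side, "network" = path to campus, "latency" = slow but up


def _clip(start, end, lo, hi):
    """Part of [start, end) inside [lo, hi), or None if nothing overlaps."""
    s, e = max(start, lo), min(end, hi)
    return (s, e) if s < e else None


def _merge(intervals):
    """Union of intervals, so overlapping tickets are not double counted."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def _subtract(interval, windows):
    """Remove scheduled-maintenance windows from one outage interval."""
    pieces = [interval]
    for w_start, w_end in windows:
        nxt = []
        for s, e in pieces:
            if w_end <= s or w_start >= e:   # disjoint from this window
                nxt.append((s, e))
                continue
            if s < w_start:                   # part before the window
                nxt.append((s, w_start))
            if w_end < e:                     # part after the window
                nxt.append((w_end, e))
        pieces = nxt
    return pieces


def _minutes(intervals):
    return sum((e - s) / MINUTE for s, e in intervals)


def availability_report(outages, maintenance, period_start, period_end, sla_pct):
    """Availability for one analysis period, excluding scheduled maintenance.

    Latency events are reported per category but not counted as downtime;
    whether they should count is a contract decision, so the category is kept.
    """
    windows = _merge(w for w in (_clip(s, e, period_start, period_end) for s, e in maintenance) if w)
    by_category = {}
    for o in outages:
        clipped = _clip(o.start, o.end, period_start, period_end)
        if clipped is None:
            continue                          # belongs to another month's report
        by_category.setdefault(o.category, []).extend(_subtract(clipped, windows))
    downtime = _merge(iv for c, ivs in by_category.items() if c != "latency" for iv in ivs)
    period_min = (period_end - period_start) / MINUTE
    scheduled_min = _minutes(windows)
    measurable = period_min - scheduled_min
    downtime_min = _minutes(downtime)
    pct = 100.0 * (measurable - downtime_min) / measurable
    return {
        "period_minutes": period_min,
        "scheduled_minutes": scheduled_min,
        "by_category": {c: _minutes(_merge(ivs)) for c, ivs in by_category.items()},
        "downtime_minutes": downtime_min,
        "availability_pct": pct,
        "sla_pct": sla_pct,
        "meets_sla": pct >= sla_pct,
    }


# Constructed data: the vendor posts maintenance in its own (Pacific) zone, tickets
# are logged in UTC, and the contract's analysis period is a campus-time calendar month.
MAINTENANCE = [(datetime(2007, 10, 7, 2, 0, tzinfo=PDT), datetime(2007, 10, 7, 4, 0, tzinfo=PDT))]
OUTAGES = [
    Outage(datetime(2007, 9, 30, 23, 0, tzinfo=UTC), datetime(2007, 10, 1, 1, 0, tzinfo=UTC), "source"),     # prior month
    Outage(datetime(2007, 10, 7, 9, 30, tzinfo=UTC), datetime(2007, 10, 7, 11, 30, tzinfo=UTC), "source"),   # overran window by 30 min
    Outage(datetime(2007, 10, 15, 14, 0, tzinfo=UTC), datetime(2007, 10, 15, 14, 45, tzinfo=UTC), "network"),
    Outage(datetime(2007, 10, 15, 14, 30, tzinfo=UTC), datetime(2007, 10, 15, 15, 0, tzinfo=UTC), "source"),  # overlaps the network ticket
    Outage(datetime(2007, 10, 20, 13, 0, tzinfo=UTC), datetime(2007, 10, 20, 16, 0, tzinfo=UTC), "latency"),
]


def october_2007_report():
    return availability_report(OUTAGES, MAINTENANCE,
                               datetime(2007, 10, 1, tzinfo=EDT), datetime(2007, 11, 1, tzinfo=EDT),
                               sla_pct=99.9)


if __name__ == "__main__":
    for key, value in october_2007_report().items():
        print(f"{key:20} {value}")
```

The three edge cases the slides hint at are all exercised: a ticket from the previous month is clipped away, an outage that runs past the posted maintenance window is charged only for the overrun, and two overlapping tickets (network plus source) are counted once. On this constructed month the system comes in at about 99.80% against a 99.9% target, which is the kind of result the weekly operational review would raise with the vendor.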

26 Copyright
Sharing logos
Branding
Recognizing the authority

27 Data Quality
Data quality standards documented well enough to contractually control quality
Data contextual issues

28 Data Privacy
Published privacy statement
Permission to share
Mutual non-disclosure
Handling of a data breach

29 Process Integrity
Processes defined well enough to write into the contract

30 Security
University data off-campus needs the same protections as data on-campus.
–Secure FTP
–SSL
–VPN
–Security audits

31 Termination
Failed tests
Customer complaints
Failure to cure
Merger and acquisition
Specify transition assistance
Specify equitable relief

32 Disaster Recovery and Continuity
Equal priority for return to service with all other customers

33 Managing the Relationship
Who on your staff
–Negotiates further with vendor
–Accepts vendor excuses, apologies or adjustments
–Interprets IT for Legal or Risk Management areas
–Tracks performance to contract
–Is contacted in the future for new products, new modules, etc.

34 Skills
–Negotiation
–Software license metrics management
–Cost/benefit analysis
–Understanding of contract and insurance language
–System & network performance metrics
–Proofreading

35 Operational Review
Weekly meeting to review
–Performance measures tracked against the contract
–Operational methods
–Any issues
–Documented conversation

36 What We Do – Part 1 – Project
Project Checklist
–Security review questions
–Are you transferring data currently residing on an OU computer to a computer not owned by OU?
–Are confidential or payment card data involved?
–Will data be collected and sent to OU?

37 Part 2 – System Review
Product review
Vendor discussions
General security review
Exploration of applicable standards

38 Part 3 – Contract Review
Data access controls
Data quality standards
Notification procedures
Data storage review
Network security review
Disaster and continuity plans
Privacy and compliance review
Termination

39 Last Step – Contract Addendum
Defines minimum security and operational criteria
Vendor written response required
General security standards
Termination points

40 Key Points
Annual security audit with shared results
Documented architecture
Compliance with state & federal privacy and security legislation within 60 days of enactment
Evidence of insurance, PCI compliance

41 Key Points
Physical security description
24-hour surveillance video of evidentiary quality
Hiring background checks
Firewall documentation
File transfer security documentation

42 Key Points
List of all software with release number and patch level
Plan for applying releases, upgrades and patches
Password management plan
Account maintenance plan
Cryptography standards
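Slide 7 asks for access controls (account activation, deletion) and segregation of duties to be written into the contract, and slide 42 asks the vendor for an account maintenance plan. Neither says how the university would check that the vendor is actually keeping to it. The script below is an added example, not part of the presentation, of the reconciliation a campus reviewer could run between the vendor's account export and the campus roster: accounts still active after separation, privileged roles held by people not on the approved administrator list, and accounts with no recent or no recorded login. Both CSV exports, the approved-administrator set, the column names and the 90-day / 7-day thresholds are constructed assumptions.

```python
"""Reconcile a hosted vendor's account export with campus data (added example; constructed data)."""
import csv
import io
from datetime import date

# Constructed vendor export: what a hosted system's admin console might let you download.
VENDOR_EXPORT = """\
username,role,last_login,status
jdoe,admin,2007-09-28,active
asmith,user,2007-09-30,active
bwong,user,2007-05-01,active
tlee,admin,2007-09-29,active
cgray,user,2007-09-15,active
svc_batch,admin,,active
"""

# Constructed campus roster: the HR/identity feed the university controls.
HR_ROSTER = """\
username,employment_status,separation_date
jdoe,active,
asmith,active,
bwong,separated,2007-06-15
tlee,active,
svc_batch,service,
"""

APPROVED_ADMINS = {"jdoe"}  # assumption: the administrator list the university signed off on


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(vendor_rows, hr_rows, approved_admins, as_of, stale_days=90, deletion_sla_days=7):
    """Return (finding, username, detail) for every account-maintenance control failure.

    stale_days and deletion_sla_days stand in for the numbers the contract addendum
    would fix; they are assumptions here.
    """
    roster = {r["username"]: r for r in hr_rows}
    findings = []
    for acct in vendor_rows:
        user = acct["username"]
        rec = roster.get(user)
        if rec is None:
            # Account exists at the vendor but nobody on campus vouches for it.
            findings.append(("unknown_account", user, "not in campus roster"))
        elif rec["employment_status"] == "separated" and acct["status"] == "active":
            # Deletion on separation is the access control slide 7 asks for.
            separated = date.fromisoformat(rec["separation_date"])
            overdue = (as_of - separated).days - deletion_sla_days
            findings.append(("orphaned_account", user,
                             f"separated {separated}, deletion overdue by {overdue} days"))
        if acct["role"] == "admin" and user not in approved_admins:
            # Segregation of duties: privilege must trace to an approval, not a vendor default.
            findings.append(("unapproved_admin", user, "privileged role not on approved list"))
        if acct["last_login"]:
            idle = (as_of - date.fromisoformat(acct["last_login"])).days
            if idle > stale_days:
                findings.append(("stale_account", user, f"no login for {idle} days"))
        else:
            findings.append(("never_logged_in", user, "no login recorded; confirm it is still needed"))
    return findings


def run_example():
    return reconcile(parse_csv(VENDOR_EXPORT), parse_csv(HR_ROSTER),
                     APPROVED_ADMINS, as_of=date(2007, 10, 1))


if __name__ == "__main__":
    for kind, user, detail in run_example():
        print(f"{kind:18} {user:10} {detail}")
```

Run against the constructed data this flags a separated employee whose account is still active 101 days past the deletion window and idle for 153 days, two administrators (one of them a service account that has never logged in) who are not on the approved list, and one vendor-side account the campus roster does not know about. Each finding is the kind of item the weekly operational review (slide 35) would record and track to a vendor response, and the checks run on exports only, so no vendor API access is needed.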

43 Web Security
Development standards
SSL implementation
Quality control procedures

44 Key Points
System performance
Disaster recovery plans
Uptime standards
Acceptable response times for standard applications

45 Data Controls
University owns the data quality standard
Prohibit sharing with a third party or sub-contractor without approval
Process for accidental data exposure
Non-disclosure language
Protections for confidential data

46 Evaluation & Approval
Engagement is approved by
–University Technology Services
–Office of Purchasing and Risk Management
–And if needed, General Counsel

47 References
Educause
Caucus – Association of Technology Procurement Professionals
SANS oviders.pdf

48 Insurance Risk Information
You may also contact Thomas Srail of Willis:
Thomas Srail, Vice President, Willis Executive Risks E&O and E-Risk Team

49 Technology Procurement
Caucus – Association of Technology Procurement Professionals
Open ITAM – Open Information Technology Asset Management

50 Questions? Thank you!
–Theresa Rowe
Happy Trails to You!
