
Upload: trinhliem

Post on 03-Jan-2017


Page 1: SaaS CLOUD SUPPLIER CHECKLIST

SaaS CLOUD SUPPLIER CHECKLIST

CONTENTS

The Intent of This Document (page 1)
How To Use this Document (page 2)
Supplier Information (page 2)
Checklist: General Questions (page 3)
Checklist: Infrastructure (page 3)
Checklist: Security/Risk Management (page 4)
Checklist: Training (page 6)
Checklist: Support and SLA (page 6)
Checklist: Data Management (page 6)
Checklist: Disaster Recovery (page 7)
Document Requests (page 8)

THE INTENT OF THIS DOCUMENT

The intent of this document is to enable our organization to develop, purchase, and/or maintain SaaS/Cloud applications that can be trusted, by approaching application security as a people, process, and technology opportunity. This document guides the “what, why, when, where, and how” of validating Software as a Service providers by listing the assessment items that should be considered. It is designed to help us understand what comprises sound Service provider processes and to help us identify the steps we need to undertake to evaluate Service providers.

HOW TO USE THIS DOCUMENT

To Suppliers completing this document: answer all applicable questions with a ‘Yes’ or ‘No’ response in the ‘Supplier Response’ column, along with supporting information. If a question is not applicable, place an N/A in the Supplier Response column. An approved Supplier representative should acknowledge completion by signing this document in the Supplier Information section. Once signed, the document should be returned to

Insert your company name and method to return the document.

SUPPLIER INFORMATION:

Submitted To: ____________________          Location: ___________________________________

Completed by: ____________________________________          ___________________________________
              (Name)                                        (Title)

CHECKLIST: GENERAL QUESTIONS

Item | General Questions | Supplier Response

1. What is your definition of a standard Pilot Period?

2. Define your company’s problem escalation clause.

3. Does your company follow a Project Management Methodology? Describe your management process.

4. Will your company have sufficient resources available for this project and ongoing administration?

5. Describe your software’s Web Analytics capabilities.

6. Describe the types of documentation provided for business processes and users?

7. We define users of service as business partners, consumers, employees, etc. Define ‘users of service’ in your terms.

8. How are payment disputes handled?

9. Are contracts restricted to product name or can a generic description of function/service be used without additional fee?

10. If extensive software customization is required and we are able to develop the customization, describe how the software could be licensed to allow that.

11. Identify your change control processes.

12. Describe expectations we should have regarding internal help desk impact.

13. Describe expectations we should have regarding internal application support impact.

14. Do you have a Research and Development (R&D) department?

15. Does a user group exist?

CHECKLIST: INFRASTRUCTURE

16. What is your platform and architecture?

17. Identify any existing cascading service providers and their role.

CHECKLIST: SECURITY/RISK MANAGEMENT:

Item | General Questions | Supplier Response

18. Do you comply with the General Data Privacy Regulations regarding the privacy of names and addresses (European data privacy directive)? Describe the process.

19. Describe your privacy processes and how alerts would be generated in case of a security breach.

20. Define price caps for renewal of the agreement.

21. Detail an Exit Plan including operational and organizational components: define exit justification and timing (Note: recommend 120 days for mission-critical data); define the method of data transfer, the data file format, and responsibility for delivery of data at the end of the contract (recommend this be the Service provider’s responsibility).

22. If the software vendor exits, would we retain the right to procure the software and bring it in-house (as part of an escrow agreement)?

23. What type of test environment is made available? What additional fees are levied for a testing environment?

24. Describe your global service/support agreement.

25. Describe your support of the Secure Sockets Layer (SSL) or other industry-standard transport with 128-bit or stronger encryption, and of two-factor authentication, for connecting to the security application.

26. Describe how you provide redundancy and load balancing for firewalls, intrusion prevention and other critical security elements.

27. Describe how external penetration tests are performed, and the timing of the last test.

28. Describe external audits and when they were last performed (e.g. SSAE-16 or successor type).

29. Describe how you protect your network from intrusion.

30. Describe how you contract for, or provide, protection against malicious web attacks.

31. Please provide a documented policy for "hardening" the operating system under the web and other servers.

32. Please provide validated procedures for configuration management, patch installation, and malware prevention for all servers and PCs involved in SaaS delivery.

33. Is this a multi-tenant or single-tenant environment?

34. If multi-tenant, describe the controls used to ensure the separation of data and security information between customer applications.

35. How do you review the security of applications (and any supporting code, such as Ajax, ActiveX controls and Java applets) that you develop and use?

36. Describe any content monitoring and filtering or data leak prevention processes/controls used to detect inappropriate data flows.

37. Have you experienced a breach? If so, please describe.

38. Describe documented procedures for configuration management, including installing security patches, for all applications.

39. If the application involves data that is covered by regulations such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) standard, do you meet the regulatory requirements for data protection? For example, PCI requires certain types of data to be encrypted whenever stored. Describe which sections of the Telcordia standards you subscribe to.

40. Are background checks performed on personnel with administrative access to servers, applications and customer data? Describe the procedure.

41. Provide the documented process for evaluating security alerts from operating system and application Service providers, shielding systems from attack until patched, and installing security patches and service packs.

42. Do you use write-once technology for storing audit trails and security logs? If not, describe the methodology used.

43. Please provide documented procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation.

44. Describe the procedures used for business continuity and disaster recovery that would include your applications and all data, as well as evidence that you have tested those procedures during the past 12 months.

45. What is your security staff’s average length of experience in information and network security?

46. What percentage of your security staff have security industry certification, such as from the Certified Information Systems Security Professional (CISSP) certification program (www.isc2.org) or Global Information Assurance Certification (GIAC; www.giac.org/) (recommend 75%)?

47. Provide documented identity management and help-desk procedures for authenticating callers and resetting access controls, as well as establishing and deleting accounts.

48. Describe user access audits.

CHECKLIST: TRAINING:

Item | General Questions | Supplier Response

49. Describe any training fees.

50. Describe the training model for business, administrative and technical processes.

CHECKLIST: SUPPORT AND SLA

Item | General Questions | Supplier Response

51. Describe incentives and penalties for service level violations. (Note: Gartner recommends 10-20% of the service cost for the month; if SLAs are not met two months in a row, refund prepaid fees.)

52. What is your SLA for uptime and availability? (Best in class is 99.8%; it should range from 99.3% to 99.8%. Timing for updates should be late on Friday and Saturday evenings, 9-11 pm.)

53. What is your guaranteed performance response time (NMHG 1-5 min)?

54. What browsers are supported?

55. Using a scenario description, please describe the end user support model.

56. How often are Service Level Agreement (SLA) audits conducted? (Recommend 3 times a year.)

CHECKLIST: DATA MANAGEMENT:

57. How can data be extracted, in what format, and how often (e.g. daily, monthly, quarterly)?

58. Define what constitutes ‘our data’ (e.g. transactional data, administration data, etc.).

59. What types of extraneous data storage fees exist?

60. What are your integration development fees?

61. What are your real-time data transfer fees?

62. How do you provide for software ownership (escrow) to protect data?

63. What is your process for implementing software updates, new elements or changes?

64. Software release process: could we remain on an older version if not ready to upgrade? Describe your update policy.

65. Define the software staging and testing process related to upgrading to a newer release.

66. Please provide your release schedule for the next 2-3 years.

CHECKLIST: DISASTER RECOVERY:

67. How are subscriber recovery requirements defined and addressed in the service contract?

68. Would individual customers have pre-emptive recovery rights over others? If yes, then please describe the circumstances that would allow this to happen.

69. If pre-emptive recovery rights are allowed, then describe the supported procedures (and related contractual terms) that enable a customer to have these rights.

70. Have you ever failed to meet your application and data recovery commitments to a customer at the time of a disaster? If so, then describe the circumstances that caused this to occur, and how this management deficiency was remediated to prevent future occurrences.

71. Describe the extent to which your business insurance covers service management liabilities.

72. Which specific events (such as flooding, fire or earthquakes) do you qualify as disasters that would trigger the beginning of recovery operations?

73. Describe your disaster alert and declaration policies and procedures, as well as how often these procedures are tested each year.

74. Describe your disaster declaration and customer identification procedures, and their associated time frames.

75. Can a declaration be made for a subset of systems in the data center? If so, then under what conditions?

76. What support services are contractually guaranteed at the time of a disaster?

77. What, if any, incremental support fees are charged to the subscriber to cover the costs of post-disaster recovery activities?

78. What, if any, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) service levels do you manage for your customers?

79. Do recovery service levels vary by customer? If so, what are those variations?

80. How are RTO- and RPO-based SLAs contractually committed?

81. Is recovery from logical database errors (for example, loss of data integrity due to misapplied changes or media corruption) supported by your RTO and RPO service-level management procedures?

82. What is a customer's recourse if you fail to meet contracted recovery service levels following a disaster?

83. Provide a list of your recovery facility locations.

84. Describe your physical security systems and staff at the proposed facility.

85. Describe your fire detection and suppression systems at the proposed recovery facility and at alternative recovery facilities.

86. Describe the water detection and containment systems at the proposed recovery facility and at alternative recovery facilities.

87. Describe the temperature and humidity support systems and their backups at the proposed recovery facility and at alternative recovery facilities.

88. Describe the electrical and cooling support systems and their backups at the proposed recovery facility and at alternative recovery facilities.

89. List the facilities, telecom and support providers (if relevant) that you subcontract for service delivery.

90. What process is in place to ensure that your organization keeps current customer configurations on file to expedite service restoration after the occurrence of a disaster?

91. By what method are customer configuration changes (excluding hardware) communicated, reviewed, approved and implemented?

92. Provide a summary of your disaster recovery plan, its associated testing methodology and test exercise frequency.

93. What were the actual results of your last recovery test?

94. What is your policy for coordinating customer disaster recovery testing with your own internal disaster recovery testing?

95. What is your policy for remediating management deficiencies found during disaster recovery testing?

96. Does the service provider require the use of two-factor authentication for the administrative control of servers, routers, switches and firewalls?

DOCUMENT REQUESTS:

Item | General Questions | Supplier Response

97. Please provide a Disaster Recovery Statement.

98. Please provide a Statement of Work.

99. Please provide a Contract Sample.

100. Please provide a definition of the administrative services provided by the service provider that are included in the monthly service fee.

101. Please provide a definition of the consultative services provided by the service provider that are included in the monthly service fee.

102. Provide the external audit reports for your organization and, if applicable, for outsourced data centers.