Page 1: Application Service Providers and Outsourcing: Protect Your Assets

Theresa Rowe, Oakland University

Copyright Theresa Rowe 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Managing the ASP / Hosted Relationship

• Managing the relationship

• Reducing your risks

• Contract and agreement language

• Managing the contract

Page 3: Take With You

• Staff skills may change

• Not an “outsource it and ignore it” environment

• Contracts, software and vendor performance need monitoring

• Push your culture and standards

• Insurance and contract language protect your university

Page 4: Application Service Provider

• Webopedia: Abbreviated as ASP, a third-party entity that manages and distributes software-based services and solutions to customers across a wide area network from a central data center.

• Whatis.com: Hosted CRM is an arrangement in which a company outsources some or all of its customer relationship management (CRM) functions to an application service provider (ASP).

Page 5: From the Point of Purchase

• Document requirements in the RFP process

• Security requirements

• Compliance regulations – FERPA, HIPAA, SOX

• IT controls

Page 6: Vendor Relations

• Time and energy

• Possible issues
– Product performance
– Methods
– Data quality
– Operations
– Security

Page 7: Know Your Culture

• Every standard enforced on your own campus must be written into the contract.

• Standards for IT controls:
– Performance standards
– Segregation of duties
– Access controls (account activation, deletion)
– Software development security
– Change and risk management

Page 8: Risk Management

• Denial of Service

• Unauthorized access or use

• Theft of identity or other personal information

• Sabotage and espionage

• Extortion

• Derogatory or libelous content

Page 9: Risk Assessment

• References, Better Business Bureau, Dun & Bradstreet checks

• New technologies may not have university references

• What can go wrong?

Page 10: Consequences

• “Bad” or corrupt data

• Interruption of critical processes

• Operational and financial losses

• Harm to reputation

Page 11: Risks May Not Be Covered

• Many risk exposures are not covered by standard insurance policies, because there is no tangible loss:
– Liability for theft of private or confidential information
– Business interruption income loss or extra expense due to events that disrupt operations (including intrusion by insiders and denial of service attacks)
– Loss, theft or destruction of data
– Liability for attacks against third parties
– Theft of passwords by non-electronic means

Page 12: Impact of Outsourcing

• Outsourcing, hosted solutions and ASPs reallocate some of the liability to the vendor

• Outsourced agreements typically provide only a limited source of recovery

• Need technology errors and omissions coverage and cyber security coverage

Page 13: Network Security / Cyber Liability

• Coverage for:
– Intent to destroy or expose electronic data or make it inaccessible
– Computer viruses, Trojan horses, worms and any other type of malicious or damaging code
– Dishonest, fraudulent, malicious, or criminal use of a computer system
– Denial of Service or loss of service
– Unauthorized access

Page 14: Sample Insurance Standards

• Network Security/Cyber Liability covers liabilities resulting from data damage / destruction / corruption / disclosure.

• Include unauthorized access or use, virus transmission, denial of service and income loss from network security failures.

• Typical limits are $5 million per occurrence and $5 million in the aggregate.

Page 15: Technology Errors & Omissions Insurance

• Covers:
– Systems analysis, design, consulting, development, programming, modification, integration, and training services
– Management, repair and maintenance of computer products, networks and systems
– Professional exposures relating to marketing and servicing hardware or software
– Data entry, modification, verification, maintenance, storage, retrieval or preparation of data output

• Limits are typically recommended at $5 million for each wrongful act or series of wrongful acts
– Insurance endorsed to include subsidiaries and affiliates

Page 16: Other Needed Insurance Coverages

• Commercial General Liability, including blanket contractual liability covering liability assumed under this agreement, with limits not less than $1 million per occurrence and $2 million in the aggregate; a $1 million each-occurrence sublimit for personal injury and advertising; $2 million for products/completed operations; and the policy adding the university as an additional insured.

• Worker’s Compensation

• Automobile Liability

• Crime/Fidelity Bond

Page 17: Indemnification

• Vendor should indemnify University for all loss caused directly or indirectly by, or resulting from, a security breach of University’s system that results from its connectivity with Vendor.

• Indemnification should extend to University for loss caused by third-party service providers that Vendor relies upon to provide IT services, if the loss is that entity’s fault.

• Loss includes direct or consequential damages, punitive or exemplary damages, and fines and penalties assessed against University, its affiliates, subsidiaries, etc.

• University should seek indemnity for the intentional or willful misconduct of Vendor.

Page 18: Limitation of Liability

• University should seek to have no limitation on liability for any damages, but the likely outcome is a cap on consequential damages (if the vendor will agree to that indemnification at all). Limitations on liability for willful misconduct and intellectual property infringement should not be accepted.

Page 19: Sample Non-Disclosure Language

• Each Receiving Party agrees to hold any information furnished to it by a Disclosing Party in the same manner that it holds its own confidential and proprietary information, to keep the information secret and treat it confidentially…

Page 20: Sample Disclosure Language

• Vendor shall immediately notify University in writing of any use or disclosure of data other than as allowed by this contract, and, to the extent practicable, shall mitigate any harmful effect of such use or disclosure.
– Report to the University any attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic data, or interference with system operations in an Information System, of which it becomes aware.

Page 21: The Contract

• Finalize in the contract
– Clearly stated purpose and expectations
– Insurance and disclosure statements
– Performance measures
– Methods
– Avoid URLs in the agreement (linked content can change after signing; put the text itself in the contract)
– Complete definitions

Page 22: Specific Deliverables

• Specified milestones

• Measurable results

• Transition period

• Assign the contract for internal management

Page 23: Acceptance Testing

• Define acceptance test

• Include testing of maintenance and support, training, documentation

• Define cure period for test failure

• Use shall not constitute acceptance!

Page 24: Service Level Agreements

• System uptime

• Analysis period – month?

• Statistical format

Page 25: System Availability

• Scheduled maintenance windows, with the time zone stated

• Outages at the source

• Unavailability over the network

• Slowness and latency
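The Service Level Agreements and System Availability slides list what an uptime SLA has to pin down (the analysis period, the statistical format, maintenance windows and their time zone, source outages, network unavailability, and slowness) but not the arithmetic the university will later argue about. The Python below is an added example, not material from the original deck: it computes one month's availability from constructed outage and maintenance records, excuses downtime that falls inside scheduled maintenance, removes scheduled time from the denominator, counts latency breaches as downtime, and shows how reading the vendor's maintenance window in the campus time zone instead of the vendor's changes the reported figure. The two fixed-offset zones, the 99.5% target, the "source/network/latency" categories and every record are assumptions made for the example.

```python
"""Monthly SLA availability report from outage and maintenance records.

Added example for the SLA and System Availability slides; not from the
original deck. Time zones, targets and all records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Fixed offsets stand in for campus and vendor local time (assumed values; a
# real SLA should name an IANA zone and say how daylight-saving changes apply).
CAMPUS_TZ = timezone(timedelta(hours=-5), "campus")
VENDOR_TZ = timezone(timedelta(hours=-8), "vendor")


@dataclass(frozen=True)
class Interval:
    start: datetime  # timezone-aware
    end: datetime

    def overlap(self, other: "Interval") -> timedelta:
        """Length of the intersection of two intervals (zero when disjoint)."""
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return max(hi - lo, timedelta(0))


@dataclass(frozen=True)
class Outage:
    window: Interval
    kind: str  # "source" (vendor side), "network" (unreachable), "latency" (too slow)


def sunday_maintenance(year, month, start_hour, end_hour, tz):
    """Maintenance windows on every Sunday of the month, expressed in zone `tz`."""
    windows = []
    day = datetime(year, month, 1, tzinfo=tz)
    while day.month == month:
        if day.weekday() == 6:  # Sunday
            windows.append(Interval(day.replace(hour=start_hour), day.replace(hour=end_hour)))
        day += timedelta(days=1)
    return windows


def monthly_report(period, outages, maintenance, target_pct):
    """Availability for one analysis period: downtime inside a scheduled window
    is excused, and scheduled time is removed from the denominator. Maintenance
    windows are assumed not to overlap each other."""
    measured = period.end - period.start
    for m in maintenance:
        measured -= m.overlap(period)
    by_kind = {}
    for o in outages:
        lo, hi = max(o.window.start, period.start), min(o.window.end, period.end)
        if hi <= lo:
            continue  # entirely outside this period
        clipped = Interval(lo, hi)
        excused = sum((clipped.overlap(m) for m in maintenance), timedelta(0))
        minutes = (hi - lo - excused).total_seconds() / 60
        by_kind[o.kind] = by_kind.get(o.kind, 0.0) + minutes
    downtime = sum(by_kind.values())
    availability = 100.0 * (1 - downtime / (measured.total_seconds() / 60))
    return {
        "measured_minutes": measured.total_seconds() / 60,
        "downtime_by_kind": by_kind,      # the "statistical format": minutes per category
        "downtime_minutes": downtime,
        "availability_pct": round(availability, 3),
        "meets_target": availability >= target_pct,
    }


# Constructed sample month; all outage timestamps recorded in UTC.
PERIOD = Interval(datetime(2007, 3, 1, tzinfo=UTC), datetime(2007, 4, 1, tzinfo=UTC))
OUTAGES = [
    Outage(Interval(datetime(2007, 3, 4, 10, 30, tzinfo=UTC), datetime(2007, 3, 4, 11, 30, tzinfo=UTC)), "source"),
    Outage(Interval(datetime(2007, 3, 9, 14, 0, tzinfo=UTC), datetime(2007, 3, 9, 14, 45, tzinfo=UTC)), "source"),
    Outage(Interval(datetime(2007, 3, 11, 11, 45, tzinfo=UTC), datetime(2007, 3, 11, 12, 15, tzinfo=UTC)), "source"),
    Outage(Interval(datetime(2007, 3, 15, 3, 0, tzinfo=UTC), datetime(2007, 3, 15, 3, 20, tzinfo=UTC)), "network"),
    # Responses slower than the contracted limit are counted as downtime (assumed SLA rule).
    Outage(Interval(datetime(2007, 3, 20, 16, 0, tzinfo=UTC), datetime(2007, 3, 20, 18, 30, tzinfo=UTC)), "latency"),
]
TARGET_PCT = 99.5  # assumed contract target


def report_as_written():
    """Vendor maintenance 02:00-04:00 every Sunday, read in the vendor's zone."""
    return monthly_report(PERIOD, OUTAGES, sunday_maintenance(2007, 3, 2, 4, VENDOR_TZ), TARGET_PCT)


def report_with_zone_mistake():
    """Same window read in campus time: real maintenance outages now count against the SLA."""
    return monthly_report(PERIOD, OUTAGES, sunday_maintenance(2007, 3, 2, 4, CAMPUS_TZ), TARGET_PCT)


if __name__ == "__main__":
    print("vendor zone:", report_as_written())
    print("campus zone:", report_with_zone_mistake())
```

Run as written, the month comes out at 99.479% (target missed only because the latency outage counts; drop it and the same month reports 99.819%), and reading the maintenance window in campus time turns 75 minutes of excused maintenance into counted downtime and reports 99.309%. Both differences are contract language, not engineering, which is why the analysis period, the time zone and the treatment of slowness belong in the SLA text.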

Page 26: Copyright

• Sharing logos

• Branding

• Recognizing the authority

Page 27: Data Quality

• Data quality standards documented well enough to contractually control quality

• Data contextual issues

Page 28: Data Privacy

• Published privacy statement

• Permission to share

• Mutual non-disclosure

• Handling of a data breach

Page 29: Process Integrity

• Processes defined well enough to write into the contract

Page 30: Security

• University data held off-campus need the same protections as data on-campus:
– Secure FTP
– SSL
– VPN
– Security audits

Page 31: Termination

• Failed tests

• Customer complaints

• Failure to cure

• Merger and acquisition

• Specify transition assistance

• Specify equitable relief

Page 32: Disaster Recovery and Continuity

• Equal priority for return to service with all other customers

Page 33: Managing the Relationship

• Who on your staff
– Negotiates further with the vendor
– Accepts vendor excuses, apologies or adjustments
– Interprets IT for Legal or Risk Management areas
– Tracks performance to contract
– Is contacted in the future for new products, new modules, etc.

Page 34: Skills

– Negotiation
– Software license metrics management
– Cost/benefit analysis
– Understanding of contract and insurance language
– System & network performance metrics
– Proofreading

Page 35: Operational Review

• Weekly meeting to review
– Performance measures tracked against the contract
– Operational methods
– Any issues
– Documented conversation

Page 36: What We Do – Part 1 – Project

• Project Checklist
– Security review questions
– Are you transferring data currently residing on an OU computer to a computer not owned by OU?
– Are confidential or payment card data involved?
– Will data be collected and sent to OU?

Page 37: Part 2 – System Review

• Product review

• Vendor discussions

• General security review

• Exploration of applicable standards

Page 38: Part 3 – Contract Review

• Data access controls

• Data quality standards

• Notification procedures

• Data storage review

• Network security review

• Disaster and continuity plans

• Privacy and compliance review

• Termination

Page 39: Last Step – Contract Addendum

• Defines minimum security and operational criteria

• Vendor written response required

• General security standards

• Termination points

Page 40: Key Points

• Annual security audit with shared results

• Documented architecture

• Compliance with state & federal privacy and security legislation within 60 days of enactment

• Evidence of insurance, PCI compliance

Page 41: Key Points

• Physical security description

• 24-hour surveillance video of evidentiary quality

• Hiring background checks

• Firewall documentation

• File transfer security documentation

Page 42: Key Points

• List of all software with release number and patch level

• Plan for applying releases, upgrades and patches

• Password management plan

• Account maintenance plan

• Cryptography standards

Page 43: Web Security

• Development standards

• SSL implementation

• Quality control procedures

Page 44: Key Points

• System performance

• Disaster recovery plans

• Uptime standards

• Acceptable response times for standard applications

Page 45: Data Controls

• University owns data quality standard

• Prohibit sharing with third-party or sub-contractor without approval

• Process for accidental data exposure

• Non-disclosure language

• Protections for confidential data

Page 46: Evaluation & Approval

• Engagement is approved by
– University Technology Services
– Office of Purchasing and Risk Management
– And, if needed, General Counsel

Page 47: References

• Educause: www.educause.edu

• Caucus – Association of Technology Procurement Professionals: www.caucusnet.com

• SANS: www.sans.org
– www.sans.org/resources/policies/Application_Service_Providers.pdf
– www.sans.org/resources/policies/asp_standards.pdf

Page 48: Insurance Risk Information

• You may also contact Thomas Srail of Willis:

Thomas Srail, Vice President

Willis Executive Risks

E&O and E-Risk Team

246-357-5997

[email protected]

Page 49: Technology Procurement

Caucus – Association of Technology Procurement Professionals

http://www.caucusnet.com

Open ITAM – Open Information Technology Asset Management

Page 50: Questions?

• Thank you!
– Theresa Rowe, [email protected]

Happy Trails to You!