Industry View

Eyeballing the Security of Application Service Providers

Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, gives advice on vetting Application Service Providers to ensure security for your business

By Jeremiah Grossman

Page 4

*You may be required to sign a non-disclosure agreement

4) Contractual Liability and Customer Rights

In ASP service level agreements, contractual liability relating to security is normally placed squarely on the vendor for the aspects the vendor controls. ASPs may also contractually assume liability to win your business, and because they are insured against loss. But this is not the end of your security due diligence process. As with many regulated industries, including those covered by Part 748 of the federal National Credit Union Administration rules and regulations, you need to treat a vendor's security practices as you would your own. It's not possible to contractually sign away your legal responsibilities.

More information can be found in Part 748 of the federal National Credit Union Administration rules and regulations.

Questions and Good Answers

Do you carry contractual liability in a case of downtime due to unforeseen circumstances (DoS, power outage, etc)?
While we take every precaution to ensure 100% uptime, unforeseen circumstances do occur. We will credit customer accounts for any interruptions in service. In the unlikely event of a serious incident, we carry comprehensive business insurance policies ensuring stable business continuity.

*It's possible, though unlikely, that an ASP will take on an unlimited amount of liability due to an error in their service.

May we perform security tests on our website?
We understand that customers may feel more comfortable performing or contracting security assessments on their own websites. On a case-by-case basis we may authorize this activity. We ask, however, to be notified well in advance of any testing so that the appropriate scope of the project can be determined. Certain considerations for our operations staff and intrusion detection systems need to be put in place.

*You'll likely receive a certain level of administrative pushback, but in the end, if you get it, it's well worth the effort.

Will we be promptly notified in the event of unauthorized security breaches?
While we take security very seriously, our company and our customers understand that no security system is completely impenetrable. Unfortunate incidents do occur. In the unlikely event of a security breach, per corporate policy, we will quickly ascertain the scope of the incident and take immediate action to prevent further damage. If the incident affects one or more of our customers, we will inform them of the details. Moving forward, we will analyze the cause of the breach and implement permanent preventative measures.

*What you are looking for is a responsible vendor looking out for your well-being. This is important because a vendor gains no customer benefit by keeping the issue from you, and prompt notification lets you take measures to protect yourself as well.

WhiteHat Security
