Sunday, April 15, 2012

Application Service Provider Checklist Examples

The purpose of the "Application Service Provider Checklist" is to gather background information on the external vendors (third parties) that currently provide, or plan to provide, hosted application services for your business. The checklist is organized into four sections (Service Provider, Network, Operations, Disaster Recovery); each numbered item is a question for the vendor, with a Response column for the vendor's answer.
Section A: Service Provider (item, question, vendor response)

A1. Provide the name of the Application Service Provider (outsourcer) and its business address.
A2. Provide the name of the application to be hosted at the provider's location.
A3. How long have you performed as, or provided, Application Service Provider (ASP) hosting services?
A4. How many applications do you provide hosting services for?
A5. How many customers do you currently support?
    How many customers do you support for the application your company is interested in (if you host more than one application)?
A6. Do you provide both shared and dedicated infrastructure (application, database, O/S) hosting options?
    a. How many customers utilize your shared infrastructure?
    b. How many customers utilize your dedicated infrastructure?
    c. Do you have separate database instances for your customers, or do they share the same database?
    d. Are the application, web, and database tiers on separate servers?
    e. How many application servers are used to host the application?
    f. How many database servers are used to host the database?
    g. For web-based environments, is the web server installed on the same server as the application? If not, how many web servers are used to support the application?
A7. What IT governance or security framework do you use for your control environment (COBIT, ISO 17799 / ISO 27002, internal policies and standards, etc.)?
A8. Do you have an internal and/or external audit function?
A9. Have you contracted with a third party to provide an attestation of your control environment (e.g. SAS 70 certified, BITS)?
    a. Please indicate the name of the attestation and how often it is performed.
    b. Note: for SAS 70, please indicate Type I or Type II.
A10. Has a major acquisition (merger) occurred, or will one occur, in the next 6-12 months?
A11. What is your core business (expertise)?
Section B: Network (item, question, vendor response)

B1. Describe all end-to-end encryption methods currently supported (e.g. SSL, HTTPS, VPN, IPsec, SFTP) to securely transport data between you and your customers, including the strength of the cipher (e.g. 128-bit).
B2. Describe all email encryption methods you currently support (e.g. TLS, PGP, etc.).
B3. Are strong authentication measures (e.g. two-factor authentication using RSA tokens or smart cards) used for remote access to your network or for remote administration of network devices (e.g. firewalls, routers, switches, IDS, etc.)?
    Note: a userid/password is single-factor.
B4. Is redundancy and/or failover employed for critical devices such as firewalls, servers, load balancers, etc.? Please provide detail.
B5. Are intrusion detection or intrusion prevention systems used?
    a. Network-based: where deployed?
    b. Host-based: where deployed?
    c. Application-based: where deployed?
B6. Please provide information about vulnerability assessments performed for your environment:
    a. List the types of assessments performed (penetration tests, network vulnerability scanning, etc.).
    b. Describe the scope of the assessments (network perimeter, application assessment, etc.).
    c. How often are they performed?
    d. Are they performed by internal staff or by external parties?
Section C: Operations (item, question, vendor response)

C1. Where is the primary processing facility (data center) located?
C2. Are any functions outsourced to a third party (e.g. application development, system or network administration, data center)? Please describe.
C3. Is access to the data center where the IT infrastructure resides controlled by you or by a third party?
C4. Describe your process for keeping abreast of security threats to network devices, database, and operating system components.
C5. Do you have procedures in place for incident response, escalation, and investigation?
C6. Is a formal change control process used to manage and track customer change requests and changes to the application, database, network, and operating system components?
C7. Are security threats (events) for the application, database, and operating system logged and reviewed regularly? How often?
C8. Do you have separate development, test, and production environments?
C9. Does the application reside in the same domain as the applications used to support your own business?
    Do the application and its components reside on a separate VLAN from other applications?
C10. Is user access to the application controlled by the customer or by the Application Service Provider (e.g. adding/removing users, password management, assigning roles, etc.)?
Section D: Disaster Recovery (item, question, vendor response)

D1. Do you have a documented Business Continuity and Disaster Recovery Plan to address short-term and long-term disruptions of service?
D2. Are the plans reviewed and tested at least annually?
D3. Describe customer involvement in the annual testing.
D4. Where is your alternate processing facility located?
D5. Is the alternate processing facility a hot site or a cold site? If other, please explain.
D6. What types of natural disasters are common in the region where the primary data center is located?
