While reading the magazine "Information Security", I came across an article about SaaS (software as a service) and it had 7 questions suggested inside:

  1. Who handles penetration testing, and how is it done?
  2. What are the sign-on, access and authentication policies?
  3. What encryption policies will protect data as it is transferred, or when it is being stored?
  4. Is there a single-tenant hosting option separated from that of other customers?
  5. Who manages the application on the back end, and what policies are in place to thwart insider breaches?
  6. What is the backup and recovery plan?
  7. How well does the provider's security policy match my company's (if my company has one)?

I found all of the questions to be very important and valid.