While reading the magazine "Information Security", I came across an article about SaaS (software as a service) and it had 7 questions suggested inside:
- Who handles penetration testing, and how is it done?
- What are the sign-on, access and authentication policies?
- What encryption policies will protect data as it is transferred, or when it is being stored?
- Is there a single-tenant hosting option separated from that of other customers?
- Who manages the application on the back end, and what policies are in place to thwart insider breaches?
- What is the backup and recovery plan?
- How well does the provider's security policy match my company's (if my company has one)?
I found all of the questions to be very important and valid.