When deciding to outsource or host software solutions with vendors it pays to know how they intend to deliver such a service. Software vendors write software, what makes them capable of hosting that software for their clients?
When you choose to host your application with the vendor you are asking them to take on much more than their traditional responsibilities. You are effectively asking the vendor to take on the role of your in-house IT department. How do you ensure that the vendor is able to handle this new burden and maintain the availability, security and integrity of the application and more importantly, your data?
Understanding the vendor's ability in this area can be hard to do. Long winded RFP's take time to analyse and without going into second stage of Q&A sessions with the vendors IT department you still can't be sure on the level or standard of service. Even with detailed levels of analysis you are still only getting the vendors point of view and not an independent opinion on their ability to securely host your data and ensure it is available when you need it.
Having an independent opinion and assessment on your vendors hosting service is the only way you can know they are taking their responsibilities seriously and have the processes and ability to deliver on those responsibilities. This is where recognised standards should play a key role in your decision to host with a software vendor. The next question is which standard? When it comes to hosting applications and information security there are only two you need to look for. TISO27001 and SAS70.These are the big boys and anyone telling you that they have others that are more stringent or more relevant obviously do not meet the requirements of ISO27001 or SAS70.
Knowing your vendor has been independently audited and certified gives you the confidence that they have invested in putting the right processes, people and technology together for their hosted service. Not only does the vendor have to demonstrate this to the auditor, they have to continue to demonstrate the process and show a continuing cycle of improvement across the standard.
Trusting your data and application delivery to a third party requires you have a high level of confidence in that third party. Placing that trust in the software vendor makes sense, but only if they can demonstrate they have the ability to deliver on the extra responsibilities that trust will bring. A vendor with a trusted and recognised certification in information security should be your minimum requirement when switching to a hosted service.