According to Charles Chewning of Solutions Inc., a Richmond, Va.-based consultant who evaluates accounting software products, failure of an accounting system happens pretty often. “I just talked to someone who got [a major vendor's product], spent $80,000, and got rid of the system because they didn’t like it,” says Chewning. “The cost of a failure is quite substantial — much more than the cost of just the software.”
What this means to me is that vendors have an obligation to users to provide as much information online about their products as possible, including extensive online demo capabilities, so that users have the opportunity to “live with” the system before making a full commitment to it.
Gartner Group’s Security Test
The Gartner Group has provided a test that your technical staff should apply to any ASP that you’re thinking of using. A “no” answer to any of these questions represents a serious vulnerability that will put applications and data at risk.
- With regard to the ASP’s network layer, does the ASP:
  - Require the use of two-factor authentication for administrative control of all routers and firewalls?
  - Support 128-bit encryption and two-factor authentication for the connection from the customer’s local area network to the ASP production backbone?
  - Provide redundancy and load-balancing services for firewalls and other security-critical elements?
  - Perform (or have an experienced consulting company perform) external penetration tests on at least a quarterly basis and internal network security audits at least annually?
  - Show documented requirements for customer network security (with audit functions) to ensure that other ASP customers will not compromise the ASP backbone?
- With regard to the ASP’s operating system (OS) platform (usually Windows NT or Unix), can the ASP provide a documented policy for hardening the OS on its Web and other servers? Hardening an OS entails eliminating any unnecessary OS services (e.g., Telnet or FTP), disabling all communications paths that are not needed (e.g., TCP/IP ports), installing all required security patches, and minimizing both system administration accounts and access to system logging/auditing.
- If the ASP co-locates customer applications on physical servers, does it have a documented set of controls that it uses to ensure separation of data and security information between customer applications?
- With regard to the actual accounting application software, does the ASP:
  - Review the security of scripts and integration code that are added to the commercial applications it provides? How is this done?
  - Provide application- or transaction-based intrusion-detection services?
  - Document the security standards and processes used for creating interfaces to other systems on the ASP’s systems?
- With regard to operations, does the ASP:
  - Perform background checks on personnel who will have administrative access to servers and applications?
  - Show a documented process for evaluating OS and application vendor security alerts and installing security patches and service packs?
  - Use write-once technology for storing audit trails and security logs?
  - Show documented procedures for intrusion detection, incident response and incident escalation/investigation?
  - Have membership in the Forum for Incident Response and Security Teams (FIRST) (www.first.org/about/first-description.html), or use a security service provider that does?
  - Use “hot site” failover services that have the same security operations and procedures?
  - Provide authentication services for system users?
  - Have documented processes for adding, removing and validating security keys for all users?
- When using outsourced authentication services, does the outsource agent have a documented process for managing and validating member security keys?
- With regard to end user services:
  - Does the ASP security staff average more than three years of experience in information/network security?
  - Do more than 75 percent of the ASP’s security staff have CISSP (see www.isc2.org/isc2faq.html) or other security industry certification?
  - Can the ASP show documented help desk procedures for authenticating callers and resetting access controls?
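The OS hardening item in the checklist above (unnecessary services, unneeded ports, missing patches, surplus administrative accounts, loose access to logs) can be turned into a repeatable audit. The following is an added example, not part of the Gartner test or this column; it checks constructed samples standing in for `ss -ltn` output, `/etc/passwd`, log file modes and a patch-scan result against assumed thresholds (allowed ports, log permission mask, placeholder patch id).

```python
import re

# Hardening policy drawn from the checklist item above; the thresholds are assumptions.
UNNEEDED_SERVICES = {"telnet", "ftp"}            # services the checklist names as unnecessary
ALLOWED_PORTS = {22, 443}                        # assumption: only SSH and HTTPS are required
PORT_TO_SERVICE = {21: "ftp", 23: "telnet", 22: "ssh", 80: "http", 443: "https"}
MAX_UID0_ACCOUNTS = 1                            # only root may hold uid 0
LOG_MODE_MAX = 0o640                             # logs readable by root and one audit group only

# Constructed sample inputs standing in for `ss -ltn`, /etc/passwd, stat() modes and a patch scan.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
LISTEN 0      128             [::]:443          [::]:*
LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
"""
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-admin:x:0:0:legacy admin:/root:/bin/sh
www:x:33:33:www:/var/www:/usr/sbin/nologin
"""
LOG_MODES = {"/var/log/auth.log": 0o640, "/var/log/messages": 0o644}
PATCHES_MISSING = ["VENDOR-PATCH-PLACEHOLDER-1"]  # placeholder id, not a real advisory

def parse_listeners(ss_output):
    """Return the set of TCP ports in LISTEN state from ss-style output."""
    return {int(m.group(1)) for m in re.finditer(r"LISTEN\s+\d+\s+\d+\s+\S+:(\d+)", ss_output)}

def parse_uid0(passwd_text):
    """Return account names whose uid field is 0."""
    rows = (line.split(":") for line in passwd_text.splitlines() if line.strip())
    return [f[0] for f in rows if len(f) >= 3 and f[2] == "0"]

def audit(ss_output, passwd_text, log_modes, patches_missing):
    """Check the hardening criteria; return (severity, message) findings, empty if compliant."""
    findings = []
    for port in sorted(parse_listeners(ss_output) - ALLOWED_PORTS):
        svc = PORT_TO_SERVICE.get(port, "unknown")
        sev = "high" if svc in UNNEEDED_SERVICES else "medium"
        findings.append((sev, f"unneeded listener {svc} on tcp/{port}"))
    uid0 = parse_uid0(passwd_text)
    if len(uid0) > MAX_UID0_ACCOUNTS:
        findings.append(("high", f"extra uid-0 accounts: {[u for u in uid0 if u != 'root']}"))
    for path, mode in sorted(log_modes.items()):
        if mode & ~LOG_MODE_MAX:                 # any permission bit beyond the allowed mask
            findings.append(("medium", f"{path} mode {oct(mode)} exceeds {oct(LOG_MODE_MAX)}"))
    findings += [("high", f"missing security patch {p}") for p in patches_missing]
    return findings
```

On the constructed samples, `audit(SS_SAMPLE, PASSWD_SAMPLE, LOG_MODES, PATCHES_MISSING)` returns five findings: the FTP and Telnet listeners, the second uid-0 account, the world-readable `/var/log/messages`, and the missing patch.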
(Send John Xenakis your questions and comments for Xenakis on Technology (XOT) to firstname.lastname@example.org.)