Don’t let an ASP bite you

In the aftermath of Sept. 11, many companies are rethinking the security of their data. Many companies that were headquartered in the World Trade Center are no longer in business because they lost crucial information and communications. Some were application service providers (ASPs) that lost not only their own records but also invaluable data belonging to their customers.

By hosting important information systems through Internet interfaces, ASP business models offer advantages, such as quick time-to-market solutions and lower start-up costs. Before you entrust an ASP with the data that runs your company, however, you need to research the ASP’s operation thoroughly, says Adam Galbreath, manager of vendor relations at Roadway Express.

The IT department at Roadway Express uses a formal evaluation process before adopting an ASP solution, says Galbreath, who led a presentation on the topic at the Technology and Maintenance Council’s annual meeting in March. Key areas you should address are financial strength, system security, backup contingencies and the ASP’s ability to meet the changing needs of its customers.

Roadway Express currently uses ASP services for just two purposes – a warehouse management system for one of its divisions and a human resources function to “try and predict how a potential employee will prevail with us,” Galbreath says. But you can only imagine how many ASPs have tried to solicit business from one of the nation’s largest carriers.

Galbreath suggests beginning an evaluation process by requesting a copy of the vendor’s financial documents, even if they are privately held. If necessary, offer to sign a confidentiality agreement.

Assuming the ASP appears financially stable, then address your technical needs. Define your security expectations and rank the ASP accordingly. Examples of your expectations might include firewalls, virtual private networks, intrusion detection systems, access controls, etc. In addition to the security from outside hackers, Galbreath recommends evaluating the ASP’s recovery plan in the event of a major system crash, including where you rank in priority among customers seeking restored access and functionality.

“The bottom line is to audit, audit, audit,” Galbreath says.

Before signing a contract, Galbreath suggests defining the responsibilities and liabilities for the ASP in three areas: performance warranties for response time and availability; support services for problem resolution; and customization if you want to have changes made. Agree upon a grace period to cancel the agreement if services do not meet your expectations. Also, agree upon early termination fees, and decide in advance what will happen in the event the ASP changes its business model.

“If they want your business, make them do it,” he says.

An important agreement that Roadway Express gets from its ASPs before finalizing the deal is to “escrow the source code.” For about $700, you can use an escrow agent to set up a legal agreement that, in the event the ASP goes out of business, the source code for its software belongs to you. You can negotiate with your vendor as to who will pay.

“Vendors don’t like to do it and they don’t speak about it, but it’s a good insurance policy,” he says. “It’s still your company’s reputation at stake. You may have outsourced, but your customer doesn’t care.”