You can’t open a computer trade publication today and not see a reference to “ASPs”, or Application Service Providers. An ASP is a company that provides its customer organizations with managed service for core applications on a monthly rental basis. In addition to the software, the ASP provides all related hardware and support needed to deploy and manage the software. Typically, all that is required to access the solution is a web browser.
Don’t be Blinded by the Benefits
One of the key benefits of using an ASP is that the service provider is responsible for the availability of your service, data and application support. If you have a problem, there is no need to call your software developers or Information Technology (IT) department...you just call your ASP who serves as your single point of contact and provides a full range of service for you.
An ASP also allows you to dramatically reduce hardware costs. There is no need to continually buy expensive PCs and servers to run the “latest and greatest” applications. All that is needed to run an ASP application is a properly installed browser that serves as the window to your application. As a result, many managers may look at these benefits and think, “Why do I need an IT department now?”
The reason is that your institution’s IT department plays just as critical a role in the world of ASPs as it ever did. Many institutions have regrettably made the mistake of assuming that deploying an ASP solution does not require the involvement of the IT department.
Though its role has changed, IT’s involvement continues to be crucial to deployment. With an ASP, instead of focusing on deployment, your IT team will focus on performance and monitoring. And the earlier they are involved in the purchasing decision, the better. No department likes to be kept in the dark on mission-critical software initiatives, least of all the IT department.
Encourage IT-Driven Due Diligence
There are many issues that IT will need to consider as you look to outsource the technology behind various business processes. Due diligence is important – checking that the vendor of choice has taken the correct measures to ensure that the bank is covered in a number of key areas. Traditional software deployment tasks, such as those required to roll out client-server applications across a network, are minimized. The IT group’s role after acquisition then becomes focused on ensuring that the infrastructure is in place to run the Internet-based solution.
IT will need to carefully evaluate:
- Hardware and software requirements
-- If the solution is browser-based, does it utilize Internet Explorer or Netscape or both? What versions are supported? Any network-wide upgrades to browsers will now need to be tested for compatibility purposes with the ASP solution.
-- Are there any resolution requirements or restrictions for the application?
- How prepared is your network for the inevitable increase in web traffic once the solution is deployed? If your employees are already complaining about the slow speed of your web server, imagine how slow it will be as you deploy a mission-critical web-based solution to the masses. If the time waiting for screens to load is unbearable, your employees will have a fit and likely will not use the product – not necessarily a good use of your investment. Plan on making the necessary improvements well in advance of deployment. Don’t hesitate to ask your vendor how performance has been for other clients in similarly networked environments.
- Does the solution require a product like Microsoft Access(R) or another application to manipulate the data for reporting purposes? The generation of reports and/or the download of data may require ongoing IT support – support which IT needs to properly evaluate.
Ask for Security Documentation
Only an IT professional, well versed in web-based architectures and protocols, is going to know the right questions to ask when evaluating an ASP provider. Rely on your in-house experts to ask the tough technical questions that protect your organization from any surprises that may occur down the road.
Typical questions of your vendor should include:
- Has the vendor under consideration taken steps to ensure that security and operational control processes are up to industry standards? As a best practice, you should ask to review the results of any third-party security audits (like a SAS70) of any ASP you are evaluating. Most vendors are more than happy to share these audits with prospects and clients because they provide reassurance that the appropriate security and controls are in place. Be sure to review these audits before signing a contract, and include your IT team in this analysis.
- What user controls need to be considered? Typically the SAS70 examination will include a section on user controls. This section describes additional controls that should be in operation at user organizations to complement the controls in place by the ASP. Your IT team should review each of these controls for relevance and determine whether your institution has addressed, or plans to address, all controls.
- Can the vendor provide technical references from those who have been using the solution for more than a year?
- Is your vendor willing to let your IT staff talk directly with the vendor’s IT staff to get questions answered and reach the necessary comfort level? Be cautious of any vendor that is not willing to discuss topics outside of what is documented.
- Will your vendor allow an onsite visit of their web-hosting facility? Vendors are generally comfortable demonstrating that their hosting location provides appropriate physical security measures. Your relationship manager should be able to coordinate a site visit if necessary. Any reluctance to accommodate visit requests should serve as a red flag.
Other due diligence – such as the financial strength of the vendor and the matching of functionality to requirements – typically falls to the business area of the bank. However, some IT departments are actively included in this functionality and requirements review.
Define Security Now Rather Than Later
Effective security is essential to any business model that allows users from a public network – such as the Internet – to access mission-critical information or conduct sensitive transactions. So it is no surprise that security is the single greatest concern associated with the ASP delivery model.
While much of the security in any ASP environment depends on the safeguards employed by the ASP, IT departments can also take steps to enhance the security of their applications and systems. Your organization should analyze your business needs as they relate to your security requirements. Once you have defined your specific security needs, you will be in a better position to ensure that these needs are met when you sign a contract with an ASP.
For a copy of Baker Hill’s SAS70 examination, please contact Ginny Burns at 800-821-8664 ext. 6262 or gburns@bakerhill.com.