PaulDotCom mailing list archives

Re: Terms and Conditions for external hosting


From: "Williams, Marn PENC:EX" <Marn.Williams () pensionsbc ca>
Date: Wed, 3 Aug 2011 10:27:46 -0700

Chris,

We have had similar considerations in our Canadian business, and I can add a couple of recommendations for you. You are 
correct in considering vetting supplier and host employees, ISO27001, segregation of data, and encryption in transit 
and at rest.

Perhaps this is implied by your ISO27001 requirement, but ensure that the host's backend is secure - backups, disaster 
recovery plan, data centre security, AV and IPS, media sanitation policy, specific responsibilities in the event of 
data loss or corruption, service level agreements on data availability, who has access to the encryption keys, their 
security incident handling process, data ownership and a plan to regain your data if the hosting company fails.

Ensure that you know who actually owns the company hosting the solution. Several US companies have set up their 
services here in Canada and their prime selling point is that the servers reside in Canada, too. Safe, right? However, 
the U.S. Patriot Act stipulates that U.S.-owned companies, or subsidiaries of U.S.-owned companies, are subject to the Act. If 
desired, data can be requested from these companies under the Patriot Act, and they are under no obligation to inform you 
that they have complied, Data Protection Act notwithstanding. Keep it in mind if that concerns you.

Many providers of externally hosted solutions provide a web-based front end. This is very convenient, but adds risk. If 
one of your employees decides to maintain the Health Information on a wireless connection with a laptop in a coffee 
shop (for example), or even at home, then the data may be at risk even if they use an SSL connection. Wireless 
exploits are fairly trivial and it is not difficult to acquire a username and password in a situation like that. You 
may wish to address this with policy or require that all access into the hosted solution uses, for instance, a VPN.

Finally, I recommend that your business create a security policy for using hosted solutions, so you have all your external 
hosting guidelines in place for any future considerations and avoid that slippery slope.

Regards,
Marn Williams

-----Original Message-----
From: pauldotcom-bounces () pdc-mail pauldotcom com [mailto:pauldotcom-bounces () pdc-mail pauldotcom com] On Behalf Of 
Hembrow, Chris
Sent: August 3, 2011 1:52 AM
To: pauldotcom () mail pauldotcom com
Subject: [Pauldotcom] Terms and Conditions for external hosting

Hi folks.  

I'm looking at Occupational Health systems for our business, which will hold potentially sensitive medical information 
on our employees.  We are potentially looking at externally hosted solutions, and I'm trying to get an idea of what 
sort of things I should look to ensure are included in any contract.  

So far, all I can think of specifically is around ensuring an appropriate employee vetting process for the supplier's 
employees and the host's employees, ISO27001 for the hosts, and segregation of data from their other customers.  I'll 
also push for encryption of data at rest.

We're in the UK, and I'm not aware of any regulations which apply apart from the Data Protection Act.

Thanks,

Chris


"This email and any file attachments do not form a contract unless expressly stated. They may contain privileged, 
confidential and/or copyright information. If you are not the intended recipient or the service provider responsible 
for delivering this please delete the material from any computer and return to the sender at once; do not use, disclose 
or reproduce its contents. We do not accept liability for any error or omission in the message arising from corruption 
of, delay in or interference with, its transmission. We reserve the right to monitor email communications through 
normal internal and external networks. We believe but do not warrant that the email and the file attachments are virus 
free." 

Interservefm Ltd.  Registered in England, Number : 2820560.
Registered Office: Capital Tower, 91 Waterloo Road, London SE1 8RT.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com