SaaS: Navigating the compliance minefield

SaaS offers CIOs impressive options to reduce internal resources and expenses devoted to application maintenance, version updates and patching. These "activity-based costs" represent appealing targets for CIOs looking to reduce their overall IT spending -- once an existing application is moved to the vendor (or a vendor-sponsored host), the availability of internal staff and devices improves. The newly available internal resources are then free to be deployed toward other internal operation priorities.

Within midmarket companies -- a high-priority market segment for SaaS vendors delivering human resources (HR), payroll, accounting, e-commerce, and off-site data storage applications -- the related business activities are subject to varied legal compliance duties with which the customer must ultimately comply. Contracting with a SaaS vendor rarely, if ever, eliminates the customer's legal responsibility for the activities conducted by the vendor.

Ticking time bombs

Those making the SaaS business case often overlook the compliance-driven risks and costs associated with:

As a result, many SaaS services contracted under standard, vendor-developed contracts are ticking time bombs. They add significant compliance risks that the CIO never evaluated at the front end of the process and create new ongoing costs in oversight and incident response that can re

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Risk management and compliance Critical infrastructure at risk to cyberattacks: What you can do Strategic risk management includes risk-based approach to compliance Scale aside, cloud computing compliance still worries IT managers Comparing how-to guides for business continuity standards Twitter security risks, popularity spark regulatory concerns Business model risk is a key part of your risk management strategy SEC commish, FINRA head: Reform financial services regulations Ex-SEC chief Pitt decries state of Sarbanes-Oxley and risk management Anatomy of a hyperproductive compliance management team Chapter excerpt: The Three Core Disciplines of IT Risk Management Managing compliance teams Chapter excerpt: Decision-making processes and IT governance Is all the PCI DSS compliance whining and complaining justified? Anatomy of a hyperproductive compliance management team Chapter excerpt: The Three Core Disciplines of IT Risk Management Why it may not be ideal for your lawyer to be your compliance officer Leveraging your business intelligence resources for compliance Kill-switch bill would add certification, licensing burdens Are you out of the loop on state data breach notification laws? Economic downturn won't kill regulatory compliance projects Data center virtualization: Four steps to compliance Compliance services Cloud computing forecast: Some risk ahead

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

duce the actual economic value of the deal.

Charting the path forward

For both existing and future SaaS services, here are some useful steps a CIO can execute to manage compliance risks:

To see an idea about how to make this type of map, click here. This sample map summarizes the content of this article.

Regulators are now reviewing SaaS service agreements in detail, to assure the deals do not diminish a company's compliance posture. Finding (and eliminating) the ticking time bombs can help a CIO better achieve his or her SaaS ROI and promote a better culture of compliance.

Next month: Master data management: Crossing the legal chasm of ignorance

Jeffrey Ritter, Esq., is CEO of Waters Edge Consulting LLC in Reston, Va. Waters Edge offers strategic consulting services to develop improved information governance. Write to him at editor@searchcio-midmarket.com.