SaaS: Navigating the compliance minefield


Jeffrey Ritter
07.03.2008


The Software as a Service (SaaS) business model may be a great fit for your company, but make sure the ticking time bombs of compliance risks and costs don't go off on your watch.

SaaS offers CIOs impressive options to reduce internal resources and expenses devoted to application maintenance, version updates and patching. These "activity-based costs" represent appealing targets for CIOs looking to reduce their overall IT spending -- once an existing application is moved to the vendor (or a vendor-sponsored host), the availability of internal staff and devices improves. The newly available internal resources are then free to be deployed toward other internal operation priorities.

Within midmarket companies -- a high-priority market segment for SaaS vendors delivering human resources (HR), payroll, accounting, e-commerce, and off-site data storage applications -- the related business activities are subject to varied legal compliance duties with which the customer must ultimately comply. Contracting with a SaaS vendor rarely, if ever, eliminates the customer's legal responsibility for the activities conducted by the vendor.

Ticking time bombs

Those making the SaaS business case often overlook the compliance-driven risks and costs associated with:

As a result, many SaaS services contracted under standard, vendor-developed contracts are ticking time bombs. They add significant compliance risks that the CIO never evaluated at the front end of the process and create new ongoing costs in oversight and incident response that can reduce the actual economic value of the deal.

Charting the path forward

For both existing and future SaaS services, here are some useful steps a CIO can execute to manage compliance risks:

  • Define the services the SaaS vendor must provide (through the application or other services) to enable the CIO's company to meet its compliance duties and avoid those risks.
  • Assure that all service agreements contain legal terms that impose responsibility for the required services on the SaaS vendor. Involve your lawyer in this step -- many CIOs avoid doing so, often creating more problems than they solve.
  • Establish in the contract the vendor monitoring, audit and reporting controls (often modeled on internal audit and security control structures) needed to assure that the compliance services are actually performed.

Regulators are now reviewing SaaS service agreements in detail, to assure the deals do not diminish a company's compliance posture. Finding (and eliminating) the ticking time bombs can help a CIO better achieve his or her SaaS ROI and promote a better culture of compliance.

Next month: Master data management: Crossing the legal chasm of ignorance

Jeffrey Ritter, Esq., is CEO of Waters Edge Consulting LLC in Reston, Va. Waters Edge offers strategic consulting services to develop improved information governance. Write to him at editor@searchcio-midmarket.com.
