Tip

SaaS: Navigating the compliance minefield

The Software as a Service (SaaS) business model may be a great fit for your company, but make sure the ticking time bombs of compliance risks and costs don't go off on your watch.

SaaS

    Requires Free Membership to View

offers CIOs impressive options to reduce internal resources and expenses devoted to application maintenance, version updates and patching. These "activity-based costs" represent appealing targets for CIOs looking to reduce their overall IT spending -- once an existing application is moved to the vendor (or a vendor-sponsored host), the availability of internal staff and devices improves. The newly available internal resources are then free to be deployed toward other internal operation priorities.

More on SaaS and compliance
SaaS cost savings impress CIOs

Compliance: Don't let your guard down
Within midmarket companies -- a high-priority market segment for SaaS vendors delivering human resources (HR), payroll, accounting, e-commerce, and off-site data storage applications -- the related business activities are subject to varied legal compliance duties with which the customer must ultimately comply. Contracting with a SaaS vendor rarely, if ever, eliminates the customer's legal responsibility for the activities conducted by the vendor.

Ticking time bombs

Those making the SaaS business case often overlook the compliance-driven risks and costs associated with:

  • Shifting to the vendor the creation, management and storage of information and records that are subject to compliance duties.
  • The added contract complexity -- and management costs -- for negotiating appropriate controls, and overseeing vendor compliance and reporting.
  • Corrective and preventive strategies to recover from vendor-based events that create legal compliance risks.

As a result, many SaaS services contracted under standard, vendor-developed contracts are ticking time bombs. They add significant compliance risks that the CIO never evaluated at the front end of the process and create new ongoing costs in oversight and incident response that can reduce the actual economic value of the deal.

Charting the path forward

For both existing and future SaaS services, here are some useful steps a CIO can execute to manage compliance risks:

Contracting with a SaaS vendor rarely, if ever, eliminates the customer's legal responsibility for the activities conducted by the vendor.
,

  • Create a map relating to the application or service that identifies:
    • The data each application or service creates or manages.
    • The known compliance duties that relate to the identified data. Remember, compliance duties can refer to access controls, the type of data (especially nonpublic personal information in payroll, HR, benefits and retail services), data retention and storage policies, and formal reports to management of any of the preceding.
    • The risks the company faces if the compliance duties are not performed.

  • Define the services the SaaS vendor must provide (through the application or other services) to enable the CIO's company to meet its compliance duties and avoid those risks.
  • Assure that all service agreements contain legal terms that impose responsibility for the required services on the SaaS vendor. Involve your lawyer in this step -- many CIOs avoid doing so, often creating more problems than they solve.
    • For new vendors, identify needed compliance terms in the request for proposal or request for information in order to avoid later "add-on" premium pricing to deliver required compliance services.

  • Establish in the contract vendor monitoring, and audit and reporting controls (often modeled on internal audit and security control structures) to assure compliance services are performed.

To see an idea about how to make this type of map, click here. This sample map summarizes the content of this article.

Regulators are now reviewing SaaS service agreements in detail, to assure the deals do not diminish a company's compliance posture. Finding (and eliminating) the ticking time bombs can help a CIO better achieve his or her SaaS ROI and promote a better culture of compliance.

Next month: Master data management: Crossing the legal chasm of ignorance

Jeffrey Ritter, Esq., is CEO of Waters Edge Consulting LLC in Reston, Va. Waters Edge offers strategic consulting services to develop improved information governance. Write to him at editor@searchcio-midmarket.com.


This was first published in July 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.