Questions to ask your SaaS application provider

Key questions you should ask your Software-as-a-Service (SaaS) business system providers about how to protect your sensitive information.
Many organisations use Software-as-a-Service (SaaS) application providers to manage business processes such as client management, stakeholder management, finance, payroll, HR, incident and risk management, and so on. These systems store and manage your organisation’s information related to those business processes, so these providers share responsibility for protecting your organisation and the information it holds from cyber security threats.

If your organisation is considering using (or already uses) SaaS application providers, it’s important to understand how they meet that responsibility.

Many providers will publish their approach to cyber security on their website (often via a link labelled “Security” at the foot of their home page) or on request provide a document describing their approach. It may provide detailed information and answer many of the questions you should ask, so is a great place to start.

Here are key questions to ask, to engage on and help clarify their approach to cyber security.

  • In what jurisdiction do you store our data?
  • What are your responsibilities for keeping our data secure?
  • Are you securely administering your systems and services?
  • Are you regularly assessing your systems and services?
  • How do you monitor emerging threats and update your servers and services to protect from these?
  • Are you implementing better practice cyber security? For example, compliance with the Essential Eight standards, OWASP Top 10, etc.
  • Are you accredited to any relevant security standards (e.g. SSAE16 SOC1/2/3, ISO27001, ASD ISM, PCI DSS)?
  • Do you have a skilled, supported and well-resourced security team or technical staff with knowledge of security practices?
  • Do you undertake penetration testing (or similar technical security testing), and can you provide copies of results / findings?
  • Do you have a backup and recovery plan? Can you recover our data if it is corrupted or lost?
  • Do you have a business continuity plan? Do you test it regularly?
  • Are you prepared for, and able to respond to, cyber security incidents? Do you have an incident response plan? Do you test it regularly?
  • Have you had previous security incidents (data breaches, system compromises etc.)? Do you disclose these, and have you remedied the underlying causes? (A web search may uncover public disclosures. Transparency, timely disclosure and timely remediation are positive indications of a proactive response to security incidents.)
  • Should we stop using your service in future, what provisions do you make to return our data to us, and in what form?
  • If we stop using your service in future, how do you dispose of the copies of our data you hold once you have returned it to us? How long do you retain it, for example in backups?

Ask each provider these questions and keep track of their approaches to cyber security for as long as you continue to use their solutions. If their answers do not meet your cyber security policies, consider moving to an alternative solution.
