Application Service Providers (ASP) Policy
Created by or for the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to email@example.com

1.0 Purpose

This document describes Information Security's requirements of Application Service Providers (ASPs) that engage with .

2.0 Scope

This policy applies to any use of Application Service Providers by , independent of where hosted.

3.0 Policy

3.1 Requirements of Project Sponsoring Organization

The ASP Sponsoring Organization must first establish that its project is an appropriate one for the ASP model, prior to engaging any additional infrastructure teams within or ASPs external to the company. The person/team wanting to use the ASP service must confirm that the ASP chosen to host the application or project complies with this policy. The Business Function to be outsourced must be evaluated against the following:

1. The requester must go through the ASP engagement process with the ASP Tiger Team to ensure affected parties are properly engaged.
2. In the event that data or applications are to be manipulated by, or hosted at, an ASP's service, the ASP sponsoring organization must have written, explicit permission from the data/application owners. A copy of this permission must be provided to InfoSec.
3. The information to be hosted by an ASP must fall under the "Minimal" or "More Sensitive" categories. Information that falls under the "Most Sensitive" category may not be outsourced to an ASP. Refer to the Information Sensitivity Policy for additional details.
4. If the ASP provides confidential information to , the ASP sponsoring organization is responsible for ensuring that any obligations of confidentiality are satisfied. This includes information contained in the ASP's application. 's legal services department should be contacted for further guidance if questions about...