SaaS Requirement Checklist
CIOs should treat the selection of a SaaS provider as a business decision. In other words, there are some basic requirements that a SaaS provider must meet in order to be considered. The following list includes many, but not all, of the key characteristics of a potential SaaS partner. While a positive response is expected in most cases, the actual response will vary based on the client and the service/product being offered. Depending on the country and its regulatory requirements, special questions may need to be added.
Environmental Stability and High Availability
- Is the provider’s service hosted on their own equipment, in their own data center?
- Is the facility scalable? To what extent?
- Is there redundant power, UPS or generators installed in the Data Center?
- Is there backup air conditioning (cooling) installed in the Data Center?
- Is there emergency lighting in the Data Center?
- Does the SaaS provider use more than one network provider?
Physical Security
- Is the Data Center secured using badge access and/or biometric access?
- Is the list of personnel admitted to the Data Center reviewed at least monthly?
- Are cameras used within the Data Center to monitor all activities?
- Are logs kept of all personnel that are admitted to the Data Center?
- Are intrusion detection or intrusion prevention systems used?
- Are vulnerability assessments performed every six months by a third party?
System Security
- Are the hosting facilities SAS 70 Type II Certified?
- Is the SaaS provider PCI compliant?
- Is the SaaS provider HIPAA compliant?
- Are there any other certifications that apply?
Data Segregation
- Does the SaaS provider offer sufficient data security/segregation controls? What are they?
- Are data access audit logs maintained for all activity within the environment?
- Is access to client data limited to senior, vetted SaaS administrators?
Data Management
- Is data encryption used when data is at rest?
- Is data archiving available?
- Is there a plan in place to investigate in case of breach?
Business Continuity & Disaster Recovery
- Are there provisions for business continuity?
- Are there provisions for disaster recovery?
- Is the data replicated to another location?
- Are these services part of the basic package?
- Can the data and service be restored within the enterprise’s parameters?
Identity Management
- Does the SaaS provider offer single sign-on (SSO)?
- Can the SaaS provider be integrated with Active Directory?
Service Desk Support
- Does the SaaS provider offer multiple modes of contact, such as phone, email and online?
- Is the support desk available when the enterprise needs it? (24 x 5, 24 x 7?)
- Do the response times meet the enterprise’s requirements?
- What are the response times for critical, important and non-critical requests?
- Is there active monitoring of the processing environment?
Resource Assistance
- Is there a dedicated account management representative?
- Is there consulting assistance available for integration, modification, etc.?
Service Interruption Notification and Formal Processes
- Is there advance notification of upgrades, patches, and maintenance?
- How is the client notified?
- Does the SaaS provider have a formal change management process?
Standards, Policies, Guidelines, Procedures
- Does the SaaS provider follow any architecture frameworks?
- Does the SaaS provider manage projects using a standard methodology?
- Are the SaaS provider’s standards, policies, guidelines and procedures documented and communicated to their clients?
- Are there formalized change, problem, incident management processes?
Integration
- Are there standard, easy to use APIs?
- Can the client access the data directly?
Service Level Agreements
- Does the SaaS provider offer SLAs based on end-to-end performance?
- Are credits paid if the provider does not meet SLA provisions?
- Are periodic meetings with the service provider part of the SLA process?
- Is there an escalation/notification process in place?
SaaS Provider Stability
- Does the SaaS provider offer dedicated environments?
- Does the SaaS provider offer shared environments?
- How many years has the SaaS provider been in business?
- Are they making a profit?
- Are they privately held?
- Are all of their personnel employees of the company?
- Does the SaaS provider have a formalized product/service development roadmap?
- Does the SaaS provider solicit customer input for their roadmap?
- Do they allow potential customers to trial their service/software?
Total Cost of Ownership (TCO)
- Does the base price include implementation, integration, set-up, etc.?
- Is the pricing structure based on the number of users?
- Is the minimum contract period one year?
- Are volume purchase agreements available?