Charter House Rules
In March of 2011, Scott Beagrie looked at legislation relating to the security of sensitive information stored in the cloud. This month, he reports on BASDA’s Cloud Vendor Charter and the first cloud supplier to sign up to it
You know something is a game-changer when codes of practice and charters start appearing around it. There is little doubt that cloud computing is already altering the way in which businesses buy and access software, as well as enabling us to transform the way we work. Towards the end of last year, the Cloud Industry Forum (CIF), the body established to promote trust, security and transparency within the cloud computing sector, introduced a new code of practice that aimed to standardise and certify businesses offering cloud services. This was soon followed by the Business Application Software Developers’ Association (BASDA) Cloud Vendor Charter.
The two are intended to complement rather than compete and propose to offer reassurance to customers on different aspects of cloud services. ‘Whereas CIF’s code looks to provide due diligence information about a vendor’s company, the BASDA Charter revolves around specific technology issues,’ a BASDA spokesperson explained. ‘The BASDA Charter is only available to current members of the association, while CIF’s code can be accessed by any company. Both look at other external certifications and accreditations achieved by the signatory vendor.’
BASDA adds that its charter is intended primarily for software developers and independent software vendors that deliver their products and services through a cloud or software-as-a-service architecture, and that it relates to practical technical practices and technology deliverables rather than to corporate due diligence. The charter seeks to encourage a responsible approach to data management (security, reliability and availability), application availability, security and customer management throughout the life cycle of the customer engagement. ‘Moreover, the charter aims to enhance the commercial success of both customer and vendor,’ said the spokesperson. ‘Adhering to the charter should assure the customer that the vendor deals with its business in a technically professional fashion and follows best practices.’
Stages of customer engagement
BASDA has given consideration to four main stages in the life cycle of customer engagement with the vendor: registration and on-boarding; ongoing operations; contract renewal; and vendor migration. It requires that a signatory is committed to having clear, published policies on privacy, complaints, acceptable use and support. The charter defines general minimum conditions that apply across all of the areas listed above and describes some specific requirements for the sub-sections.
Liquid Accounts is the first BASDA member to comply with and sign the Cloud Vendor Charter. The company specialises in online accounting software and back in 2001, long before the concept of cloud computing emerged, it began to design bespoke online solutions for large companies and multinationals.
More recently, it has introduced an integrated payroll module in version 7 of its software. Previously this option was available only to Liquid’s larger bespoke clients; although it had been used internally for the past four years, the company said it had experienced growing demand from its general client base for an online integrated payroll module as part of its monthly subscription.
It’s better to be safe…
Chris Eccles, commercial director at Liquid Accounts, points out that by signing up to the charter, cloud services providers are providing reassurance, safety and security for the customer. ‘It’s another tick in the box,’ he said. ‘Who knows what can happen in this economic environment?’
Traditionally, some payroll managers have been nervous about allowing their data to be stored elsewhere and accessed via the cloud, but Eccles says multinational computing can be delivered to small organisations that couldn’t otherwise afford it.
Everything in the Liquid Accounts version 7 release was requested by its clients, and the release allows payroll filing online and the emailing of payslips. Liquid Accounts says that whenever the payroll rules change, the package is updated automatically to reflect this. Eccles says the product has a development roadmap of two to three years, and while some of the detail may change, payroll is firmly part of its future.
Key aspects of the BASDA Cloud Vendor Charter
All vendors must adhere to the appropriate data protection legislation as it applies to their customers. Where specific industry compliance requirements exist, vendors undertake to meet those requirements and to undergo mandated audits.
Cloud applications should be hosted at a location that meets the standards of a Tier III data centre. Tier III, in the Uptime Institute’s classification, describes a concurrently maintainable site: redundant power, cooling and connectivity with multiple distribution paths, so that planned maintenance on any single component can be carried out without taking the service down. It is a resilience standard, not a security certification, so physical and logical security still need to be evaluated separately.
All data should be backed up daily to an off-site location, with a minimum two-day retention. In other words, if a data storage device fails, or a data centre becomes unavailable, the customer should not lose its data, at least up to the previous day’s operations. And a customer should be able to request the restoration of its data to a point at least two days prior in the event that some processing error occurs (for example, if an operator deletes data). Two days is a floor, not a target: an erroneous change that goes unnoticed for longer than the retention period cannot be reversed from backups alone.
The vendor should provide a mechanism, at no extra cost, for customers to take a copy of their core transaction data in a usable format, such as .csv.
Specific security requirements
Passwords: All customer passwords should be encrypted (in the database and for transmission).
Security breach notification: If a security breach occurs or is suspected, customers should be notified of that breach as soon as possible, and in any event not more than 12 hours after such a breach has been discovered. Vendors should have a formal procedure in place to deal with such notifications.
Service availability requirements
Issues often arise when the production environment changes, so vendors should have a documented release management policy that covers changes in both application and environment; for example, operating system, database and middleware.
Vendors will provide automated monitoring and alerting of critical service components. Vendors will have a documented support policy to respond to alerts. The escalation process and response times of the vendor will be commensurate with the service criticality and the hours during which customers use the service.
The full version of the BASDA Charter can be found at www.basda.org