| Question | What to write down / what to look for |
|---|---|
| **What does it do?** | A pithy description of the company, the elevator pitch: "They do *action* with *data* so we can do *something awesome*." |
| **Why this service?** | The justification for the service: the compelling rewards that will outweigh the inevitable risks. What will be true once the service is online? Good reasons are ones a fifth grader would understand. |
| **Data it WILL collect** | Describe the classes or types of data the service will access or store, and why that is necessary for the service to operate. |
| **Data it WON'T collect** | If there are specific types of sensitive data the service won't collect (e.g. passwords, Personally Identifiable Information, Protected Health Information), call them out explicitly. |
| **How will the data be accessed?** | Describe the process for getting data to the service. Do you have to run their code on your servers? On your customers' computers? |
| **Costs of NOT doing it?** | What are the financial risks and liabilities of not going with this service? What is the worst-case and the average-case impact of not bringing it on? Have you had costly problems in the past that could have been avoided if you had been using this service? |
| **Costs of doing it** | Include the price of the service and, if possible, the person-time it will take to operate it. Ideally less than the cost of not doing it. |
| **Our risk: how mad will important people be...** | |
| **...if the service is compromised?** | What would happen if hackers, or attention-seeking security companies, publicly released the data you sent the service? |
| **...when the service goes down?** | When this service goes down (and it will go down), will it be a minor inconvenience, or will it take out your primary application and infuriate your most valuable customers? |
| **SSO & 2FA support?** | It's 2019: if a service doesn't support SSO or 2FA, it's safe to assume they don't prioritize security. It's also a good idea to investigate SSO support up front, since some vendors charge extra for the privilege (which is a shame). |
| **Fine-grained admin / user permissions?** | Another key indicator of the service's maturity level, since it takes time and effort to build in. It's also something else they might make you pay extra for. |
| **Do they have any security certifications?** | These aren't guarantees of quality, but they do indicate that the company has put in some effort to shore up its security. Check their website for general security compliance merit badges such as SOC 2 or ISO 27001, or industry-specific ones like PCI DSS or HIPAA. The badge alone says little: ask for the actual report or certificate and check which systems and which time period it covers. |
| **Is there a public security & privacy page?** | If there is, it means they're willing to publicly state that they do something about security. The more specific and detailed, the better. |
| **Vendor's security history?** | Have there been any spectacular breaches that demonstrated a callous disregard for security, gross incompetence, or both? |
| **BONUS questions** | Want to really poke and prod the internal security of your vendor? Ask if they can answer the following: <br>1) How many known vulnerabilities (CVEs) exist on your production infrastructure right now? <br>2) At what time (exactly) was the last successful backup of all your customer data completed? <br>3) What were the last three secrets accessed in the production environment? <br>A vendor that can answer these promptly has a working vulnerability inventory, backup monitoring, and an audit trail on secrets access; one that has to go and find out probably doesn't. |
| **Is it worth it?** | Look back through the previous sections and ask whether it makes sense to use the third-party service, build it yourself, or not do it at all. Would a thoughtful person agree with you? |