From the Series: Questions to Ask Software or Cloud Vendors
Part 2 - Ten Tough Questions to Better Select, Compare & Evaluate Any Software or Cloud Vendors
How can you more quickly select, compare and evaluate any software or cloud vendors?
Ask these questions early in your qualification process. Use these questions to poke and prod at your short list of vendors and then listen very carefully. Make sure to ask for commitments in writing!
- What is your history of application uptime?
- Do you measure and monitor application responsiveness on an ongoing basis? Your service may not be down, but how do I know if it will be responsive and usable? Do you provide a Service Level Agreement for application responsiveness? If so, what is it?
- Is your product architected as a Web-native application? Is it really a client/server application retrofitted with a Web interface?
- Do you host your product at a commercial data center, or do you host on your own servers? If at a data center, is it SSAE-16 SOC 2 Type II (formerly SAS-70), PCI certified and HIPAA compliant? Is your data encrypted at rest and are back-ups encrypted? Does the data center provide a managed service, or does your company rent colocation space with power and network access, but your company maintains the server infrastructure? Does your data center use a third-party security assessment firm to determine whether the data center meets Payment Card Industry Data Security Standard (PCI) and security requirements related to the protection of private and confidential data? Does your data center use a third-party security assessment firm for intrusion penetration testing and monitoring?
With respect to your data center:
- How often do they perform back-ups? Is there a daily incremental back-up? Is there a full back-up at end of the week?
- Is the back-up automated to assure that it happens without fail?
- Is the back-up to tape or disk?
- Are back-ups encrypted?
- How long a back-up history is maintained? Are back-ups stored on site or off-site at secured locations? Can the database be restored to a specific day and time?
- Is transportation to off-site locations secured?
- What is the data center disaster recovery plan?
- What happens if the data center power is knocked out? How many days can it stay powered on generator failover without refueling?
- Is the data center physically guarded 24 x 7 x 365?
- How is physical access to the data center protected?
- How is virtual access to the data center protected?
- Is there a hardware-based firewall that protects your data from the Internet?
- Are there Microsoft and Cisco Certified Network Engineers on site 24 x 7 x 365?
- How long would it take to recover from a complete server failure?
- Are there ample spare parts on-site?
- What level of data center redundancy is built in?
- What level of Internet access redundancy is built in?
- Does your data center have strategic partnerships with Microsoft, Oracle and Cisco to be among the first to receive important security information and updates? How fast are security patches applied?
- Is there virus protection on the servers?
- As my company grows or experiences spikes in business, can additional licenses and disk storage space be quickly provided on-demand as necessary for peak times such as the holiday season, special promotions or major IT infrastructure upgrades at my company?
- Can I get a copy of my company's data file at any time in an industry standard format, so it can be imported into another application? Is there a charge? Is it explicit in your contract that my company's data is owned by my company? How will our data be protected from a privacy and disaster recovery perspective?
- Are there maintenance windows of downtime for routine server administration? When are they? Will the service always be unavailable during these windows or just sometimes? Will I get notifications when the service will be down during a maintenance window? How much advance notice?
- What contract lengths do you offer, and what are the discounts that apply? Is there any flexibility in payment terms?
- Is a source code escrow service available? (This requires that the vendor place their source code in escrow, so that it is available if they are no longer in business.) Is there a fee for this?
- Does the vendor ask you about your pain points? Are they interested in understanding your requirements, and will they prepare a demonstration of their capabilities based on these requirements at no cost or obligation?