This document describes Information Security's requirements of Application Service Providers (ASPs) that engage with Dawn Farm.
This policy applies to any use of Application Service Providers by Dawn Farm, independent of where hosted.
Application Service Provider (ASP) – ASPs combine hosted software, hardware and networking technologies to offer a service-based application, as opposed to a Dawn Farm-owned and operated application.
All ASPs must use appropriate safeguards for confidential information, including:
Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to Dawn Farm information.
Establishment of restricted and locked areas where Dawn Farm information is stored.
Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.
Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network.
ASPs must agree to report any security breaches within one business day.
ASPs that do not meet these requirements may not be used for Dawn Farm projects.
ASP responses to these requirements must be concrete and specific. Examples:
Bad: "We have hardened our hosts against attack."
Good: "Our Administrator is tasked with keeping up to date on current vulnerabilities that may affect our environment, and our policy is to apply new patches during our maintenance period every week. Critical updates are implemented within 24 hours."
Bad: "We use encryption."
Good: "All communications will be protected by 168-bit Triple DES encryption."
If client or donor information will be stored or transmitted by the ASP, the ASP must assure compliance with this policy in the form of a written contract or business associates agreement.
Use of ASPs must be approved by the President.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Application Service Providers found to have violated this policy may be subject to termination of contract.
Reviewed 2014, 2017, 2024