

Ask HN: Best practices for ASPs handling Enterprise customer data? - mooneater

As an ASP-model business, some of our enterprise clients will want to audit our data security, integrity, and privacy practices.  Any pointers to best practices?

We do standard things like: always use SSL, hashed passwords, daily backups, proper privacy policy and TOS, software firewall, testing for SQL injection, using a reputable data-center.  We will be adding data scrubbing, hot backups, and XSS protection.  But what am I missing?  What is critical and what is optional?

Ideally I would like a comprehensive checklist, of the type that would satisfy a multinational client in the hi-tech industry.  The data includes names, email addresses, and physical home and work addresses.  We currently store no payment information or SSNs.

Btw our platform is currently Linux/PHP/Postgres, medium-term we will move from PHP to Python.  Many thanks!
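Three of the controls listed above ("hashed passwords", "testing for SQL injection", "XSS protection") are the ones an auditor will usually ask to see in code, so here is an added example of what each looks like done properly. It is not the poster's code; it uses Python (the platform they are moving to) and a constructed in-memory SQLite table standing in for the Postgres users table, with the same bound-parameter style a Postgres driver uses.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Password storage: a per-user random salt plus a slow, iterated hash
# (PBKDF2-HMAC-SHA256 from the standard library). A bare fast hash such
# as MD5/SHA-1 is cheap to crack offline if the users table ever leaks.
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())

def verify_password(password, stored):
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison so timing does not leak how much matched
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed sample data standing in for the Postgres users table.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Ada Lovelace", "ada@example.com"),
        (2, "Conor O'Brien", "o'brien@example.com"),
    ])
    return conn

def find_user_unsafe(conn, email):
    # Data spliced into the SQL text: any quote in the input changes the
    # statement itself, which is exactly what SQL injection testing looks for.
    return conn.execute(
        "SELECT id, name FROM users WHERE email = '%s'" % email).fetchall()

def find_user_safe(conn, email):
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it is never parsed as part of the statement.
    return conn.execute(
        "SELECT id, name FROM users WHERE email = ?", (email,)).fetchall()

def render_cell(value):
    # XSS protection belongs at output: escape right before it goes into HTML.
    return "<td>%s</td>" % html.escape(value, quote=True)
```

The legitimate address with an apostrophe is enough to make the unsafe query fail while the parameterised one returns the row, which is a useful first check to put in a test suite.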
======
frossie
Why don't you look into ISO 17799 and its accompanying certification (ISO/IEC
27002)? I don't know about the certification, but I did read the equivalent UK
standard (BS 27002) a while back and found it quite reasonable. It will surely
help you with client reassurance and also clarify your thinking.

