InformationWeek

"We knew we needed an Internet solution for automating employee benefits, notifying human-resources departments, transmitting salary and paycheck data, and efficiently administering employee benefits," says Brad Orr, the San Diego company's president and CEO. Burnham not only uses an ASP package to administer its own employees' benefits but also resells it to clients of Burnham's consulting services.

Burnham sent out a 99-point questionnaire to the ASPs it was considering; about 20% of the questions dealt with security. While Burnham officials wouldn't identify which ASPs responded, Burnham selected Simpata Inc. based on the clarity of the company's responses and positive customer referrals from GE Capital Corp. and the U.S. Postal Service. "Security had to be a given, and we found few people who could meet our requirements," says Kandace McCrae, client services manager for Burnham. "Simpata made it clear early on in the process that they're very focused on it."

The ASP route is proving very cost-effective: Simpata charges $500 to $600 a month; to buy an application package with similar functionality would cost about $100,000 plus $25,000 in maintenance annually, Orr says.

Burnham's security survey could prove a useful boilerplate for other enterprises entertaining the thought of working with an ASP. Questions included:

• How many levels of security are there? Is access assigned by individual, by category, or both? How easy would it be for an unauthorized person to enter the system? Simpata's answer: There is an infinite number of security levels; access can be categorized as view, add, or change rights. A valid corporate ID and password admits users to the Simpata system, but they can expect to run into 128-bit encryption should they try to start hacking into areas for which they don't have authorization.
• If the system has modem capabilities, how do you prevent unauthorized access? Does the security system record failed attempts to access? Does it lock out a modem after a predetermined number of failed attempts? Simpata says its system can be accessed only through the Internet. Reports on failed attempts are generated and reviewed daily; IDs aren't locked out after repeated failed attempts.
• How are policy, customer, and transaction notes stored, and what is the historical access? Can you attach notes to files? How does the system indicate a note exists? Simpata says employer users can enter comments about an employee; notes are available only on employee files.

Return to main story, "ASPs Answer The Security Question."