A matter of trust
The paperwork supplied by the ASP deserves as much scrutiny as the ASP itself. Read your SLA (service-level agreement) carefully. Most standard SLAs only offer prorated refunds for downtime. If constant availability is critical for your business, insist on an SLA with stiffer penalties.
Have your lawyers approve the wording of the ASP's confidentiality agreement. Your company's sensitive data would probably fetch a pretty price from competitors or miscreants, so make sure the ASP is accountable for any theft or damage caused by its staff.
If you plan to host third-party applications off-site, make sure you purchase the appropriate license from the software vendor. Similarly, if the ASP is supplying the application, make sure you're not liable if the ASP fails to license its software properly.
A surprising number of companies get stuck buying their way out of long-term contracts when they switch providers. If the ASP requires a commitment term, make sure you can walk away free if the ASP doesn't deliver on its promises.
You can't keep constant watch over your ASP, so you must choose a provider that you can trust. The last thing you need is to constantly be worried about the intentions and competence of a third-party ASP that just so happens to have access to all of your business software and confidential information.
Agreeing to the confidentiality agreement mentioned earlier is one good way for your provider to prove its goodwill toward your company. In addition, if your ASP is going to handle highly sensitive corporate data, look for a provider that screens its workers via criminal background checks and drug tests.
It is also important that physical access to your ASP's systems is tightly controlled and logged. During your tour of the provider's facility, look around for symptoms of poor security practices. If you see the machine room door unlocked or propped open, choose another ASP site.
Because securing data is the shared responsibility of you and your provider, get details on the ASP's intrusion prevention, detection, and tracking systems. If you're not equipped to judge the effectiveness of these systems yourself, pay a security consultant to do it for you.
In addition, to shoulder your share of the security burden, you'll need the provider's access logs and audit trails. You shouldn't have to call your provider every time you need to activate or revoke a user's security credentials. The ASP should give you an easy, secure way to manage credentials remotely.
As with any relationship, your rapport with your ASP may sour over time, and it is important to keep this in mind, even during the honeymoon phase. Arrange for regular deliveries of backup tapes, removable media, or network dumps of your application's data.