Security concerns continue to be in the news around the world with the White House issuing an executive order earlier this summer about cybersecurity and the European Union proposing a Joint Cyber Unit to respond to the rising number of security incidents. And the hacking story that won't go away with the "SolarWinds" hackers launching a new global cyberattack at the end of May.
Now, this doesn’t mean that you shouldn’t necessarily trust cloud providers. In fact, there are many security benefits in working with the right cloud providers and SaaS companies that can leverage the economies of scale around security far easier and sometimes faster than most companies themselves. After all, providing SaaS solutions is what they specialize in and have the expertise to ensure their systems are secure.
There is also the driving factor of trust. Any erosion of their customers' trust would have far reaching effects on their core business. Every vendor's approach to security is an important part of their Information Security Strategy, and to ensure that your service management software system is protected, here are some questions you should ask to make sure your software vendor will keep your company and your customer's data safe.
1. Does the vendor adhere to security best practices?
Are they ISO27001 certified? This is an international standard that provides a management framework for implementing an Information Security Management System (ISMS) to ensure the confidentiality, integrity and availability of all corporate data. If the vendor is not ISO27001 certified, how can you be certain that their data center partners are?
2. Do they align their Information Security Management System (ISMS) to good standards and best practices, such as:
ISO27001 or other standards based on the National Institute of Standards and Technology (NIST)
The Payment Card Industry Data Security Standard (PCI-DSS)
The Information Assurance for Small and Medium-sized Enterprises (IASME)
The UK National Cyber Security Centre's Cyber Essentials Plus or Cloud Controls Matrix (CCM)
Each of these organizations offer best practices and standards to assist companies looking to increase their security protocols.
3. Do the vendors follow the security concerns outlined by the CIA Triad of Confidentiality, Integrity and Availability?
We're not talking about the Central Intelligence Agency. This CIA has to do with data. How is it stored, how accurate it is and how it is accessible.
Confidentiality: The data needs to be private and remain private. Vendors should ensure only the people who are authorized to view the data have access to it. There are different levels at which this applies. Vendors need to protect their SaaS platform, each of their customer's systems, controls within each customer's system, vendor controls to the SaaS system and the vendors own controls over the information they store to run their business.
Integrity: The data itself needs to be consistent, accurate and trustworthy. The data must be trusted and nonrepudiation must exist.
Availability: The data must be available. Having data that is secure, yet inaccessible, is useless. Users need to be able to access data when they need it, so vendors need to be sure that they are resilient, they have built in redundancies and can ensure business continuity.
4. Do the vendors practice what they preach?
This one is pretty simple.
Do they run their own business on the principles listed above?
Do they use the platforms and tools that they expect their customers to rely on to run their business?
Do they align with your own security policies and procedures?
It's important to find cloud vendors who answer the previous questions in the affirmative. Not only is it the right thing to do, but it's the best way to protect against potential harm from a security breach. Vendors need to build up trust with their customers and prevent them from potential reputation damage.
Ultimately, the vendors need to protect customers from any potential vulnerabilities along the IT supply chain that may expose data or other security risks. They must also address legal or regulatory concerns pertaining to their customers such as GDPR, HIPAA, CPRA and other data protection laws.
Be an informed consumer and do your due diligence while selecting a software vendor. Ask questions to make sure your organization is protected from potential cybersecurity threats.
Download our whitepaper to learn more about how Vivantio values security and what measures it takes to keep your customer service data protected.