SustaiNet has recently done an annual review of its StakeTracker application security practices, and as a result of this process we thought it was a good idea to write a quick blog on data protection.
To ensure the highest level of data protection when using a software-as-a-service (SaaS) application to manage stakeholder information, consideration must be paid to three components of security: the user, the network, and the application.
The user must adhere to established protocols, the data centre must meet high security standards and perform high-level testing and security audits, and the application must be built in such a way as to guarantee encrypted data transfer and make it easy for the users to adhere to best-practices.
The following is an overview of the three components, and best practices for each.
How secure are the people using the system?
- Do the end users understand the system and the security concerns regarding the information they collect and enter?
- Does the company have an information security protocol or standard operating procedure in place for collecting, handling, inputting and saving private information?
- Who has access to the system? How do they save their login information?
- If a laptop gets lost or stolen, will the thief be able to access the system?
- What happens in the event that someone who has access to the system leaves the company?
When considering SaaS, it’s important to understand that these security concerns are possible to overcome with the implementation of a system of permission settings and protocols regarding device usage.
Just like physical on-site security requires keys be given to specific people by someone assigned to keep track of them, online security also requires a similar system whereby designated administrative personnel manage permissions and access levels.
Protocols will ensure that user security is dealt with in an systematic and standardized way from within the organization. It is highly recommended that the company or department create, document and implement a series of protocols or standard operating procedures.
What might seem like rather mundane information about stakeholders to those collecting it, may be quite sensitive and private and it is very important for the company collecting and managing this information to not only be able to offer a privacy guarantee to stakeholders, but to be able to follow through on it with integrity.
How secure is the network and hosting server?
- Where is your information stored? In what country? In what kind of facility?
- What are the physical security practices?
- What are the ‘virtual’ security practices?
- Are they certified as a secure provider?
When a company considers SaaS, the intention is usually to manage significant amounts of information in an environment that requires privacy and robust security. Therefore, it is imperative that the service provider they select has exceptional integrity when it comes to the data servers hosting their information.
In many cases, SaaS development companies work closely with a hosting provider – a company that specializes in data storage and handling, disaster recover, backups, and more. It is important to note that security is likely strengthened by working with a dedicated hosting company. An organization that specializes in data centre operations and is committed to managing the possible security risks associated with physical and virtual data centre infrastructures.
How secure is the software?
- What kind of security practices does the software developer adhere to?
- Does the software provider regularly perform vulnerability scanning?
- Does the software provider regularly perform penetration testing?
- Does the software use encryption technology for data transfer over the internet?
Application-level security assessments consist of two levels of testing, both of which should be performed regularly by the software developer:
A vulnerability assessment is a high-level scan that does not attempt to ‘break into’ the system but rather spot potential areas for security breaches. It is the process of identifying, quantifying, and prioritizing (or ranking) weaknesses and delivering prioritized recommendations for remediation. This is an important tool for software providers and worth asking any SaaS provider for details about.
This is a much more in-depth test, ideally performed by a 3rd party testing company on a regularly scheduled basis. It is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization’s systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.
SaaS and stakeholder engagement
While the SaaS model might not be the optimal solution in every situation, it does seem to be the best fit for most proponents performing stakeholder engagement and consultation activities.
The universal access and unified database fits well with the day-to-day activities of practitioners and those needing to pull customized reports by filtering specific criteria.
Be sure to focus on finding a provider that meets your company’s needs and meshes with your security requirements. Most vendors are more than willing to go into more depth about the security offered by their software, so ask lots of questions and discuss the benefits and potential issues. And regardless of which system you use, establish strong protocols early and ensure users adhere to them.
All of these factors combined will help you make the right decision and ultimately assist with better stakeholder engagement
Want to learn more? Download our e-book SaaS Security for Stakeholder Engagement Part 2.