Are you entrusting a software provider with confidential data? How secure is their SaaS system? What insight do you have into the confidentiality, processing integrity and availability of the managed application? In 2016, approximately 80% of US companies experienced cyber-attacks. Numerous data breaches have occurred, exposing millions of personal identities. Since these attacks will continue to threaten software systems in the future, you should select a provider that is committed to maintaining the highest standards and the strictest security possible. What should you look for when selecting the right provider?
When selecting a provider, I recommend that:
- Your SaaS provider conducts regular internal and third-party assessments of both the application and the infrastructure.
- Their employees are bound by non-disclosure agreements to deter them from exposing confidential information.
- The provider meets with its employees at least annually to remind them of their legal and ethical responsibilities when handling sensitive data.
- The provider offers Service Organization Control and compliance reports (e.g. SOC 1, SOC 2, PCI DSS).
Using the reports mentioned above, make sure that the provider’s controls satisfy your audit department’s requirements. These reports will give insight into the provider’s:
- Policies and procedures
- Security standards for the networks, servers, and desktops
- Encryption standards that define the level of encryption of your data both at rest and in transit
- Encryption key management, to understand their process for protecting encryption keys
- Software development life cycle (SDLC), to understand the process of adding features to the system, including design, secure coding standards, QA, and deployment
- Security patching, to see how quickly fixes for newly discovered vulnerabilities are applied to the systems
- SSL certificate management
Software as a Service, if used properly, can help your business save money, time and human resources, and eliminate problems such as software maintenance and incompatibility. However, it is important to thoroughly research the security of each individual provider and their services before implementing their solutions.