Strong data security practices are essential to financial institutions’ business operations and reputations. Cybercrime is growing rapidly, averaging a reported cost to financial services companies globally of $18.3 million per firm in 2017, with information theft as the most expensive consequence., according to an Accenture and Ponemon Institute report
Organizations worldwide are dedicating more and more resources to protecting their customers’ data. But part of the security picture is out of their hands: external vendors’ practices. When there’s a clear business case for partnering with a vendor for technology needs—whether they involve marketing automation, data storage and backup, data collections, customer experience management, payments processing, or anything else—it is paramount to ensure that the technology provider adheres to the same or higher standards for data security.
Since information security is an ever-changing landscape, we’ve compiled this framework of security risks and related questions that can guide organizations’ conversations with prospective technology vendors.
Risk Area 1: Technology Vulnerabilities
You can learn a great deal about an organization’s commitment to data security by asking about their product and how it is tested and deployed. This category of questions involves topics like good software development practices, encryption, data transmission and storage, firewalls, and disaster recovery.
- What is your technology stack? Do you use an application firewall?
- Are data transmissions to/from the application encrypted? Do you encrypt our data? Which data are encrypted?
- Are your data centers physically secure?
- Do you use IPS/IDS? Do you monitor failed logins? Do you use two-factor Authentication?
- How can you prove you have no back doors hidden in your code? How do we know your code is safe? Do you test your web applications for the OWASP Top 10?
- How do you keep viruses out of our data? How will you ensure my CHD & PII are safe? In the event of a breach, how soon will I be informed?
- What is the backup and recovery plan? Do you have a backup and recovery SLA? Are your backups encrypted and securely stored/transmitted?
Risk Area 2: User Vulnerabilities
With malware, phishing, and social engineering at the heart of many of the biggest recent breaches, it’s important to know who will have access to your data, both in your own organization, at the vendor, and at any third parties they work with.
- How do you ensure your staff are trustworthy?
- Are the user actions in the application tracked?
- Do you outsource any of your information security responsibilities? How do you ensure your third party vendors are secure?
- How are user accounts managed in the software?
- Who has access to my data? Who manages the application on the back end?
Risk Area 3: Organizational Priorities
Is the technology provider determined to keep up with information security best practices? Do they conduct regular tests, prioritize cybersecurity in their IT budget and organizational structure, and continually adapt to new threats?
- Are you PCI compliant? Do you have a SOC report?
- Do you have an incident response plan?
- Do you perform routine vulnerability assessments? Has the software been pen tested? How frequently are you audited by external auditors?
- Does your company have a dedicated security team? Is your management committed to info sec?
- Have you ever had a security breach?
- How do you ensure you keep up with constantly changing information security best practices?
Risk Area 4: Ease of Use
One reason why there are still password breaches is because strong passwords are a pain to create and remember. Security practices are only strong if they are fully adopted. Ensure that your interface with the SaaS vendor makes good data security automatic, not an extra hassle that your team might not fully embrace.
- Can we integrate our account and identity management system with the software?
- How do we transfer data to and from the system?
- Do you offer API access? How is access controlled?
- Is the platform highly available, even under peak demand conditions? Will my data be available if a disaster impacts one of your data centers?
- What does my IT department need to do? What level of support do you provide?
- Who is responsible for the protection of my data? Which aspects of security are the responsibility of the provider, and what remains the responsibility of the customer?
Risk Area 5: Data Ownership
Who owns your sensitive data and metadata, where is it located, and is it fully deleted and destroyed upon request? What happens if the vendor goes out of business, or if your business model changes and you decide to cease working with them?
- Where will my data physically reside? Do you control the physical infrastructure or is the data hosted by a third-party cloud provider? Can I specify the geographical location where the data are to be stored?
- Who owns the data? Who owns metadata generated in the course of using the software?
- Which jurisdiction(s) govern the service and our agreement, and how do you comply with regulations in those jurisdictions?
- What is the process of terminating our contract?
- What happens to my data when it’s no longer needed? Are your data and equipment destruction processes secure?
These questions may be helpful for use if you’re issuing an RFP or RFI, or for a discussion with prospective vendors (on either side). We hope you find them useful. For more information on Katabat’s commitment to data security, please drop us a note at firstname.lastname@example.org