Vetting A Compliance Vendor: Why Data Security Can Make All The Difference
Looking for a differentiator? Information security will reveal more than you think
Data makes the world go round. It’s practically a new currency. And like any currency, at some point someone will try to steal it.
This is exactly what’s happening. Data thefts from companies large and small are very common and unlikely to subside anytime soon. In 2017, 179 million records were exposed: the result of 1,579 reported data breaches. In 2015, the financial services industry alone lost $28 million to data theft. A compliance vendor’s approach to data security can teach you a lot about the company as whole. It’s a perfect differentiator for the age of Big Data.
Let’s get physical
Building a data operation is like building a house. You don’t build on anything but the best foundation. In IT terms that means servers and routers but it also means physical security, like locating the data center in an unmarked structure. It means fencing, guards, x-ray machines, and biometric checks. It means false entrances and vehicle blockades. It means locked server cages and cabinets. It means climate control and fire-suppression systems, because data can be compromised for reasons other than theft.
Next up is the server hardware itself. A good vendor replaces its servers on a regular basis, rather than getting by on old equipment that’s increasingly vulnerable to failure. A good vendor also uses trusted technologies, backed by support and maintenance agreements that address the criticality of the supported service and ensure vulnerabilities can be addressed as they arise. Because they will.
On to network topology. Tier-3 is state-of-the-art. It means more redundancy. It means components can be replaced without interrupting data-center operations, and that the data center will operate at 99.98% availability. After that come failovers, so if a firewall has a failure another kicks in. Then there’s virtualization software, also known as a hypervisor. This lets a single server host multiple virtual servers and shifts workload if a physical server suddenly dies. These layers of redundancy, at the hardware level and in the software stack, significantly reduce the probability of client sites going offline.
And don’t forget about certifications. ISO 22031 addresses business continuity, certifying a company has plans in place for disruptive incidents. ISO 27001 is also critical. But remember, all these certifications mean minimum standards have been met. Press the vendor to determine if it’s gone beyond them. In other words, due your due diligence.
A differentiator for the age
Moving nearer the top we come to technical controls. Defense-in-depth means data defenses working at multiple levels in the network. It means layers and levels and the firewalls in between. Beyond these processes at work in the guts of the network are endpoint security systems. Anti-virus and anti-malware software. Security information and event management systems. Patch management solutions. DDoS protection. A vendor serious about data security will also perform vulnerability tests on its own systems.
Finally we come to administrative security. In terms of the compliance software itself, look for a single-tenancy model. Look for single sign-on and roles-based access control. Look for granular user-permissions and encryption of data in-transit and at rest. Ask about visibility walls. Data privacy is more and more seen as an integral part of data security. Determine if the software development life cycle includes static-application security testing, static-code analysis, and developer secure-code training.
Look for a vendor that understands the genuine benefits of seemingly simple things, like staff awareness and privacy training. And always keep in mind that security frameworks are continually evolving. Or rather, they should be. A good compliance vendor is continually looking for improvements across the framework. This is the general attitude and operational philosophy your prospective vendor should be getting across to you.
Compliance software vendors serve the needs of those in the financial industry. But while these specialist vendors need vast amounts of financial industry expertise to do what they do, they’re far more software development companies than anything else. When vetting a compliance vendor, there are numerous aspects of the business you could focus on as a differentiator. Information security is one whose time has come. A vendor that takes data security seriously is a company to be taken seriously at every level.
For a more in-depth look at information security, and a step-by-step guide for using it to select your compliance software vendor, download a FREE copy of our latest deep-dive StarCompliance resource: