3 security questions to ask when vetting a vendor that needs company data
In my role as senior vice president of engineering, I frequently work closely with the CIOs of large, industrial companies implementing prescriptive sales solutions. As these solutions require the use of company data, ensuring the data remains secure through each and every touch point is critical. Each company that becomes a customer is unique, but data security needs are universal. Below are some of the imperative questions that a CIO should address before implementing any technology from a vendor that requires access to secure company data.
1. Security in the data center: understanding how the data flows into and out of the data center.
Is the data center regarded as a premier service provider? Are the controls at the premium level? What technologies are in place to prevent a data breach? Leveraging fingerprinting technology for data loss prevention is key. Ask how your data will be handled and encrypted when at rest and in transmission. Best practices dictate that SaaS application providers should have controls in place for when data is moving in and out of the data center.
2. Physical security: is the vendor’s office space secure?
Are the laptops of the vendor’s employees secured and encrypted in a way that prevents data from being pulled to a thumb drive? Does the vendor have a data security policy for employees who have access to the data? Consider how your company’s data will be used by vendor employees and ask what protocols are in place to protect your company’s data outside of the data centers as well. Best practices for physical security usually involve audits that ensure protocols are in place in the case of a physical data breach.
3: Mobile security
Access to email and documents on mobile devices is extremely pervasive in today’s business environment. Ask what protocols and controls are in place to secure your data when accessed via mobile devices. Just starting the conversation could reveal some insight in how well the vendor does (or doesn’t) handle data security on mobile devices.
Once you’ve asked these questions, dive into the type of data that’s required. Is personal data required, or can the vendor generate prescriptive guidance using transactional data? Circumventing the need for personal credit card data means you won’t need to be concerned with PCI (Payment Card Industry) requirements.
Vendor protocols should also request annual audits for standards such as SSAE 16 to vet the effectiveness of the vendor’s data security program across all three areas. While I wouldn’t consider this an exhaustive list of imperatives, it’s an excellent starting place to ensure that your vendor is handling company data as securely as possible. Closely scrutinizing how potential vendors keep that data secure is crucial to vendor selection. Company data should be handled with respect, ensuring that the most complete protection possible is in place.
Beth Weeks is responsible for developing innovative, scalable and world-class software products at Zilliant. She brings 30 years of experience building and leading highly productive software development organizations, with more than 18 years success in developing collaborative and effective global teams leveraging offshore partners. Beth graduated magna cum laude from the University of Kentucky with degrees in both computer science and mathematics.