For a mission-driven organisation, investing in board software security that will help your board be even more effective is a key decision. Every penny counts, the reputation of your organisation matters, and when it comes to ensuring the effectiveness of your board, the role of board software security cannot be overstated.
Obviously, we are biased and think you should be choosing BoardEffect but, regardless of that, over the years of onboarding new customers, we have been asked many questions. We can share some of those key questions you should ask about security, when choosing a board software partner for your mission-driven organisation.
A breach due to poor security can result in reputational damage, significant additional costs, staff time spent trying to recover and rebuild data and reports, potential regulatory fines, never mind days, and potentially weeks, of downtime.
The right board software can greatly enhance the security, accuracy and transparency of processes, enabling organisations to meet their regulatory obligations and keeping sensitive board information secure.
Board software security considerations before buying
In this article, we will explore the essential security considerations that organizations with volunteer boards should bear in mind when selecting board management software. These questions go beyond the basic functionality and features of the software, focusing specifically on the robustness of its security measures.
By asking these questions and ensuring the software meets stringent security standards, organisations can minimise the risk of data breaches, unauthorised access, and other cybersecurity vulnerabilities.
When purchasing board software, it is crucial to assess vendors that not just meet your functional requirements, but also prioritise security to protect your sensitive data and ensure regulatory compliance as well as align with your own policies and risk appetite.
Here are key questions for security considerations to keep in mind during the buying process:
Data security
1. Can we submit our security questionnaire to you?
2. What data encryption does your software offer for at rest data?
3. Can you confirm the level of encryption you provide for data in transit?
A thorough assessment of vendor security starts with a security questionnaire. This step allows you to better understand potential risks linked with your vendor’s software and network.
Ensure that the software offers robust data encryption both at rest and in transit. This includes encryption of data stored in databases, backups and during communication between the user’s devices and the software’s servers. Strong encryption algorithms, such as AES-256, should be implemented to safeguard sensitive information.
Access controls
4. What access control mechanisms are provided by the software?
5. How is authentication and sign-on handled?
6. How is remote access handled?
7. How does your technology handle role-based access controls (RBAC)?
Evaluate the access control mechanisms provided by the software. Look for features like multi-factor authentication (MFA) that require users to provide multiple forms of identification to access the system, as well as Single-sign-on (SSO) or SAML based support. Role-based access controls (RBAC) are also important, allowing administrators to assign different levels of access to users based on their roles and responsibilities.
Compliance and certifications
8. What certifications and industry standards do you comply with that would be relevant to our organisation and location?
9. Is your software HIPAA and/or HITECH compliant?
10. Is your software NIST compliant?
Check if the software complies with industry standards and regulations relevant to your organisation. Examples include ISO 27001 (information security management), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), HITECH (Health Information Technology for Economic and Clinical Health Act) and SOC 2 (Service Organisation Control). Third-party audits and certifications can provide assurance regarding the software security controls and practices.
NIST is one of the most robust security frameworks followed across the globe while The Federal Risk and Authorisation Management Program (FedRAMP) is a U.S. government program that provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services.
Data privacy & residency
11. How does your technology handle privacy policy and data handling?
12. Are data residency requirements met for hosting of data for specific regions?
13. How are you adhering to data protection regulations?
14. How is user data collected, stored, processed and shared?
15. Can you confirm you do not sell or misuse user data?
Review the software provider’s privacy policy and data handling practices, and if data in specific region cannot leave that region, then make sure residency requirements are being met. Ensure that they adhere to data protection regulations and clearly define how user data is collected, stored, processed and shared. Verify that the software vendor does not sell or misuse user data.
Vulnerability management for board software security
16. What is your approach to vulnerability management?
17. What are your processes for identifying, assessing and patching security vulnerabilities in your software?
Regular security updates and timely patches are essential to mitigate emerging threats. Inquire about the vendor’s approach to vulnerability management. Ask about their processes for identifying, assessing and patching security vulnerabilities in their software.
Data backup and recovery
18. How often are data backups done?
19. Where is the backup data stored?
20. What Recovery Time Objectives and Recovery Point Objectives can you guarantee?
21. What else do you have in place for disaster recovery?
Adequate backup and recovery mechanisms protect against data loss due to unforeseen events or system failures. Understand the software’s data backup and disaster recovery capabilities. Ask about the frequency of backups, the storage location of backup data, and the recovery time objectives (RTOs) and recovery point objectives (RPOs) they can guarantee.
Incident response and monitoring
22. How does your incident response and monitoring work?
23. What processes do you have for detecting and monitoring security incidents?
Proactive monitoring, intrusion detection systems (IDS), and security incident and event management (SIEM) solutions are valuable components for early threat detection and effective incident response. Inquire about the software provider’s incident response and monitoring capabilities. Ask about their processes for detecting and responding to security incidents.
Vendor viability, security practices, third-party risk
25. What are your internal security policies?
26. How do you train employees on security and risk?
27. What background checks do you carry out?
28. Do you use any other infrastructure providers or sub-processors?
A vendor with robust security measures in place is more likely to prioritise the security of their software. Further, do the same to assess third-party risk – which infrastructure providers or sub-processors do they use in processing or storing your data and make sure that supply chain is as equally strong as the vendor itself.
In assessing various vendors – you may be looking at start-ups vs established providers – your evaluation process should consider the track record of the vendor in business, are they local vs. global, can they support your organisation’s needs. Further, evaluate the software vendor’s own security practices. Inquire about their internal security policies, employee training and background checks, some of these will come through various security compliance certifications but not necessarily all of them.
Data ownership and portability for board software security
29. What happens to our data if we do decide to stop using your software?
30. Can you confirm you won’t retain or use our data if we do terminate?
If you decide to stop using the technology you need to understand what happens and what the costs of unravelling the relationship are. It should be easy to export all your data in a format that is easy to use and save.
Clarify ownership and portability rights of your data. Ensure that you can easily export or connect to your data from the software if you decide to switch vendors or discontinue using the service. Verify that the vendor will not retain or use your data after termination of the service.
Service level agreements (SLAs)
31. What are the support level agreements?
32. Are there any clauses in your SLAs relating to security that we should know about?
Review the SLAs provided by the software vendor. Pay attention to clauses related to security, availability and incident response time frames. Clear SLAs help establish expectations and ensure the vendor’s accountability for maintaining a secure and reliable service.
Independent security assessment for board software security
33. Do you use a third party to evaluate your software security controls and practices?
This can provide an unbiased evaluation of the software’s security posture and help deliver extra comfort around security.