Question 1 – Where and how does the vendor store their data?
It may come as a surprise, but it actually doesn’t make a vendor’s solution more or less secure because they run in the cloud. Regardless of where the data is stored, the same security principles apply. The question to ask is how is the data stored and protected? How much control does the service provider have over the infrastructure?
Question 2 – Does the vendor have basic network security measures such as firewalls, intrusion prevention systems and anti-virus solutions implemented?
This may seem like an obvious question but don’t be afraid to drill a little deeper. Ask if the vendor’s security defence is actively managed? If their network security measures are actively monitored, this increases the likelihood that potential cyber attacks and breaches will be detected and mitigated.
Question 3 – How does the software manage the various levels of access?
Each software provider will have a model of how varying levels of user access are managed. A good question to ask is: how are different levels of user access controlled, and how is access is granted? Cloud providers tend to offer a “multitenant” application, where your data is stored alongside everyone else’s data. So, ask your cloud provider how they separate your client data so other advisers cannot see it!
Question 4 – How does the vendor encrypt your data?
You will want your data to be encrypted in at least two areas: when it is stored in the database, and when it travels to and from the database and your computer. Ask the vendor if and how the data is encrypted and if they use the latest industry standard.
Question 5 – how often do they deploy updates and how are these updates communicated to users?
Software updates, including security patches, are vital to the integrity of the system. Ask for their patch cycle especially pertaining to the underlying infrastructure such as the operating system. Ideally systems should be updated as soon as they are available. Expect no less than an update each month.
Question 6 – Does the vendor have access to your data?
Depending on the data and your requirements, you may not want your data to be accessible by anyone else at all, including the vendor. Ask how, and under what conditions, the vendor will provide access to your data to anyone and ask how the vendor is able to identify unauthorised access.
Question 7 – How often does the vendor carry out security tests?
Security testing should be carried out as part of the development life cycle. It is wise to ask how and when the vendor performs security testing, and what percentage of their staff is trained in or dedicated to software security. Also ask if a third party has performed regular penetration tests, and if so, can you get a copy of the latest results?
Question 8 – Has the vendor got plans for disaster recovery?
To trust a software provider with your data you should be reassured that data is safe in case of a disaster, such as a power loss or a hard drive failure. It’s imperative to know how often your data is backed up and where the backup is kept, and what guarantees there are to ensure a backup is always available.
Question 9 – Are they able to provide certificates on applicable compliance standards?
Having the relevant compliance certificates is a good indication that formal policies and processes have been put in place. If the software provider is storing credit card information, they will need to be compliant with PCI/DSS. ISO27001 is another popular accreditation to show that the provider has taken security into consideration.
Julian Plummer, managing director, Midwinter Financial Services
Other important questions I’d aim towards Julian… Is your software slow, buggy and crash constantly? Do your staff respond to queries? Does anyone care when things don’t really work? Do you care about accuracy? Do you listen to advisers?