As enterprises become ever more reliant on SaaS vendors, it has never been more important to ask the right questions concerning infosec compliance.
Deciding to outsource any mission-critical operation to an external vendor is a tough decision. There are budgets to meet, stakeholders to satisfy, and risks to manage, to name a few of the challenges involved. However, infosec compliance is one area no business can afford to compromise on at a time when the cost of a data breach keeps rising.
Infosec compliance means meeting the rules and industry standards governing information security and the regulatory regimes built around them. Every business, regardless of industry, has legal requirements it must adhere to, and those requirements extend to the data it hands to vendors, so they must be considered whenever you engage a potential SaaS vendor.
With that in mind, here are five key infosec compliance questions you should be asking:
#1. Which recognized data protection standards do you adhere to?
The regulatory landscape has become highly complex, especially for enterprises operating in several jurisdictions. Not only must their own internal processes and systems comply with all relevant regulations; so must their vendors. For example, any organization that collects, stores, or processes personal data of individuals in the EU must comply with the GDPR, and it remains accountable for that data when a vendor processes it on its behalf. In addition, there are data protection standards and frameworks such as SOC 2 and ISO 27001 which, while not legally compulsory, give clients an independently audited view of a potential vendor's security maturity. Ask for the current report or certificate and check that its scope actually covers the service you are buying, not just the vendor's corporate IT.
#2. How do you assess your employees’ understanding of security?
The majority of data breaches involve a human element, such as an employee falling for a targeted social-engineering scam. No matter how sophisticated an organization's security tooling, it counts for little if its employees are poorly trained in basic security hygiene. Since working with any SaaS vendor means putting your sensitive company data in the hands of their employees, ask for demonstrable evidence of how their staff are trained and tested, for example security awareness training records, phishing simulation results, and whether engineers receive secure development training.
#3. How do you separate client data from that belonging to other clients?
These days, sensitive data belonging to thousands of businesses sits in large shared data centers. When choosing a SaaS vendor, you need to know where your data physically resides, which controls protect it, and how it is kept separate from other clients' data. In a multi-tenant public cloud deployment, separation is usually logical: every record is tagged with a tenant identifier that is enforced on every query, often backed by separate schemas or databases and per-tenant encryption keys, so that a bug in one request cannot return another tenant's data. Vendors offering single-tenant or private cloud deployments add physical separation (dedicated infrastructure) on top of this for added security. Ask how tenant isolation is tested, since a single code path that forgets the tenant check is enough to leak data across clients.
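To make the tenant-isolation point concrete, here is an added example (not code from the original page or from any vendor) showing the failure mode beside the hardened form. It uses an in-memory SQLite database with constructed rows for two hypothetical tenants, "acme" and "globex"; the `TenantScopedRepository` class and the invoice table are assumptions made for the illustration. The unscoped lookup returns whatever row matches the id a user supplies; the scoped repository binds the tenant from the authenticated session into every read and write, so the same request from an Acme user returns nothing for a Globex record.

```python
"""Tenant isolation in a multi-tenant SaaS data layer (added example).

Constructed demo, not code from the page or from any vendor: an in-memory
SQLite database holds records for two hypothetical tenants, and a
TenantScopedRepository binds the caller's tenant_id into every query so a
record id supplied by a user can never resolve to another tenant's row.
An unscoped lookup is shown alongside to illustrate the failure mode.
"""
import sqlite3
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER, memo TEXT)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, amount, memo) VALUES (?, ?, ?, ?)",
        [
            (1, "acme", 1200, "Acme Q1 retainer"),
            (2, "acme", 300, "Acme hardware"),
            (3, "globex", 9800, "Globex merger advisory"),
        ],
    )
    conn.commit()
    return conn


def _to_dict(row) -> Optional[dict]:
    if row is None:
        return None
    return {"id": row[0], "tenant_id": row[1], "amount": row[2], "memo": row[3]}


def unscoped_get_invoice(conn: sqlite3.Connection, invoice_id: int) -> Optional[dict]:
    """The failure mode: looks up by id only. Any authenticated user of any tenant
    who guesses an id gets the row, regardless of which tenant owns it."""
    row = conn.execute(
        "SELECT id, tenant_id, amount, memo FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return _to_dict(row)


class TenantScopedRepository:
    """Hardened form: the tenant comes from the authenticated session, never from the
    request payload, and is bound into every SQL statement (reads and writes)."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant_id = tenant_id

    def get_invoice(self, invoice_id: int) -> Optional[dict]:
        row = self._conn.execute(
            "SELECT id, tenant_id, amount, memo FROM invoices"
            " WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant_id),
        ).fetchone()
        return _to_dict(row)

    def list_invoices(self) -> list:
        rows = self._conn.execute(
            "SELECT id, tenant_id, amount, memo FROM invoices"
            " WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [_to_dict(r) for r in rows]

    def update_memo(self, invoice_id: int, memo: str) -> bool:
        """Writes are scoped too; returns False if the row is not this tenant's."""
        cur = self._conn.execute(
            "UPDATE invoices SET memo = ? WHERE id = ? AND tenant_id = ?",
            (memo, invoice_id, self._tenant_id),
        )
        self._conn.commit()
        return cur.rowcount == 1


def cross_tenant_leak_demo() -> dict:
    """What an Acme user sees when asking for Globex's invoice id 3 via each path."""
    conn = build_demo_db()
    acme_repo = TenantScopedRepository(conn, "acme")
    return {
        "unscoped": unscoped_get_invoice(conn, 3),  # leaks Globex's row
        "scoped": acme_repo.get_invoice(3),  # None: not Acme's row
        "scoped_write_blocked": not acme_repo.update_memo(3, "tampered"),
    }


if __name__ == "__main__":
    print(cross_tenant_leak_demo())
```

The design choice worth copying is that the tenant identifier is fixed at repository construction from the session, so no request parameter can override it, and that writes are scoped the same way as reads; a review or test suite at a vendor should cover every query path for exactly this property.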
#4. How do you provide end user and application security?
SaaS vendors operate under a shared responsibility model: the vendor secures the platform, while protecting things like login credentials reasonably falls to the client, since there is not much a vendor can do if a user shares their password. That said, any vendor should provide the means for end users to protect their credentials and their access to cloud applications. At the very least, vendors should support multifactor authentication, single sign-on through your own identity provider, and encryption of data in transit (TLS) and at rest. Be precise when a vendor claims "end-to-end encryption": for most SaaS applications the vendor must decrypt your data to process it, so ask who holds the keys and where decryption happens.
#5. How effective and up to date are your disaster recovery plans?
When you rely on an external vendor for a mission-critical workload, you need to be sure they will live up to the commitments in their service level agreements (SLAs). Disaster can still strike even the best prepared, and that includes the vendors you work with. It is therefore reasonable to ask about their disaster recovery and incident response plans: what recovery time and recovery point objectives (RTO and RPO) they commit to, how often backups are actually restored and the plan is exercised, and how quickly they will notify you of a data breach or any other incident that could leave your corporate data exposed. Under the GDPR a processor must notify the controller of a personal data breach without undue delay, and the controller then has 72 hours to notify its supervisory authority, so the vendor's notification commitment belongs in the contract.
Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.