5 Data Security Questions to Ask Your Software Vendor
July 14, 2021
Searching for a software vendor for any aspect of your business can be very time-consuming, whether it’s a product that you know a lot about or an entirely new solution your organization is exploring. You may ask yourself, “What is our number one priority here?” For credit unions, one of the most important considerations should be members’ security.
In today’s world, data is arguably the most valuable currency. In fact, selling personal data is a multi-billion-dollar industry. If you leave your wallet or purse at the store, you can just turn around and go back. Those items are physical. However, entering your personal data or documents into a technology vendor’s servers is entirely different, and there’s generally no way to get that data back.
Now that businesses are able to sign and notarize documents digitally, ensuring data remains secure is of the utmost importance. Documents that need to be signed or notarized hold some of the most personal and sensitive pieces of information. It’s critical that credit unions know where these documents are being stored and for how long.
So, how can you get this information from a potential vendor? Strategic Link partner SIGNiX says it’s surprisingly simple — just ask! The industry-leading digital signature provider asserts that every software vendor worth their salt should be able to answer these key security questions:
- Will you share your information security practices and policies with me?
Ideal answer: “Yes. We will happily send that documentation for you to review.” (If you get anything other than a “yes” here, avoid working with this vendor.)
- Do you have protocols and tools in place to prevent unauthorized access to client data?
Ideal answer: “Yes. Routine access to client data is logged. Static security scans are performed on the source code. Automated and manual dynamic security scans are performed on the running system. An intrusion detection system monitors the network and performs network security scans.”
- Do you outsource any of your information security responsibilities? If so, how do you manage their compliance?
Ideal answer: “All vendor relationships must be supported by a written contract that has been approved by senior management and, for more significant contracts, legal counsel. The relationship manager should review contract terms for all third-party arrangements in sufficient detail as required by the service performed and the level of risk.”
- Do third parties conduct security assessments on your products?
Ideal answer: “Yes. We have multiple third-party companies that conduct regular assessments.”
- Is the data being passed back and forth encrypted at all times?
Ideal answer: “Yes. Documents are encrypted in transit and at rest with 256-bit encryption and are only visible to the sender as well as the party receiving them in that particular session or transaction.”
The best vendors are the ones that relish the opportunity to answer these questions and concerns, because they understand how important your members’ data is. If a vendor avoids these questions, it might be a sign that you should take your business elsewhere.