When you decide to implement a software solution in your organization, one of the biggest challenge that you face is ensuring your data will remain safe, secured and compliant as per company or government policies. A lot of time and energy of many people, including that of senior stakeholders, is spent on addressing those concerns and mitigating the associated risks. And the same holds true when you are planning to roll out a Sales Force Automation solution as it captures valuable information such as market penetration, beats, sales data, customer credit history, marketing campaigns, new launches etc. While an exercise to evaluate those security aspects can be a mammoth and endless task, we have tried to list down some fundamental and important parameters which you should check for a quick but full-proof evaluation of data security and confidentiality measures implemented by your shortlisted SFA vendors.
Let’s first try to categorize the concerns you may have against four major categories.
- Data Theft: How secured the data is from external hacking or any other security incident?
- Data Leakage: How does the vendor ensures that data is not leaked by its employees?
- Data back-up and recovery: How quickly the data can be restored in case of a physical disaster? How old that would be?
- Compliance: Are the security measures in compliance with company policies or with government policies such as GDPR etc.?
We understand that you can take charge of these concerns yourself had the solution been developed and hosted in-house or had you purchased an external solution and host it on your own premise. But that not only results in significant cost escalation (both initial cost and maintenance cost) at your end, you will lose out on regular feature updates and also, your SFA vendor may not agree to let the entire codebase of their solution be available with third party. So, with an assumption that you will eventually go for a cloud-based off the shelf solution, you must do a detailed evaluation on following factors:
- Data security mechanism of the cloud service provider: As the entire data is hosted on a third-party cloud service provider such as GCP, AWS etc., it will be very important to check different security mechanism implemented at their end. For example, are they having globally accepted security certifications, do they regularly conduct security audits, what are the measures for intrusion detection and necessary alerts, what kind of encryption technology is being used at the database level etc.
- Data security measures at the application end: This is where your vendor is directly responsible, and you need to do a thorough analysis whether at the application end important security measures are implemented or not. For example, what kind of authentication is done during log-in, whether the data is encrypted during transmission from mobile device to server, whether the web application is HTTPS enabled, whether the mobile database is encrypted, whether OWASP guidelines (such as preventing SQL injection, XSS, CSRF attacks etc.) are being followed in application coding etc.
- Policies to prevent intentional data leakage: You must check what kind of access controls (at the server level) are available with different stakeholders and whether that’s a full proof mechanism to find out a defaulter in case of any intentional human data security breach. There should be other measures as well such as two factor authentication mechanism for accessing cloud project. Also, you should check what is the company policy at vendor’s end if someone is found guilty of security breach and those policies can act as sufficient deterrent to prevent such incidences.
- Data back-up process: While the cloud service provider must have its own data back-up process, it needs to be checked what kind of back-up processes are in place by the vendor itself and whether they are compromising on the same in order to reduce hardware cost. It is very important to find out number of times back-up is taken, frequency of those back-ups, physical location of back-up servers and whether offline back up is taken in a disc or not.
- Disaster recovery process: One of the important reasons of having a robust data back-up process is to recover and restore the last backed-up data in case of a physical disaster where the servers are hosted. It is important for you to check how quickly the data can be recovered and whether the vendor follows regular drills to ensure quick and efficient disaster recovery with minimum data loss.
- Specific regulatory compliance: With governments getting stricter in terms of how the data is handled by data collector and processor, it is of utmost importance to check whether your SFA vendor is in compliance with those regulations. For example, if you are based in Europe, you need to validate whether all articles and clauses of GDPR are being adhered to or not. To illustrate this further in case of GDPR, you must validate whether the data is physically hosted within Europe, what measures are being taken on anonymization / pseudonymization of personal data, whether personal data is being encrypted etc.