Software security


Is there a way of discovering what the minimum industry standard security for cloud software is and whether a particular software provider meets those standards?  I'm looking at bookkeeping software for a charity client and want to be able to give the necessary reassurances before they commit.  We are talking about a small charity which prepares accruals accounts so are looking at the more basic end of the market in terms of suitable software.

Replies (3)

By Rob Lambden
29th Mar 2016 14:37

Security Accreditations

There is an International Standard for Information Security that applies to IT services (including online software).  It's ISO 27001, and a reputable provider ought to be accredited.  The latest version of the standard (2013) has tightened up on a lot of areas and I understand from our assessor that about 30% of previously accredited firms are no longer accredited.  Maintaining accreditation requires ongoing audits and certification.

As the accreditation is made by different bodies to the standard there is not a central list of registered firms.  Each accredited organisation should be able to show you a certificate (or quote a certificate number) and you should be able to check that with the certifying body.

Checking that someone has the accreditation is important, but for due diligence you may want to ask what the scope of their accreditation is.  People can only control what is under their control, and so if they use hosting services from another party then the services of that party are not under their control.  One way to get around this is to ensure that any third parties are also accredited appropriately.

It's easy for providers to say something that sounds good, but actually means very little.  One of my favourites is "we use a military grade bunker so your data is ultra secure."  This sounds great; in reality the risk of an assault against the data center to make off with the physical servers is unlikely to be a risk that you or your client are particularly concerned about.  However flooding is much more likely to be a concern - and this particular data center is underground in Berkshire which you will have seen on the news as being prone to flooding.

Currently most people tend to assume that online services are secure, and of course un-proven assumptions are the main area of risk in any system.

The other factors to consider include the Service Level Agreement (SLA) that they offer, and whether they commit to keeping your client's data inside the UK.  It's difficult enough to take action about a security breach that happens in the UK when the attacker could be anywhere in the world.

Many software providers are not accredited (I can't think of any who are); it tends to be service providers that are accredited.  I'm at Online50 and we characterise ourselves as a service provider (mainly providing hosted accounting software) and we are accredited.  We also run our own network so the scope of our Information Security System is very broad.  (Also, not wanting to make this a sales pitch, we do offer a charity discount!)

Good luck and I hope you find something suitable for your client.

Regards
Rob Lambden
Online50
www.online50.net

Thanks (2)
By elliottchandler
30th Mar 2016 00:15

Top Marks
Rob makes an excellent post. ISO27001 is definitely relevant alongside doing your homework on the company.
Elliott

Thanks (0)
By StephenElms
30th Mar 2016 10:46

Also check...

When you check their security credentials you should also check if any data to be stored in the cloud holds any personal details - in which case you need to identify where the server is located, for data protection purposes.

Thanks (0)