At PCRecruiter, we regard security and availability as our most important goals. This commitment extends beyond our internal operations. We understand the crucial role secure and reliable partners play in your organization’s success. But how can you, as a customer, effectively assess potential vendors in terms of their security and availability posture?
Here are some key considerations:
Established Security Certifications
Seek SOC 2 Compliance. This widely recognized independent audit assesses a service organization’s security controls and measures to safeguard customer data. SOC stands for System and Organization Controls. It refers to a framework developed by the American Institute of Certified Public Accountants (AICPA) for assessing the effectiveness of a service organization’s controls related to information security, privacy, and other operational risks.
Consider Additional Certifications. Depending on your industry and data sensitivity, additional certifications like ISO 27001 (Information Security Management) or PCI DSS (Payment Card Industry Data Security Standard) might be important factors.
Scrutinize Security Policies and Procedures
Request access to the vendor’s security policy outlining their approach to protecting your data, who can access it and under what controls, and what their incident response plans entail. It’s important to understand what their communication protocols are in the case of a potential security incident.
Inquire about any third-party testing procedures they employ (for example, independent penetration tests or vulnerability assessments) and learn how they address the vulnerabilities those tests find. It’s one thing for a vendor to claim that their system is secure, but without outside auditing and testing, such claims may be hollow.
Evaluate Disaster Recovery & Business Continuity Plans
Ensure documented disaster recovery plans exist. These plans should outline what the vendor’s backup systems include and how the vendor would restore critical systems and data in case of an outage. You’ll also want to inquire about redundancy measures that guarantee application uptime during unforeseen circumstances.
Your PCRecruiter account is always available to you in a warm standby (read-only) mode, operating on a completely independent and geographically separated infrastructure, and continuously backed up within our current Recovery Point Objective (RPO). We call this our ‘snapshot’ feature. In the event of a loss of access to our primary service, the snapshot can quickly be switched out of read-only mode and promoted to primary service, and then reverted to backup mode as required.
Transparency and Communication
A reputable vendor will openly discuss their security practices and be prepared to answer your questions about them. Look for vendors who prioritize transparency and communicate proactively.
Main Sequence Technology is pleased to provide PCRecruiter users and prospective customers with this information, including documentation of our SOC 2 compliance. Your comfort level, and your ability to meet your own vendor assessment responsibilities to your customers and stakeholders, are important parts of the value that working with our company provides.
Be Wary of Overpromising
Watch out for vendors who make big promises or seem overconfident. The fact is, absolute cybersecurity cannot be guaranteed by anyone for reasons such as:
- Unforeseen Threats (Zero-Day Exploits): Cybercriminals constantly develop novel attack methods (zero-day exploits) that exploit previously unknown vulnerabilities. Even with robust security measures, these new threats can pose a temporary risk until patches or solutions are developed.
- Shared Infrastructure (Internet): The internet, which forms the foundation of most communication and data exchange, inherently presents security challenges. Malicious actors can exploit vulnerabilities within this shared network, potentially impacting even well-secured systems.
- Human Error: Accidental mistakes by employees or authorized users can introduce security vulnerabilities. Social engineering tactics can also manipulate individuals into compromising security protocols.
- Determined Attackers: Highly motivated and well-resourced attackers may relentlessly target specific organizations, employing sophisticated techniques to overpower and defeat commercially realistic security measures.
- External Dependencies: Software applications often rely on libraries, frameworks, and other components developed by third parties. Vulnerabilities in these external dependencies can introduce risks beyond a single vendor’s direct control.
While achieving absolute cybersecurity is an unreachable goal, carefully monitoring the threat landscape, deploying and effectively using reasonable controls, communicating transparently, and deploying skilled and objective third-party experts are what you should expect from your vendors, and what Main Sequence will provide as part of our service. Contact us with your questions.
Please note that this blog post is intended for informational purposes and should not be considered as expert security advice. Appropriate and commercially reasonable business operations regarding cybersecurity are highly dependent on conditions affecting each organization. Each organization should obtain professional services from accredited providers pertinent to their industry and the type of information processing being conducted. This blog post is not a warranty, representation of merchantability, or statement of fitness for any particular purpose regarding the service or other offerings of the company.