Data is the lifeblood of your organization and a significant responsibility to manage and protect. As the steward of this sensitive information, you work diligently to instill policies and take precautions to maintain data security.
But what happens if your company’s legal team calls to inform you that confidential data has been compromised? You discover the source of the breach is an unsecured data collection tool someone in your company started using without your knowledge or approval.
Suddenly, you’re grappling with a serious data leak that may result in loss of customer trust, legal battles, and fines. So, how can you prevent breaches from happening in the future?
It starts with making a data security, privacy, and compliance assessment part of your procurement process, not a box to check after a team has already selected a software. This is even more important to address when vetting a form building and data collection solution for your organization.
The Need for Data Security in a Data Collection Platform
Selecting vendors with strict data security policies and practices may seem obvious to you as a security leader. But for other teams within your organization, the selection process is more focused on functionality, ease of use, or budget. Security is often an afterthought, or may not be a consideration at all.
SaaS software is instrumental in keeping business processes efficient and helping your organization scale. But selecting vendors that don’t prioritize data security, privacy, and compliance — even if they provide other benefits — is a risk you simply cannot take.
When selecting a solution for collecting data, this data collection platform becomes your partner in gathering, managing, and ultimately securing sensitive information. Data captured through their platform is only as safe as their internal data security policy and practices.
As the one primarily responsible for protecting your organization’s data, it’s critical that you make this a required step in the process. Here are three simple steps you can take as you begin the procurement process for a new form building and data collection platform.
Step #1: Assess Internal Resources
Any vendor that prioritizes data security, privacy, and compliance will have a team dedicated to ensuring these policies and practices are maintained within their organization. You don’t want to partner with a data collection platform that has no clear, documented security stance, specialized personnel, or certifications proving compliance.
“The data collection platform should have dedicated personnel in key areas such as data security, compliance, and privacy. These people should be actively maintaining certificates to stay current and knowledgeable in their areas of expertise. Look first for ISC2-CISSP, ISACA-CISA/CISM, and GIAC-GISF/GISP certifications.”
David Scovetta, Director of Security and Compliance at FormAssembly
Questions to ask:
- How big is the security team?
- Are team members 100% focused on security or do they have other responsibilities?
- What are their credentials?
Step #2: Assess the Security of Technology
Once you have a clear understanding of who is responsible for managing the data security policy in your potential data collection platform, you should assess the security of their technology. This platform is likely using third-party vendors as part of their own business operations. Be sure to assess if their systems and processes are properly documented, monitored, and audited for security threats.
“Certifications such as SOC-2 demonstrate the data collection platform’s commitment to security best practices and transparency. Independent third-party testing and auditing demonstrates accountability. A business continuity and disaster recovery plan shows that the data collection platform has determined the optimal way to handle any issues that may arise.”
David Scovetta, Director of Security and Compliance at FormAssembly
Questions to ask:
- What certifications do they hold?
- How do they document processes and systems?
- Do they regularly monitor, test, and audit?
- What is their business continuity and disaster recovery plan?
Step #3: Assess Business Security
It’s one thing for a data collection platform to have a security framework in place. But it is equally important that they demonstrate accountability in following and managing these policies.
“A company that holds itself to strict standards in its daily practices has documentation in place that outlines those standards. Review the data collection platform’s privacy, security and compliance policies and look for language that speaks to the business’s proactiveness in identifying and responding to threats, and how they will respond to issues that impact customer data.”
David Scovetta, Director of Security and Compliance at FormAssembly
Questions to ask:
- What measures do they take to secure their internal systems and technology?
- Do they have systems, programs, and processes in place for threat detection, identification and authentication, cybersecurity and privacy governance?
- How comprehensive is the security training for their employees and how often is it conducted?
Keep Your Data Safe
Procuring a form builder and data collection platform doesn’t have to be a challenge. Download our Data Collection Security Checklist for a curated list of questions to ask a potential vendor and what to look for in their response before you trust them with your organization’s data.
