Security concerns in enterprise community software
In a world of increased complexity and uncertainty, your customers are your most important asset. Over the past few years, data privacy and protection measures have placed increased demands on CIO and CTO organizations. 2020 has brought a whole new set of challenges. It’s tempting for many organizations to look for short term solutions when it comes to exploring new SaaS platforms. But it can be reckless and risky to leave your customer data vulnerable.
When you invest in an event community management solution you have a list of hard requirements for it to be feasible in your enterprise setting. You likely care about creating a beautiful, white-labeled experience that is consistent with your brand. Marketing automation and engagement tools are critical for your team to be successful. Authentication and identity management is important and of course you need to understand the extent to which you are able to access and analyze the data for your community program.
Security and compliance should be high on your list as well. We have been fortunate to have worked with some of the world’s greatest companies over the last five years. Here are just a few of the things that we have discovered to be of foundational value, for this type of SaaS offering.
Executive investment
Security must be a top-level concern. Fundamentally a management system for information security should be in place; Security policy should be set by company leadership and regularly reviewed. Regular management reviews, considering the internal and external context of the organization should assure continuing relevance of the management framework as well as information security practices. Bevy became ISO 27001 certified in 2018 and has maintained good standing since. We are undergoing our second annual surveillance audit in 2020 and are planning on maintaining our certification indefinitely.
SOC 2 Reporting
Modern SaaS providers handling enterprise data should in most cases probably be able to deliver a SOC 2 report that is no more than twelve months old. This provides an interested party an independent assessment of a firm's technical controls as related to a set of trust services criteria. SOC 2 Type 1 reports report on a snapshot of what the auditors found at the time of their analysis. SOC 2 Type 2 reports are generally more involved, and report on what the auditors discovered over a review period of usually three to twelve months. In the end SOC 2 reports represent important documentation for vendor risk assessments. Bevy underwent SOC 2 Type 1 reporting in 2018 and SOC 2 Type 2 reporting in 2019. The most recent report is available on request to clients or prospects under NDA.
External penetration tests
Again, there is tremendous value in independent, third-party assessments. We contract at least annually with highly experienced security researchers to evaluate the security of our product offering. These evaluations are in-depth and substantial time investments. Of course, we care about security and perform evaluations internally as well – but an educated outside perspective is extremely important. We are big believers in this and have been doing this for years.
Vetting and training
Employee background checks tend to be common at large companies. At Bevy we made this a standard practice, when we had just over ten people on staff. Security awareness training is ongoing – and we regularly and frequently test our staff's awareness. This has had the effect of ingraining security thinking into routine conversations – with team members proactively posting images of suspicious emails to discuss validity, double-checking on questionable requests, posting security learnings in company chat groups, and so forth.
Secure product development practices
Raising security and privacy concerns during requirements elicitation and design discussions, thoughtful code reviews, selecting and adherence to meaningful application security review frameworks, assuring of automated, security-related tests, and much more – all this matters greatly. At Bevy we have been investing in this for years.
The above is just a glimpse of what we have implemented in our company, team and products – and I consider it critical to continuously earning our clients' trust. Of course, our efforts are always expanding and evolving, too. I am looking forward to sharing much more detail in future posts.