Cybersecurity is one of the leading concerns for executives in 2023. The global cost of cybercrime is estimated to exceed $6 trillion per year. Data breaches affect even the largest and most secure companies. But when so many platforms are outsourced, how can you be sure your data is safe?
While your technology vendors should be able to show you exactly how they can keep your data and research safe, John Nord, chief information officer at Cayuse, shares his insights to help you better understand which certifications and regional expertise you should be looking for when adding a new technology product.
Security certifications your tech vendor must have
According to Nord, a research institution should seek several different security and compliance certifications when vetting new technology providers: the ISO 27001 and SOC 2 certifications, both Type 1 and Type 2.
ISO 27001
The ISO/IEC 27001 is the world’s best-known standard for information security management systems and their requirements. It helps organizations manage assets, including financial data, intellectual property, employee data, and data entrusted to third parties.
“The ISO 27001 really just shows that the organization you’re doing business with has an overall security program in place — they have policies, they have procedures, all those things that we look for in our technology providers,” Nord says.
SOC 2 Type 1
SOC 2 defines criteria for managing customer data. It was developed by the American Institute of Certified Public Accountants (AICPA) and is based on five “trust service principles”:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
The reports are unique to each organization. A Type 1 report covers the design of your vendor's systems and controls. In other words, it assesses whether the platform is structured to meet the trust principles and your standards.
SOC 2 Type 2
SOC 2 Type 2 outlines operational effectiveness over time by observing operations for six months.
“Both SOC 2 certifications — or audit paperwork — are standards I definitely recommend that any provider should be able to give you before you do business with them,” Nord adds.
Security certifications based on industry or location
Other certifications may be based on your industry or location, including the following standards and requirements:
State-based RAMP standards
Risk and Authorization Management Program (RAMP) requirements differ from state to state, so be sure your vendor is prepared to meet your organization's standards. For example, TX-RAMP is required in Texas, while FedRAMP is needed for U.S. federal government customers.
GDPR and CCPA compliance
If you have data privacy requirements like most research organizations, your vendors should be able to show they have General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance and can prove it with their privacy policies and practices.
HIPAA and protected health information
In healthcare-related settings, the Health Insurance Portability and Accountability Act (HIPAA) and protected health information (PHI) are two major non-negotiable categories.
“One thing to look for is that the potential vendor meets those requirements around HIPAA, but also that they use a high-trust framework like ISO 27001 to manage their security programs,” Nord notes. “That covers a lot of areas.”
Other factors to consider
While being compliant is great, being secure is even better. As you evaluate potential vendors, ensure they are willing to work with you. They should answer your questions and meet your specific needs.
“One of the most important things we ask is whether the vendors we work with are willing to work with us,” Nord discloses. “We don’t want a vendor to say, ‘Hey, just go to this website and download what you need.’ If we have questions or concerns, we want to make sure our vendors are able to meet those needs and are willing to discuss and see how we can meet compliance needs going forward.”
Questions to ask a potential vendor include:
- Can you manage regional specifications? For example, the United States, United Kingdom, European Union, and Australia all have slightly different regulations.
- What about Controlled Unclassified Information (CUI)? In the United States, if companies work with the U.S. government on research programs, they must determine if their vendors know how to handle CUI and how they manage it.