Why It’s Critical to Know the Information Security Standards of Your Suppliers

Standards seek to turn security from a subjective topic into an objective one. They put firm guidelines in place to set a minimum level of security, ensuring that anyone inside or outside of an organisation understands the level of protection on offer.

In an age of unprecedented connectedness, where any system is only as strong as its weakest point, understanding the security standards of your software suppliers has never been more important.

What are software security standards?

There’s no single software security standard, but rather a wealth of different standards that cover the full spectrum of technology. Therefore, knowing which to look for requires a good level of technical knowledge. As an example, at ELMO we seek suppliers with the following security credentials:

• ISO 27001:2013
• PCI DSS
• SOC 1, 2 and 3

What these certifications signify is the achievement of a known security baseline. It’s a minimum that suppliers then build upon, sculpting security measures to their specific solution.

But at ELMO it’s not a case of ‘no certification, no deal’. Where suppliers do not have these credentials they may still be considered if they can implement the right security controls. These security controls are defined jointly and agreed prior to purchase.

What are a company’s risks and responsibilities?

The risks of not conducting due diligence on supplier security are significant. Companies that fail to vet a supplier’s security credentials may inherit or incur additional security risks that could lead to data breaches or other security events. Using an unproven library could open up a backdoor into the system, for example.

But it’s also important to understand that supplier security only forms part of an organisation’s broader security efforts.

Most data breaches can be traced back to human error, so it is vital that organisations have appropriate training and security controls for their employees. If an employee leaves an organisation and still retains access to vital systems this could result in a data breach, therefore HR onboarding and offboarding processes must always cover access to systems. They must also be regularly audited to ensure completeness.

ELMO’s approach to data security

As a supplier, ELMO holds ISO 27001:2013 certification, and undergoes surveillance audits every six months. This acts as a baseline, both for our ongoing operations security and our ability to manage risk. We have a dedicated security team whose focus is on ensuring security practices remain top of mind for employees at every level and in every role. Security is ingrained into the very fabric of the business.

When it comes to the security practices of our own suppliers, we assess each new supplier to ensure their security credentials are valid, and identify any additional security controls required to meet our own security posture. We actively monitor all suppliers on an ongoing basis to ensure the security controls are in place and working as expected.

This assessment and monitoring represents a significant investment of time and resources. But as an organisation that operates on both sides of the security coin, we understand the dangers of not performing this due diligence, and know that the cost of prevention is so much less than cure.

At ELMO we take security seriously, no matter whether we’re talking about our own protocols or those of our suppliers, as we know that both are inextricably linked. The result? Total confidence in the integrity of our cloud-based HR solutions.