Posted by John Kleeman
This week marks the longest day of the year in the Northern Hemisphere, and in a few lucky places there are 24 hours of daylight.
We can imagine that in ancient days, watchers on castles could relax a bit with the longer hours of sunlight, as it was harder for marauders to sneak up without the cover of night. But in the modern-day cloud world, time of day doesn’t impact security much. Light or dark, you need to keep watch 24 hours a day, 365 days a year to be sure of your assessment security.
Here are 24 questions you might want to ask your assessment software supplier to check that your assessments and results will be safe all day and night long.
1. Do you host assessments in a professional Data Center, certified to SSAE 16 or ISO 27001?
2. Does the Data Center have 24/7/365 physical security?
3. Does the Data Center have 24/7/365 network monitoring so that if an issue arises, someone is continually monitoring to react to it?
4. Are the servers monitored by CCTV cameras?
5. Does your Data Center have multiple connections to the power grid with onsite generators with at least 24 hours fuel onsite in case of power outages?
6. Does your Data Center have multiple, fast Internet links so that if one goes down, connectivity remains?
Systems and software
7. Is every server in the system load balanced and does every component have redundancy, so that if any one system fails, another can take over?
8. Is there an Intrusion Detection or Prevention System (IDS or IPS) in place to help protect against attackers?
9. Is browser access to assessments and administration protected by SSL/TLS to 128 bits or higher, so that assessment data and results cannot be intercepted on the Internet?
10. Is your anti-virus software deployed on all relevant servers and up to date?
11. Do you have separate staging areas to test on before deploying to production?
12. Does all application communication use a strong encryption algorithm? Have you retired any use of the less secure MD5 algorithm, which was very popular in the past?
13. Do you background check all employees before you hire them, to check for a criminal history?
14. Do you have a signed confidentiality agreement on file with all your employees and do subcontractors have such agreements on file with all their personnel?
15. Do you train all personnel on data security and test them annually to check they understand?
16. When an employee leaves, do you remove all their access? Do you have a procedure to audit this to confirm it’s really happened?
17. Do you follow industry good practice in software development to reduce surface areas of attack and protect against security vulnerabilities?
18. Do you have a dedicated security team reporting in to an executive officer of the company?
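A check you can run yourself for questions 9 and 12, added here as an example (this is not code from the post or from Questionmark): it makes the same TLS handshake a browser would to the vendor's assessment URL and reports whether the negotiated protocol, cipher strength and primitives meet the bar those questions set. The host name is a placeholder, and the policy thresholds (128 bits, no legacy protocol versions, no MD5/RC4/DES/NULL/EXPORT suites) are my assumptions based on the questions.

```python
import re
import socket
import ssl

# Policy assumed from questions 9 and 12 above: at least 128-bit symmetric
# strength, no legacy protocol versions, and no retired primitives (MD5 etc.)
# anywhere in the negotiated cipher suite name.
MIN_BITS = 128
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RETIRED_PRIMITIVES = re.compile(r"(MD5|RC4|DES|NULL|EXPORT)", re.IGNORECASE)


def evaluate_cipher(name, protocol, bits):
    """Return a list of policy findings; an empty list means the connection passes."""
    findings = []
    if bits < MIN_BITS:
        findings.append(f"cipher strength {bits} bits is below {MIN_BITS}")
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {protocol} negotiated")
    if RETIRED_PRIMITIVES.search(name):
        findings.append(f"cipher suite {name} uses a retired primitive")
    return findings


def check_assessment_site(host, port=443, timeout=5.0):
    """Connect like a browser and evaluate what the server actually negotiated.

    Returns (cipher_name, protocol, bits, findings). Certificate validation stays
    on (create_default_context), so an untrusted certificate raises ssl.SSLError,
    which is itself a finding worth raising with the supplier.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            # SSLSocket.cipher() returns (suite name, protocol version, secret bits)
            name, protocol, bits = tls.cipher()
            return name, protocol, bits, evaluate_cipher(name, protocol, bits)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    name, protocol, bits, findings = check_assessment_site(host)
    print(f"{host}: {protocol} {name} ({bits} bits)")
    for finding in findings or ["meets policy"]:
        print(" -", finding)
```

Run it against the vendor's assessment and administration host names; the findings list is what you would put back to the supplier.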
Putting it all together to ensure you don’t lose the “crown jewels” of your assessment data
19. Are regular penetration tests run against the system by a third-party supplier?
20. Do you destroy faulty or end-of-life disks to ensure no-one can later access the data?
21. Do you have a disaster recovery plan? Suppose you lose your email or another key system, can you communicate internally and with customers, and have you tested this?
22. Are you transparent about your security? For instance, did you disclose what you did about the Heartbleed vulnerability that impacted much of the Internet in April 2014?
23. Can I see real-time information on the current status and uptime, and access statistics from round the world? See http://status.questionmark.com for an example of what you might look for from a provider.
24. Are results data backed up safely and off-site (over the Internet) at least hourly, so that in the event of a catastrophe, you would not normally lose more than an hour’s worth of data?
I hope this list of questions helps you think about your assessment security over midsummer and all the other days of the year. In case you’re wondering, if you use Questionmark OnDemand, the answers to all the questions are “yes”.
Click here to see Questionmark’s security video.