When choosing a web-based CMMS solution, data security is a vital criterion. However, given the many technical criteria that are unfamiliar to laypeople, it is difficult to make a quick evaluation of a web-based CMMS provider’s ability to protect your data.
Here are the top 5 questions to consider when evaluating a provider in terms of security.
What will happen to our data if we want to change software?
The data you create and store on your web-based maintenance software provider’s server must always remain your property. The provider must guarantee that, if the contract is terminated, your data will be copied and transmitted to you upon request.
Be sure that your data will be returned to you in a format that allows for easy migration to different software from another provider.
What SLAs (service-level agreements) do you offer?
The service-level agreement (SLA) is essential in Software as a Service (SaaS) contracts, because it is what guarantees that the service delivered will conform to the provider’s commitments. In addition, the service-level agreement is supposed to set out remedies for cases in which the provider is unable to honor those commitments.
As a result, it is essential that you make sure your provider offers such an agreement and that you read it carefully, if applicable.
First, check with your provider for a sufficient service availability rate, and be sure you understand their definition of service availability and unavailability. The availability rate is determined by the classification of your provider’s data center(s).
Next, ask what measures are in place to deal with incidents: disaster recovery, expected timeframes for resolution, etc.
Have you ever experienced a data breach?
Ask your CMMS provider for a complete list of security breaches that have occurred within the company, then ask about the corrective measures they chose to take. This will give you valuable insight into their ability to react and the type of security they’ve implemented. For example, consistently performing security audits and penetration tests demonstrates an understanding of how important it is to strengthen the security of user data.
The physical security of your data is essential as well. Ask the web-based CMMS provider what policies they have established to prevent and/or respond to a malicious attempt at transferring data from one of their company’s computers to an external peripheral, such as a memory stick.
Will you have access to advanced identity management and access control features?
To avoid leaving sensitive data about your business vulnerable to access by bad actors, your web-based CMMS provider must guarantee:
1. Optimal password security:
Password management for a fully web-based software program must comply with three fundamental IT security rules:
Single login with limited session length
For web-based software, simultaneous connections to the same account using the same credentials represent a security vulnerability. Users often forget to log out of a session, which also puts the confidentiality of your data at risk, so setting a maximum session length is necessary.
Automatic password expiration
Keeping the same password for too long increases vulnerability to hacking attempts, so changing passwords regularly is vital. To avoid making manual password change requests to all software users, automate the process by setting a maximum period of validity.
For greater convenience, be sure the web-based CMMS provider allows you to set that period as you see fit.
Limited number of login attempts
One common hacking technique is to use automation software to try a large number of passwords in rapid succession. It is therefore important to limit the number of login attempts. Furthermore, it is worthwhile to keep a record of these login attempts in case you need to investigate a potential attacker’s identity.
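As an added illustration (not code from this article or from any CMMS product), the following Python sketch enforces the three password rules described above: one active session per account with a maximum length, automatic password expiration, and a capped number of login attempts with every attempt recorded for later investigation. The policy values are constructed assumptions; a real CMMS should let an administrator set them.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not figures from the article).
MAX_FAILED = 5                         # failed logins before the account locks
LOCKOUT = timedelta(minutes=15)        # how long the lock lasts
MAX_SESSION = timedelta(hours=8)       # limited session length
PASSWORD_MAX_AGE = timedelta(days=90)  # automatic password expiration

audit_log = []   # every attempt as (time, user, outcome), kept for investigation
sessions = {}    # user -> session expiry time; at most one session per account
accounts = {}    # user -> {"salt", "hash", "set_at", "failed", "locked_until"}

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_account(user, password, now):
    salt = os.urandom(16)
    accounts[user] = {"salt": salt, "hash": hash_pw(password, salt),
                      "set_at": now, "failed": 0, "locked_until": None}

def login(user, password, now):
    """Apply the three rules in order and return an outcome; always logs the attempt."""
    acct = accounts.get(user)
    outcome = "unknown_user"
    if acct is not None:
        if acct["locked_until"] and now < acct["locked_until"]:
            outcome = "locked"
        elif not hmac.compare_digest(hash_pw(password, acct["salt"]), acct["hash"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED:          # limited number of attempts
                acct["locked_until"] = now + LOCKOUT
                acct["failed"] = 0
            outcome = "bad_password"
        elif now - acct["set_at"] > PASSWORD_MAX_AGE:  # automatic expiration
            outcome = "password_expired"
        elif user in sessions and now < sessions[user]:  # single login per account
            outcome = "already_logged_in"
        else:
            acct["failed"] = 0
            sessions[user] = now + MAX_SESSION         # limited session length
            outcome = "ok"
    audit_log.append((now, user, outcome))
    return outcome

def session_valid(user, now):
    """True only while a session exists and has not reached MAX_SESSION."""
    return user in sessions and now < sessions[user]
```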
2. Option to assign profiles to users
Not all the users of your company’s web-based CMMS need access to the same data. In addition to controlling access to the software, you must control access to the data within that software.
For example, an administrative manager doesn’t need access to the features and data that a technician requires. You’ll need to have the ability to assign broader or narrower access to users based on their status.
How is your physical cloud infrastructure protected?
Of course, the physical data storage infrastructure must be secure.
Consider asking your provider the following questions: Are your data centers equipped with video surveillance? How is entry to the data centers monitored? What fire safety standards are applied?
Note: ISO standard 27002 provides reliable assurance of a data center’s physical security.
Finally, verify that your data are replicated in a backup data center to provide for contingencies.