Every week, cyber-attacks make the headlines, ruining company reputations and
costing millions of dollars. Yet business leaders often fail to ask important
questions when interviewing, hiring, and onboarding a new outsourced QA partner.
They focus on speed and cost while assuming that security is covered. When
searching for a cyber security testing company, you need to define which
requirements cannot be compromised on, and strong security standards and
protocols should be at the top of that list.
Following are some of the questions you should ask your
potential QA service provider to determine whether they’re the right fit for
your organization.
How do you secure the perimeter?
Start with the basics. This question should give you an idea of the provider's
security mechanisms for protecting their own environment, and your product and
data within it, at every layer. Attackers look for any vulnerability they can
exploit, so it is your job, and simultaneously your QA provider's job, to ensure
that the expected controls (intrusion detection and prevention systems, web
application firewalls, etc.) are in place. Ask for specifics: which of these
controls sit in front of the test environments that will hold your code and
data, and who reviews their alerts.
Have you achieved any data protection standards?
QA service providers use certifications and audit reports as evidence that they
comply with standards set by an authoritative body. Some of the most common are
ISO 27001 (a certification), SOC 2 (an auditor's attestation report rather than
a certificate), and SSAE 16 (the auditing standard under which older SOC reports
were issued; it has since been superseded by SSAE 18), plus data-transfer
frameworks such as Safe Harbor (invalidated by the EU Court of Justice in 2015,
so it should not be accepted as current evidence). Know which of these apply to
your industry and your data, ask for the actual certificate or report rather
than a logo, and check its scope and date.
How do you safeguard your customer data?
Ensure that the cyber security testing company you are planning to hire gives a
detailed explanation of how data is segmented and stored, and how it is
encrypted both at rest and in transit. Customer data should ideally be stored on
a separate database server that sits behind a firewall and is reachable only
from the application tier, never directly from the internet or from general
staff workstations. This makes for a more complicated setup, but the security
benefits are well worth the effort.
How do you monitor internal and external traffic to and from your network?
Your potential cyber security testing company should have a strong system in
place for detecting malicious traffic on its network. It should be able to
identify suspicious activity, tie each alert back to the actual user or process
responsible, and take swift action against those events. Ask how alerts are
triaged, who is on call, and how long it typically takes from alert to response.
What is your incident response mechanism?
Suffering a data breach hurts, but it is more painful if you have no idea how
to deal with it. Your QA provider should have a comprehensive response plan
outlining key actions and assigning roles to deal with the aftermath of an
attack, including when and how you, the customer, will be notified. A
well-written plan shortens the time from initial breach to first response and
sets a coordinated response effort in motion.
How do you assess employees' security understanding?
Your potential provider should have a security awareness program with regular
reviews or testing (for example, phishing simulations) on its agenda. Human
error is a factor in a large share of major security breaches, so make sure the
company you are considering pays special attention to employee training.
What best practices do you follow for cyber security?
Your QA provider should have a layered approach to security.
When asking this question, listen for most of the following points:
- Data backup policy
- Insider threat management and detection
- Employee, contractor, and vendor monitoring to prevent data loss
- Security training and education
- Regularly updated systems and software
- Thorough incident response playbook
- Maintained compliance certifications