Time to know: how compliant and secure is your board portal?

Why is a board portal important?

According to Russell Reynolds studies¹, 88% of the highly digital boards are located in the United States. In Europe boards are lagging far behind on becoming digital savvy. Implementing digital board portals has proven to be more than just a practical solution for better and more effective meetings. It is also a crucial measure to ensure that the integrity and reliability of critical board information is kept secure.

How can you choose a board portal that is both compliant and secure?

By following these 5 criteria, you will be able to opt for a safe and compliant provider:

1. Ensure compliance with applicable legislations 

While compliance is usually not the first topic that comes to mind when talking about security, it is most certainly a very important aspect of security. Outsourcing a business segment does not eliminate the associated regulatory requirements. In most cases it even adds additional responsibilities. Thus, during the process of choosing a board portal provider, compliance with applicable laws should not only be considered in the context of your company, but also in the context of the evaluated provider. 

Depending of the situation (e.g. location, industry) of you and your provider, compliance can become a challenge. Here is an example of two regulations which - in certain situations - can impose a big risk on affected companies:

The GDPR (General Data Protection Regulation) is a European law that consists of a set of regulations governing the privacy and security of personal data. This legislation intends to increase the level of protection over personal data for EU citizens.

The CLOUD Act, however, is a US regulation that allows US authorities to have access to data of US based cloud providers, including the data stored abroad by their subsidiaries.

If your provider and you are subject to both laws, you can end up in the situation where you have to choose between violating the GDPR or the US CLOUD Act. This imposes a great risk because of massive fines.

Therefore, it is important to take the providers nationality and the location of the hosting into consideration when choosing a board portal provider, because this effects applicable regulations.
 

2. Evaluate the datacenter security

It is important to understand that the security of your valuable data is not only affected by measures in the cyberspace, but also by the physical environment of where data is hosted. Therefore, the choice of the datacenter is essential when requiring a high level of security. The three main criteria should be:

Business continuity capability:

• Are environmental threats addressed (flood, earthquake, etc.)?
• Are redundancies for critical components in place (electricity, ISPs, whole sites)?

Physical access control:

• Is physical access limited according to the “Need-to-Know” principle?
• Is physical access controlled and monitored?
• Is authentication and authorization implemented through formal processes?

Information Security Assurance:

• Is the datacenter certified according to best-practice standards (ISO, ISAE, SOC)?

3. Assess cyber-resilience

Cyber-Resilience is often the main focus of every security evaluation. This due to a simple reason: performing a cyber attack does not require you to have physical access to a system, thus the number of potential threat actors is significantly higher. A cyber-resilience assessment should include at least:

Encryption:

• Is data at rest encrypted at all times?
• Is data in transfer encrypted at all times?
• Are strong encryption methods used?

Network Security:

• Are state-of-the-art intrusion prevention solutions employed?
• Are state-of-the-art intrusion detection solution employed?
• Are the systems configured securely (hardened)?
• Is there a formal patch-management-process?

Logging and monitoring:

• Is there a documented audit-trail?
• Are logs being analyzed and monitored?
• Is the risk of administrators manipulating logs addressed?
• Are critical components appropriately monitored?

 
4. Analyze Authentication Processes

Authentication is a very central concept of security. When working with sensitive information nowadays, a solution should provide strong authentication methods. The strength/security of authentication methods can be rated through the following criteria:

• Are minimum requirements for passwords enforced (length, complexity)?
• Are passwords stored or transmitted in plaintext (not encrypted)?
• Can multi-factor authentication be enabled or enforced?

Side note: As the SMS technology is becoming outdated, SMS as a second authentication factor is now being considered as insecure. This is why especially the financial industry, as well as, their providers should start avoid it. While in the context of sensitive information a multifactor authentication with SMS as a second factor is still better than only using a password, more secure alternatives, as for example the SoundProof solution, should be considered.

5. Check the certifications

PwC Partner in Digital Trust and Risk Assurance, Ryan Ettridge, explains that "Certification is a solid way of showing that you have invested and continue to invest to maintain appropriate levels of security based on acknowledged risks."²  

A provider, who claims to offer a secure solution, should support his assertion with independent assurance. If a company wants to audit the quality of its security framework, there are many good and bad options. Here are two best-practice assurances which represent excellent management of information security and are widespread:

• ISO 27001 demonstrates that a company is following the highest security standards, and provides an independent, expert verification that information security is managed in line with international best practices. The ISO 27001 certification should go beyond the data centers, and also include the development, maintenance and operation of the provider’s platform.
• ISAE 3000 is an assurance standard for compliance, sustainability and outsourcing audits. Service organisations report on how they deal with security, privacy or fraud with an ISAE 3000 report containing information on the internal processes and controls. The ISAE 3000 report is audited by professional audit firms to provide assurance that the controls included are actually in place and operate effectively.

A provider of a secure board portal should also conduct regular penetration tests. A penetration test is a technical security audit where security specialists are trying to find vulnerabilities in the software itself. These audits should be conducted minimum once a year and the providers (of the penetration tests) should be rotated regularly. For the sake of transparency it’s best-practice to disclose the results of the pentests to customers or prospects.

If you find these criteria of great importance, and wish to verify how compliant and secure your board portal is, then we invite you to share the checklist internally with your peers. We are glad to provide you with more information.

¹ Russell Reynolds, Digital Economy, Analog Boards: The 2013 Study of Digital Directors, 2014.

² PwC, ISO 27001 – Why is it important?, Auditor Training Blog.

Mathias Brenner

About the author

Mathias holds an EMBA in Digital Transformation and has an academic background in Applied Science in Management and IT Services.