
5 Critical Security Questions to Ask Your Predictive Scoring Vendor


Lattice knows that the confidentiality, integrity, availability and privacy of data are serious concerns for our customers, which is why we’ve implemented a state-of-the-art security architecture. Lattice is certified as compliant with ISO 27001 and is the only predictive scoring solution to have achieved this certification. You can learn more on our Trust page. In this blog, I will share five specific questions you can use to test the security measures of predictive scoring vendors (or any SaaS vendor, for that matter).

We’ve all seen the statistics about how marketing will soon spend more on technology than the IT department. But since marketers are newer to the task of evaluating software, they often don’t know whether they’re asking all the right questions. As a result, they can end up putting their critical customer and prospect data at risk. Considering that the average CRM and marketing database is worth millions of dollars, do you really want to have to explain to your Board why it got compromised?

Is Your SaaS Vendor Vulnerable? 5 Key Questions That Could Save Your Job

It’s critical that you do your homework and know the right questions to ask. Choosing the biggest or best-branded vendor isn’t even a guarantee (just look at Target or Snapchat). Here is a list of five direct questions to ask your marketing technology providers to ensure a good night’s sleep. Well, at least until the next QBR meeting.

1. Are you ISO 27001 compliant?
2. Who are your toughest customers?
3. Are you TRUSTe certified?
4. What about global privacy? Are you US/EU Safe Harbor Certified?
5. Do you have SSAE 16 Audited Tier One Data Centers?

Are you ISO 27001 compliant?

The Industry Standards Organization, or ISO, recently updated ISO 27001, which is the internationally recognized standard for certifying that a provider’s information security management system protects its information and its customers. It includes a broad span of requirements that ensure every aspect of the organization adheres to best practices related to security and privacy, which is no small task. As you make any decision regarding marketing technology, ensure this certification has been validated by an independent accredited organization, such as BrightLine. You can learn more about the ISO 27001 standard here.

Who are your toughest customers?

We find that smaller, fast growing companies often don’t have the resources available to perform their own security audits for every potential software vendor. After all, it’s their ability to move fast that gives them a competitive edge. But here’s a good tip – why not cheat off the big guys? Ask for a list of enterprise customers from a software provider and look for companies that you know take security very seriously. Banks and security providers are a good place to start. At Lattice, we’ve sold to three of the largest banks in the U.S. as well as companies like DocuSign and CA Technologies. I can assure you that passing their security audits is no simple “check-box” item.

Are you TRUSTe certified?

While often overlooked, privacy is also a key component of a security policy. How do you know where your company’s information is being used, what information is being gathered and for what purpose? Any reputable SaaS vendor should have a published and audited privacy policy outlining every one of these details. At Lattice, we partnered with TRUSTe and get audited regularly to ensure our privacy policy is up to date and followed religiously. You can learn more about TRUSTe here.

What about global privacy? Are you US/EU Safe Harbor Certified?

Even if your company doesn’t have offices outside the US, that doesn’t mean you’re off the hook for adhering to EU privacy laws. If you market or sell to companies in Europe, you’re still vulnerable. US/EU Safe Harbor Certification indicates that a vendor complies with the standard’s principles, which are designed to prevent accidental information disclosure or loss both in the US and in Europe. You can learn more about Safe Harbor here.

Do you have SSAE 16 Audited Tier One Data Centers?

Perhaps you’ve heard about SAS 70 compliance in the past, and maybe you still have it listed on your RFPs for service providers. Well, standards have a finite lifespan, and SAS 70 was retired several years ago and replaced by SSAE 16. A tier-one SSAE 16 data center will include security measures such as biometric scanning for access, video surveillance, buildings engineered for disasters and fully redundant systems. In short, you should be able to rest easy knowing your data is safe and always available. You should ensure that your vendor’s data center can provide a SOC 1 report against SSAE 16. You should also ensure that any service provider can provide a SOC 2 report against the Security, Availability, Confidentiality and Privacy controls if they are not Safe Harbor and ISO 27001 compliant. ISO 27001 compliance will ensure compliance with the SSAE 16 SOC 2 requirements for Security, Availability and Confidentiality, and Safe Harbor compliance ensures compliance with the SSAE 16 SOC 2 privacy controls. You can learn more about SSAE 16 here.

Software-as-a-Service (SaaS) has revolutionized how businesses consume and roll out software. By eliminating the internal technology stack, deployments can happen much more quickly. But at the same time, hosting your data outside your firewall introduces new risk. Reputable SaaS vendors take the precautions to ensure they follow the right processes and best practices and obtain the right certifications. But ultimately it is the buyer who’s on the hook if something goes wrong. If you are interested in learning more about Lattice’s approach to security, you can read more here.

Image Credit(s): marsmet549

May 5, 2014