Data security is a hot topic when considering software for various use cases within your business. Software providers often promote that information is hosted by a data centre that maintains ISO certification. That's all very well, but what about the design, development, implementation, support and maintenance of the software? Effective risk management of data storage addresses only 50% of the risk, and potentially much less, given all the activity that occurs through the day-to-day use of the software.
I heard a great analogy the other day. Imagine you're in the market for a new family car. The car must have a proven track record in safety, something that has been externally validated with a 5-star ANCAP safety rating. Now imagine jumping behind the wheel without a driver's licence, with zero experience and no risk management in place to control and navigate the car. Does that add up to a safe experience? Despite the car being safe, the operator must also be qualified to pilot the vehicle. In this example, the car is the data centre and the driver is the software provider. It becomes very obvious that both aspects are important.
ISO 27001:2013 is the internationally recognised standard for data security. The intent of the standard is to control risk with regard to the availability, confidentiality and integrity of data. These considerations must be built into software applications and not just applied to the storage of data.
In the context of HSEQ software this is serious business. Given the integrated nature of HSEQ software in critical business processes, you need confidence that your information will be available when you need it the most. In recent times, with the work-from-home movement, the software industry as a whole has undergone a significant stress test, with users gaining access through new devices and uncontrolled networks. Only the strong will survive and withstand potential cyber threats. You also need assurance that the latest software update won't crash the system and see your operations grind to a halt.
Let's also consider the confidential nature of information entered into HSEQ software, particularly around human resources, the capture of incidents and return-to-work data. Users must be scoped in advance so that only those with the appropriate levels of permission are able to view such records and information. Whether a breach of privacy is the result of internal negligence or an external threat, the end result is the same: a compulsory notification must be made to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breach Scheme. This is one call no business ever wants to make, and it can have a devastating effect on brand and reputation. Recent statistics indicate 32% of reported breaches are from human error. The ability to scope users and permissions mitigates this risk.
Similarly, what if everyone could create a new document or form, or update a process? It would be a return to chaos, where everyone had a unique version of the document saved on their desktop. Data integrity is one of the primary reasons businesses implement HSEQ software. Only those with approved administrative access should be able to update system documentation and workflows. Maintaining the integrity of your data supports a consistent approach and organisational compliance.
HSEQ software providers must have strict processes in place to ensure your internal permissions are set up and maintained correctly. Many of these considerations come down to the implementation phase of your journey. It's also important to know who is responsible for the implementation of your instance of the software. If the software company happens to be ISO 27001:2013 certified, is the implementation carried out by an internal team that falls under the scope of the programme? Or is the implementation delivered by an external partner of the software company with little to no security credentials?
To learn more about how Lucidity manages information and data security please see the following link.