Everyone in your organization has a role to play in keeping sensitive data safe and secure. You train your staff on the basics like not giving out information to unknown people over the phone, to destroy anything with a Social Security number on it, to guard against any personally identifiable information (PII) getting out of your control and into the hands of the wrong people.
When it comes to our software and computer systems, we have to often rely on technical experts who may not know what are best practices for controlling access to data on an ongoing and ever-changing basis. This makes the prospect of using a third party to
Most vendors do their very best to control access to your data, both in their data centers and through the software interface. However, not all vendors know what it takes to protect your data, and by extension, your clients. Vendors must do more than just have a secure datacenter with limited physical access to computers and network equipment. Here are some questions you should ask your vendor before you hand your data over to them.
- How do you track and audit employee access to data on internal server and databases?
- What is the level of encryption used to transmit and store data?
- How are backups stored? Where are backups stored? Are backups encrypted?
- How do you track and revoke employee encryption keys for backups and database servers?
- How often do you rotate keys and passwords?
It would be very difficult to know whether the answers they give you are accurate unless you do costly and time-consuming audits. We recommend you have a data expert with you for initial consultations or when considering software of this kind.
Roles & Permissions
Very often, in off-the-shelf packages, the security features are set at the time of the initial software design. If security isn’t the first concern of the original designers, adding more security later can be very costly and prone to errors. This increases the risk that a bug or feature update will leak information to the wrong person at the wrong time.
Even if security is a primary concern of the designer, roles and their assigned permissions are often structured and unchanging which may require you to give too much or too little access to your staff and volunteers. Any permission given that isn’t needed is a security risk. All too often, vendors ask you to choose the closest fit for your staff roles. As time goes on, administrators forget who has actual access to what. This can compromise program effectiveness and open your organization up to serious legal and ethical risk.
We built Seeladora to be secure and flexible from day one. You can create any role you want, assign and unassign permissions and even revoke entire roles – any time you need to. In addition, we give you further transactional control over case files by letting you define a closed list of people that can access certain cases regardless of their role or permissions. You can quickly see which users have what role and know exactly what is at risk and whether you need to make changes. Exiting staff or intermittent volunteers can be removed from their roles with one click. No more heartache, no more worry.
Automated Audit Trails
Don’t rely on people to report when they access a case file. Even the most conscientious staff member will forget that they looked at a file and fail to record it in the case notes or audit log. If you have to go to court to prove that your organization didn’t leak sensitive information, could you be confident that you’ve interviewed everyone who accessed the case file to determine who might have intentionally or unintentionally leaked data? Less drastically, if your client is upset and arguing over promises made by staff or volunteers, could you confidently identify who that person might have been so you could get clarification and resolve the client’s anxiety?
It’s not enough that you have automated audit trails. If nobody knows when someone accesses a file or makes a potential change to case files, the problem may languish for months or years and then only be found out when the damage has already been done. Seeladora automatically tracks every access and logs every change to a case file. Case managers and administrators get notifications on their dashboard of changes made to their cases so that any potential breach is immediately known and can be mitigated as soon as possible to reduce risk and increase confidence in the security of your case files.
Though the risk of your data is quite high, the options you have for controlling access and mitigating risk are plenty. Be sure to ask your vendor how they protect your client data, how flexible their security features are to make sure you only give access to those who need it and what they do to inform you of potential risks before the damage is done.
Be mindful of the value of your data. Think about who you want to give access to your data. Review your roles and their permissions often. Have an established security policy. Stick to it and make sure your vendor helps you reduce risk.