A rigorous enterprise software evaluation should always start with your IT department's security and data privacy requirements. Before investing time in demos and feature comparisons, organizations need to confirm that any cloud-based solution meets the technical due diligence standards of their own IT team. Here are 16 critical questions your IT department should address when evaluating enterprise-level inspection and compliance software.
Summary: Before evaluating enterprise-level inspection or compliance software, organizations should ensure the solution meets their IT department's security, data privacy, and hosting requirements. This article outlines 16 critical questions covering topics like vulnerability assessments, data jurisdiction, GDPR compliance, disaster recovery, and service level agreements. Addressing these factors first prevents wasted effort on solutions that would fail IT due diligence.
________________________________
All enterprise-wide software projects are led, managed or at the very least approved (or denied) by your company’s IT department. So, don’t waste time evaluating a solution the IT department would never approve. First make sure the solution will meet the data access, privacy, and security needs of your business and your business’s IT gatekeepers and guardians!
If your company is considering deploying cloud-based software – SaaS or otherwise – there are a number of items that should be considered by your IT team as the first step to evaluation.

Enterprise Level Inspection Software and the top 16 factors you’ll want your IT department to consider:
- Will the software vendor be able to meet the technical due diligence requirements of your own IT department? Each IT department’s requirements will differ, but departmental standards should always be upheld.
- Does your company have an IT security risk assessment questionnaire, and will the solution meet those requirements (e.g. vulnerability, recoverability, data protection, virus & malware protection, intrusion detection, etc.)?
- Different industries have different regulations. Do the provider's hosting and data security practices meet the data security requirements of your own business and IT department?
- Does the solution provider conduct (and can they provide evidence of) regular vulnerability and penetration assessments on their own software and server environments (i.e. both web interface and network infrastructure)?
- Is the service protected against distributed denial-of-service (DDoS) attacks? Make sure you’re protecting your business from downtime and potential lost revenue.
- Does the hosting environment have redundant firewalls to protect against malware and intrusion?
- Do their backups (and schedules), redundancy and disaster recovery practices meet the standards required by your own business’s IT department?
- Do you know where (and in what legal jurisdiction) your data is stored and does that meet the data storage requirements of your business? In some industries – for example, governmental organizations – this is extremely important.
- Is the solution hosted by a third party and if so, are they reputable and do they meet the needs of your IT department and business?
- Do you know who has access to your data? Is it only the service provider or is it also employees and third parties?
- Are service provider employees that have access to your data vetted and are they bound by a Code of Ethics and non-disclosure agreements?
- Is your company’s data stored completely separately from that of other clients’ data and if not, what protections are in place to ensure data privacy?
- Is the solution (and provider) compliant with the latest international data privacy regulations such as the EU’s General Data Protection Regulation (GDPR) or Canada’s PIPEDA? This is important to ask if you want to avoid huge fines and remain compliant.
- Will the service level (uptime) meet the needs of your business and does the provider have a software service level agreement (SLA) for review by your legal team?
- Has the database been designed for scalability? Make sure your software can grow with your business.
- Does the provider have – and can they readily provide copies of – their own data security policies and procedures, including:
  - Antivirus Policy
  - Code of Ethics
  - Cross Border Personal Data Transfer Procedure
  - Data Protection Policy
  - Data Protection and Audit Policy
  - Data Subject Access Request Procedure
  - Employee Code of Conduct
  - IT Disaster Recovery and Service Continuity Plan
  - Security Incident Response Procedures
  - Media Sanitization & Destruction Policy
Only after these questions have been addressed can your organization move on to the next step of enterprise software deployment: evaluating your data collection requirements.
In the next article of our series on Evaluating Enterprise Software, we’ll look at just that.
P.S. If you want access to the full whitepaper today, you can download it here.
Starting your enterprise software evaluation with IT security due diligence ensures that any solution you consider meets your organization's data protection, hosting, and compliance requirements from day one.
A thorough enterprise software evaluation also examines the vendor's disaster recovery practices, service level agreements, and data jurisdiction — all factors that directly affect business continuity.
Frequently Asked Questions (FAQs)
What should IT evaluate first in enterprise software?
IT departments should first assess whether the software vendor can meet their technical due diligence requirements, including security risk assessments, data protection policies, and hosting environment standards. This prevents wasted effort on solutions that would be rejected on security grounds.
Why is data jurisdiction important when evaluating SaaS software?
Data jurisdiction determines the legal framework governing your stored data. Some industries and government organizations require data to be stored in specific countries or regions to comply with regulations like GDPR, PIPEDA, or industry-specific mandates.
What security certifications should enterprise software vendors have?
Look for vendors that conduct regular vulnerability and penetration testing, have DDoS protection, use redundant firewalls, and comply with international data privacy regulations. They should also be able to provide copies of their data security policies, disaster recovery plans, and employee codes of conduct.
How does enterprise software evaluation differ for cloud-based solutions?
Cloud-based solutions require additional scrutiny around hosting providers, data residency, multi-tenancy data separation, and service level agreements (SLAs). Unlike on-premise software, the vendor controls the infrastructure, so IT must verify that their security practices meet organizational standards.