How To Answer Every Workplace Software Security Question With Confidence
Enterprise security has always been a high priority, but the pandemic revealed just how vulnerable many organizations are to data breaches. And considering the fact that nearly 60% of organizations have experienced a breach from a third-party provider, your IT team will be vetting every tech solution more carefully — including your workplace software vendor.
If the provider you’re considering doesn’t check all the boxes, your company won’t move forward with the purchase, setting your implementation timeline back several months.
By better understanding what your IT team needs to know as you research workplace software vendors, you’ll be in a better position to separate the leading contenders from those that won’t make the cut.
As a workplace software company that supports global enterprises with the most stringent requirements, we’ve worked hard to maintain best-in-class security measures for our integrated workplace management system (IWMS).
Here are 25 questions your IT department will likely ask and how a good vendor should answer them.
25 IT questions for your workplace software vendor
1. Do you have a documented process for performing system, application, and data backups?
You need to be sure your workplace software vendor backs up your data regularly and securely so you can recover it if needed. iOFFICE performs 35 days of daily and point-in-time incremental backups. These are securely transferred and stored using the same level of encryption as the primary database. This allows for point-in-time recovery, with updates as often as every five minutes.
2. How do you verify your backup process is working properly?
Your vendor should routinely test their backup and recovery process. iOFFICE tests our entire process, including restoring entire systems from backup.
3. How do you protect backup data?
Your software vendor should have a process in place to protect backups from unauthorized access and render the information unreadable at the end of its useful life. iOFFICE securely transfers and stores backup data in the geo-redundant, paired Azure data center. This means it is distributed across multiple areas so if one server fails, your company won’t experience downtime.
4. Do you store backups offsite? If so, where?
The key here is to make sure you understand any third-party providers who may be involved in storing data and what protections they have in place. For instance, do they prohibit removable media at those locations?
5. How many outages or failures have you experienced in the past 12 months?
Any workplace software vendor should be able to demonstrate a proven track record of reliability. They should be transparent about any outages or failures and share the fastest and slowest times to recovery in each instance so you are aware of the worst-case scenario.
6. How is your environment architected with respect to fault tolerance and high availability?
This is another enterprise security question that comes down to reliability. Fault tolerance involves having a system in place to detect a hardware issue and switch over to another component to avoid downtime. High availability uses both software and hardware to restore a system that is down. iOFFICE has redundant systems to allow for high availability and has had nearly 100% uptime in the past six months.
7. Describe your data retention policy.
The National Institute of Standards and Technology establishes recommendations for data retention, so your workplace software vendor should be familiar with it. We destroy backup data after 35 days according to NIST.
8. Describe your disaster recovery program. How often is it tested?
If a natural disaster affects one of your data storage sites, you want to make sure you’ll be able to retrieve that data and transfer it to a backup facility if necessary. For iOFFICE, the expected recovery time is 72 hours. The recovery point objective, or the maximum window of data (measured in time) that can be lost in an incident, is 24 hours. We test our recovery program annually.
9. Does your company have a dedicated security team?
Enterprise security requires constant vigilance, so your IT team will want to know more about the team that works for your workplace software vendor. Is it just one person, or do they have a larger group? What are their roles and responsibilities? Their experience? iOFFICE has an experienced team of 10 security professionals.
10. Do you have a comprehensive security policy?
A detailed security policy should cover all essential areas, including:
- Information classification
- Data privacy
- Data handling (including use, storage, and destruction)
- Email use and retention
- Security configuration for network, operating systems, applications, and desktops
- Change control
- Network and user system access
- Security incident management
- Physical access
- External communication
- Asset management
Your IT team may want to know more about specific areas, so keep this in mind as you talk with your prospective workplace technology provider. Don’t hesitate to ask for documentation.
11. How do you audit your security controls?
Any reputable workplace software vendor should follow established standards for storing and protecting data. iOFFICE maintains ISO 27001 certifications for data storage locations and can provide an attestation of controls for processing locations. We have undergone multiple customer audits in the past 12 months.
12. Are your systems subjected to penetration testing? When was the last test, and what were the results?
Penetration testing is an important way to identify enterprise security vulnerabilities that could result in a data breach. iOFFICE performs penetration testing annually, and we have never experienced a data breach.
13. Are your policies communicated in a way that requires employees to certify their understanding and compliance at least annually?
Globally, companies experienced a 20% increase in security breaches due to employees working remotely during the COVID-19 pandemic, according to a report by Malwarebytes. About a fourth of those companies had to pay unexpected costs to address those breaches.
That’s why it’s critical for employees to understand what is expected of them when it comes to enterprise security policies, whether they are working in the office or remotely.
The workplace software provider should have established policies for employees and communicate those policies to them clearly. Those policies should also apply to any freelance employees, consultants, or contract workers.
All iOFFICE employees receive quarterly security awareness reminders, phishing awareness emails, and annual acknowledgments of our security policies.
14. Does your company conduct background checks on all employees and contractors?
All employees should undergo criminal background checks, especially those with access to sensitive information. That includes janitorial staff and other third-party contractors.
15. Do you have a formal procedure for reporting a suspected security violation?
Every organization should have a way for employees or others to report suspected security incidents. That includes any ransomware or denial-of-service attacks; unauthorized access to systems, software, or data; and any equipment that is lost or stolen.
16. Does your organization scan and test for vulnerabilities in your service or application?
Before agreeing to work with any software company, your IT department will want to know more about their processes for identifying security vulnerabilities. iOFFICE performs daily server upkeep. Our firewalls are configured with deny-by-default rules and all unused ports are closed. Our network is segmented into network security groups for further isolation and security. Additionally, we scan our web application daily against OWASP vulnerabilities and address any findings as we discover them.
17. How do you review your software code for security vulnerabilities?
Just as your workplace software vendor tests their network, they should also test their code to ensure it follows OWASP guidelines and to identify any vulnerabilities. iOFFICE performs robust quality assurance throughout the software development lifecycle. That includes tracking all changes using a ticketing system and testing the performance and functionality of all software internally and with a third-party testing provider.
18. How do you secure access to your data facilities where you store customer data?
Look for a workplace software vendor that follows industry standards (such as ISO 27001) and includes physical security controls. That includes using employee badges to manage access control, surveillance cameras, security guards, and other safeguards. iOFFICE’s physical controls are consistent with Tier 4 data center requirements and reviewed in annual SOC2 compliance reports.
19. Do you support SAML 2.0 for user authentication?
SAML 2.0 (Security Assertion Markup Language) is an industry standard for single sign-on (SSO) authentication. iOFFICE supports it, and so should any workplace software vendor you choose. They should be able to provide documentation that explains the process for enabling SAML within your application.
20. How often do you perform software updates, and how do these impact availability?
Some workplace software vendors perform updates that result in extensive downtime, which is frustrating for everyone. The iOFFICE team makes updates frequently and automatically, with little to no disruption to users.
21. How often do you perform scheduled maintenance?
Scheduled maintenance is sometimes necessary, but it should not cause an inconvenience to users. Most system maintenance iOFFICE performs does not result in any downtime. If it does, it is typically no more than two hours during non-peak times, and we announce it two weeks in advance.
22. Can you verify that all API unit calls are authenticated and encrypted?
All API calls should be authenticated and encrypted in transit using 128-bit or stronger encryption.
23. What happens to our data if we discontinue this service?
Your software provider should make it easy for you to transfer your data even if you’re moving to a new solution. iOFFICE customers can transfer data using our open REST API or a flat file integration. At the end of a contract, we comply with requests to delete data within 10 days and remove it completely from backups within 35 days. We also delete the customer database and remove any remaining information from backups.
24. What types of workplace software integrations do you have available?
Before investing in a new solution, you want to make sure it integrates well with your existing technology. Be prepared to discuss the systems you currently use and ask your software provider how they will integrate with them.
iOFFICE integrates with any third-party applications using REST API and secure SFTP file transfer. For a detailed guide on all our integrations and how to set them up, IT leaders can refer to this resource.
25. Can you provide your most recent Service Organization Control (SOC) 1 report related to financial reporting controls and SOC 2 report related to operational controls?
Both SOC1 and SOC2 compliance demonstrate a company’s commitment to standardization and enterprise security in different ways. iOFFICE has completed a SOC2 report for our data centers and is working to complete one for our applications.
Ease security concerns and implement workplace software faster
Gaining approval from your IT department might seem like a frustrating final hurdle, but they’re just doing their job to protect your organization from data breaches. By taking the time to understand their concerns and proactively addressing them, you’ll be on your way to a faster workplace software implementation.
It may feel intimidating, but our team is here to help you through it. If you’re ready to bring your IT department into the conversation, schedule a consultation with us.