Today, it seems like we don't go a week without hearing about a high-profile hack or breach of customer data. As customers, we spread our information across a huge variety of applications, and we trust that no ill will come of it. The truth is, however, that we’re more vulnerable than ever, and the risk of a hack is made clearer to us everyday. We rationalize the situation, thinking, “Well, they must have people safeguarding my information, right?”
Right — for the most part.
Product companies go to great lengths to secure consumer data. As many companies store sensitive user data in production, this is mainly where the security measures are focused. But many of them overlook the importance of protecting data in non-production areas. These include test, development, and quality assurance environments — areas where production data is commonly exported. (Click to tweet!) A user with privileged access, or a hacker, can enter these environments and quickly wreak havoc.
When you start software testing outsourcing with a new QA partner, you introduce risk. Because this external partner will have access to all of your environments, you need to ensure that they’re trustworthy, backed by plenty of experience and a strong track record, and able to demonstrate their full suite of security measures.
Here are five steps that any qualified QA partner will take to keep your application and data safe.
1. Enact strict physical and logical protection
Your partner should actively work to minimize risk wherever possible. From paper record storage to even the simplest digital transmission, your partner needs to have an industry-standard solution for everything. Common best practices include:
- Store all confidential documents in lockable filing cabinets, stored in rooms only accessible by approved team members on a need-to-know basis.
- Protect all electronic records with firewalls, encryption, and strong passwords.
- Train employees to lock their computers whenever they leave their workstations, refrain from discussing sensitive information in common areas, and avoid email for transferring anything that could be considered confidential.
- Acquire highly sensitive user information (social security number, bank account number, driver’s license number) only if necessary for the business transaction.
- Wipe all data clean from any hard drive before destroying or recycling it.
2. Identify data categories and prioritize accordingly
A great QA partner recognizes that not all user data is equal, and that highly sensitive information such as bank account numbers, social security numbers, credit card details, and personal identification numbers need to be locked down vigilantly. All of these areas are considered finite and structured, as there are only a few systems which can modify or update them. Learn the essentials of financial domain testing here.
After these areas are secured, unstructured information such as contracts, financial releases, and customer correspondence can be handled.
3. Learn the business, industry, and competition
When you’re shopping around for a QA provider, a strong track record, high client retention rate, and years of experience are all good indicators of their quality. But your provider must also be willing to go out on a limb and invest the time and energy required to learn your product, business, and market.
They should be ready to learn and document how confidential user information flows throughout the organization -- from marketing and sales through to product and support. Additionally, they should familiarize themselves with best practices used within the market and competitors’ approach.
4. Adhere to all industry regulations
Building an application for the healthcare or financial industry? You should ensure that your partner performs the following best practices for these domains, including:
- Meet industry compliance standards such as the Gramm-Leach-Billey Act (GLBA) and PCI.
- Properly encrypt data at rest and in-transit, with a full-scale backup at hand.
- Implement the 3-2-1 Rule -- make three copies of the data on two different types of media, with one of them stored offsite.
- Give a data controller the power to control data, allowing access only on a proven need-to-know basis.
- Equip all employees with a unique identifier — such as a password, passphrase, smart card, or other token — that they, and only they, can use to access sensitive data.
5. Implement data safeguards at all access points
The goal is to keep your data safe, no matter where within your system it is being stored. Enacting the following safeguards will help reduce your vulnerability at every access point.
- Restrict downloads and external data transfer. Use a secure file sharing platform such as Virtual StrongBox to share data instead of flash drives, Bluetooth connections, or other consumer-oriented cloud sharing services.
- Protect devices, and train employees to keep them safe. Install and regularly update strong antivirus software, internet firewalls, and security suites. Limit the number of employees who have access to certain areas where data is stored.
- Enforce a strong password policy and restrict auto-logins. Your QA partner should train their engineers to create strong passwords and reset them regularly — no duplicates allowed! Auto-login functionality on websites should also be disabled, with limited exceptions.
Stakes are high for product companies working in the financial and healthcare sectors. One small slip-up can result in compromised data, unhappy customers, a PR nightmare, and a huge blow to your reputation. For all of these reasons, it pays to work with a QA partner who has plenty of experience in your specific industry and a robust security infrastructure.
Looking for an affordable approach to security testing?
Request a free, personal quote below!