It seems there is a fresh news story about a high-profile hacking or customer data breach every week. No organization wants to be the subject of the next reputation-ruining headline, but many business leaders still skip over the topic of security when it comes to interviewing, hiring, and onboarding a new outsourced QA partner. The focus instead often tends to be on cost and speed, all the while assuming that security is covered.
However, when searching for the right QA testing company, you need to define which requirements are non-negotiable. Strong cybersecurity standards and protocols should be high on your list.
As you start taking discovery calls with potential providers, be sure to ask these eight questions. Your provider’s answers will help you determine whether they’re the right one for your organization.
1. How do you secure the perimeter?
Start with the basics. This question should give you a clear perspective on the provider's security mechanisms for protecting the product at every level. Remember: for attackers, every vulnerability in your product is an opportunity. It is your job, and by extension your QA provider's job, to ensure that the expected controls (web application firewalls, intrusion detection and prevention systems, etc.) are in place.
2. Have you achieved any data protection standards?
Your QA provider should wear these certifications like badges of honor. They are objective, measurable proof that the provider's security standards are on par with industry levels and that an authoritative body recognizes this. Some of the most common include ISO 27001, SSAE 16, Safe Harbor, and SOC 2. You should know which of these apply to your industry and ensure that your potential provider has them.
A certified provider can also help you win new business, and serve as a resource for educating new staff on data protection best practices.
3. How do you safeguard your customer data?
Is your provider giving you detailed feedback about data encryption and transmission? Great! Now look for that same level of detail in their explanation of how they segment and store customer data. This data should live somewhere separate from the provider's web server, ideally on a separate database server located behind a firewall. Though this makes for a more complicated setup, the security benefits are well worth the effort.
4. How do you monitor internal and external traffic to and from your network?
Even the best attempts at attack deflection can fail if the attacker is determined enough. As a backup security measure, your potential QA testing company should have a strong system in place for detecting malicious traffic on the network. They should be able to identify suspect activity, effectively connect the alerts to actual human activity, and take swift action against those events.
5. What is your incident response mechanism?
Suffering a data breach hurts. But it’s especially painful when you have no plan of action afterward. Your QA provider should have a comprehensive response plan that outlines key actions (and who is responsible for taking them) after an attack. A well-written plan will shorten the time it takes from initial breach to first response, and set in motion a coordinated response effort by the team.
6. Have you established an organization-wide awareness campaign to educate all employees on cybersecurity?
Just like your physical and logical security safeguards, the humans who staff your QA provider's teams (and those on your own team) can be hacked: tricked, deceived, or manipulated into taking an action that gives attackers access to the network. These "client-side" attacks include spear phishing, browser-based attacks, and other forms of social engineering.
Against these attacks, human decision-making is the most effective line of defense. Your QA provider should be training their engineers on how to identify, respond to, document, and report client-side attacks.
7. How do you assess employees’ security understanding?
This question gets to the core of how seriously your potential provider takes cybersecurity. If they give a detailed answer that involves a best-of-breed security awareness program and regular review or testing, you're working with the right partner. If their answer is in any way unclear, you may want to continue the search for your future provider. Remember: human error accounts for nearly all major security breaches.
8. What best practices do you follow for cybersecurity?
Your QA provider should take a layered approach to security. When you ask this question, listen for most of the following:
- Formal information security governance
- Data backup policy
- Insider threat detection and management
- Vendor, contractor, and employee monitoring to prevent data loss
- Security education and training
- Regularly updated software and systems
- Thorough incident response playbook
- Maintained compliance certification