Security Issues Advisors Should Ask Web-Based Application Vendors About

Thursday, January 26, 2012 16:55

Tags: advisor technology | cloud | security

 

With a purportedly secure system serving advisors reportedly crashing in late December, and still unable to recover client data for the advisors it serves, the risk of web-based apps was recently brought into sharp focus for many advisors. So here are the questions advisors should ask web-based vendors to minimize exposure to the nightmare scenario of losing client data.
 
Redundancy. Are data continuously written to more than one hard drive or more than one server? A mirrored redundant array of independent disks (RAID) in a web server writes the same information to two or more drives, so if one drive fails another holds a current copy. Note that RAID guards only against drive failure: an accidental deletion or a corrupted write is mirrored just as faithfully, so RAID is not a substitute for backups. In addition, you would like all data uploaded to a Web application to be written to two servers at the same time, so that the loss of one server does not mean the loss of the data.
 
Multi-Site Redundancy. Are backups housed in one location or in several? Ideally, when data are posted to the Web, they will be written to servers in different locations, preferably in different parts of the country and on different power grids. Posting data to servers in different regions ensures that if a disaster hits one region and, for example, knocks out power across the mid-Atlantic states, a server elsewhere will be unaffected. Most vendors serving advisors do not offer multi-site redundancy, but it is a best practice and well worth asking about.
 
Third-Party Intrusion Detection & Prevention. Many vendors serving independent advisors are small companies. While they can take basic steps to protect their web servers from hackers, they are not security experts. Some vendors now engage third-party services that monitor Web servers 24/7. When abnormal activity is detected, these services automatically block it and notify the vendor. Ask whether the vendor uses such a service, and what happens after an alert: who responds, and how quickly.
 
Disaster Recovery Plan. Ask to see the company's disaster recovery plan. Is it detailed? Sensible? Has it been tested, and when? A plan that has never been exercised is only a guess about how a recovery would go.
 
Institutional Clients. Most broker/dealers and custodians now conduct security audits of vendors that handle sensitive client data. Ask which institutions have required the vendor to complete their security questionnaires and have integrated their systems with the vendor's. Ask whether the vendor has completed the BITS Standardized Information Gathering (SIG) questionnaire, or SIG Lite, its less comprehensive version.
 
Encryption. Find out exactly what is encrypted, and when. A couple of years ago, a tech writer wrote a story saying he was very impressed by the security of a Web app for sharing documents when in fact the information stored by the app was not encrypted; only its passwords were. (Passwords, for that matter, should be stored as salted one-way hashes rather than reversibly encrypted, so that a stolen database does not yield usable credentials.) Make sure the database is encrypted at rest, that data are encrypted in transit when downloaded as well as when uploaded, and ask who holds the encryption keys and how they are protected: a database encrypted with a key stored next to it offers little protection if the server itself is compromised.
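The failure described above, protecting the passwords while leaving the stored documents in the clear, can be made concrete. The following is an added example, not code from the original post or from any vendor it describes, written in Python with only the standard library. It stores a record two ways, once with only the password hashed and once with the document encrypted as well, and includes a simple check that looks for the client data in what is actually stored. The password hashing uses PBKDF2 with a high iteration count (in line with OWASP's guidance for PBKDF2-HMAC-SHA256); the HMAC-SHA256 counter-mode keystream used for the document is an illustrative stand-in for a real cipher such as AES-GCM, chosen only because the standard library ships no AES. All function names, the sample record and the key are constructed for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-level iteration count; adjust to policy
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Store passwords as salted PBKDF2 hashes (one-way), never reversibly encrypted.
    Returns salt || digest so the salt travels with the hash."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def _subkeys(master: bytes):
    """Derive separate encryption and MAC keys so the two uses never share a key."""
    enc = hmac.new(master, b"document-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"document-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative PRF standing in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_document(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_document(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob is rejected."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("document rejected: tampered with or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def store_passwords_only(password: str, document: bytes) -> dict:
    """What the tech writer's app did: the password is protected, the document is not."""
    return {"password": hash_password(password), "document": document}


def store_everything(password: str, document: bytes, master_key: bytes) -> dict:
    """What an advisor should expect: password hashed AND document encrypted at rest."""
    return {"password": hash_password(password), "document": encrypt_document(master_key, document)}


def leaks_plaintext(record: dict, document: bytes) -> bool:
    """The check to run on a stored record or database dump: is the client data visible verbatim?"""
    return document in record["document"]


if __name__ == "__main__":
    # Constructed sample data for the example; not real client information.
    key = os.urandom(32)
    doc = b"Client: Jane Doe, account 12345, balance 250000"
    bad, good = store_passwords_only("hunter2", doc), store_everything("hunter2", doc, key)
    print("passwords-only record leaks document:", leaks_plaintext(bad, doc))    # True
    print("fully encrypted record leaks document:", leaks_plaintext(good, doc))  # False
    print("decrypts back to original:", decrypt_document(key, good["document"]) == doc)
```

The check catches only the crude case the tech writer missed, data stored verbatim; it cannot tell sound encryption from weak or misconfigured encryption, which is why the question of who holds the keys still has to be asked. It also covers data at rest only; encryption in transit is a separate question, answered by whether every upload and download goes over TLS.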
 
This list is far from exhaustive, but it should help limit an advisor's risk.
 
