Part 2: Availability is non-negotiable
In this second in a series of blogs on best practices for fintechs for managing IT security risks, I would like to drill down on the concept of availability, specifically making sure information and systems are available for operation and use to meet your company’s objectives.
Availability differs from questions of security and privacy because it usually depends on the providers to whom your company outsources. It is critical to make sure you can get the support you need to stay up and running as an organization, no matter what.
If you are relying on partners for business-critical operations, definitely secure an SLA, a service-level agreement, upfront. It will save your company money over the long term, considering the cost of a service disruption or security breach.
A “robust” SLA will include a definition of roles, a definition of stakeholders, a detailed description of service deliverables, Key Performance Indicators (KPIs) and change-management procedures.
Outsourcing partners should also be able to provide a fintech with compliance reports, but in my opinion, fintechs still need their own because they control the software. Any breaches resulting from poor access controls or an ill-fated change-management approach would fall back on the fintech.
Within Third Party Assurance, there are a number of reports companies can use to effectively determine the risks involved in a relationship. Service Auditor’s Reports, also known as System and Organization Controls (SOC) Reports, are designed to provide information and assurance on controls within a third-party provider and service organizations, such as fintechs, software as a service (SaaS) providers, data centers, and application service providers.
Disaster recovery plans
Another recommendation for fintechs is to have a business continuity plan and a disaster recovery plan – for your own peace of mind and that of the clients you are trying to attract. The recent hurricanes and fires in North America remind us that extreme weather is just that – extreme. And it is highly unpredictable.
Since black swan events are bound to happen, I tell my clients that they must have a Plan B, but actually Plan B is not enough. They also need a proper hot-site test – one in which you “practice panicking.”
I have a client that has its own data center to support its banking clients. This company has an entire redundancy site – a full dual site. The company has tested the system to ensure that it fails over and remains available if one of the two sites goes down.
This is a far cry from what many companies do in order to say they have their IT security risks under control: print out a checklist, ask around a bit, get someone to tick a box, and then call it done.
That simply cannot be it.