Security in SaaS: What Every Agency Should Know When Choosing a Public Records Request Platform


Government agencies are increasingly moving towards software-as-a-service (SaaS) records requests solutions for the convenience they provide both organizations and requesters.

Naturally, agencies want a solution that’s feature-rich and user-friendly. But don’t forget that this software will process documents containing sensitive information about your organization and individuals. It’s essential to investigate security features thoroughly.

In this blog, we’ll cover three areas of security that agencies need to consider when evaluating potential SaaS options.

1. Know Your Data and Governance Requirements

The first step to determining your SaaS security requirements is to analyze the types of confidential data stored in the application. When it comes to public records requests, this includes information about your:

  • Organization (such as vendors’ proprietary information)
  • Employees (such as compensation plans and HR files)
  • Private individuals (such as Social Security numbers)

Ensure that you understand the governance requirements around each type of data. You’ll most likely be handling data that is subject to:

  • Criminal Justice Information Services (CJIS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Other federal and state requirements

2. Know Your Vendor

Now that you know your data governance requirements, you can ask SaaS vendors the right questions about their security measures. Good questions include:

How do you address HIPAA and CJIS requirements?

It’s important to note that there is no government certification program that qualifies a SaaS product as HIPAA compliant; a vendor can only attest that its controls (and the business associate agreement it signs with you) satisfy the HIPAA Security Rule. The Federal Risk and Authorization Management Program (FedRAMP) is a standardized set of control baselines (Low, Moderate and High) used to assess the security of cloud offerings, and those baselines closely align with the safeguards HIPAA requires. FedRAMP authorization (it is an authorization, not a certification) is required for cloud services used by federal agencies and is a strong indicator that a vendor’s controls have been independently assessed, but it does not by itself make your use of the product compliant. Other steps remain on your side, including CJIS Security Awareness training for users who will access CJIS-related records and correctly configuring access and user security controls within the SaaS application.

Some states have recently adopted similar requirements for SaaS products, such as Texas’s TX-RAMP program. Keep up with relevant legislation in your state to determine your exact requirements.

JustFOIA is hosted on the Microsoft Azure Government Cloud and authorized at FedRAMP High, TX-RAMP certified as a Level 2 Cloud product, and has earned the CJIS Ready Seal.

Can we view your SOC-2 audit?

SOC 2 is an attestation report, issued by an independent CPA firm under AICPA standards, on a service organization’s controls measured against the Trust Services Criteria: security (always in scope) plus, optionally, availability, confidentiality, processing integrity and privacy. Ask for a Type II report, which tests whether the controls operated effectively over a period (typically six to twelve months) rather than at a single point in time, and read the exceptions and the “complementary user entity controls” section: those are the controls the auditor assumes you, the customer, have in place.

JustFOIA Security:

  • Azure Web Application Firewall
    Automatic updates to protect against new vulnerabilities, with no configuration needed.
  • Layer 7 Load Balancing
    Advanced controls to manage web traffic and increased availability and performance.
  • Network Security Groups
    Traffic filtering that permits only traffic explicitly defined as allowed and denies everything else.
  • Performance Monitoring
    Our monitoring and alerting systems notify us around the clock of any issue with availability or performance.
  • Update Management
    We frequently deploy critical and security updates and other update classifications.
  • Backup & Recovery
    Independent and isolated backups to guard against accidental destruction of original data.


3. Know Your Role in Data Security

Secure software alone isn’t enough to ensure data safety. Your vendor’s controls need to be compliant, but so does the way your staff handle data within the system. You can, however, choose a SaaS product with features that make compliance easier.

Records retention

Within the realm of public records requests, one key factor that rests with your organization is record retention. Ensure you know your state’s laws for how long you should hold on to data about various requests.

The answer to retention isn’t just “keep everything forever.” Keeping data longer than required increases storage costs, widens the impact of any breach, and prolongs your exposure to litigation and discovery requests.

JustFOIA provides two ways to keep up with retention:

  • Manual Retention Schedules ensure you have complete control over your data. Administrators can pull up the admin menu, select manual retention, select your date range, and then bulk delete. A warning message pops up to let you know that this will permanently erase your data.
  • Automatic Retention Schedules allow you to set parameters within the system to purge request data automatically. Schedules are selected based on the type of form used to generate the request. In other words, if permit requests have different retention than police record requests, you’ll need a different schedule for each.

You can view disposition reports to see what information was deleted from the system and requests excluded from the retention schedule.
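As an added illustration of the retention logic described above (example code written for this article, not JustFOIA’s own implementation), the script below applies a separate schedule per form type, keeps open requests and requests on legal hold, refuses to purge any form type that has no schedule, and produces a disposition report listing what was deleted and what was excluded and why. The form types, retention periods and sample requests are constructed for the example; real periods come from your state’s retention schedule.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical retention periods per request form type, in days. Real values
# come from your state's records retention schedule, not from this example.
RETENTION_DAYS: Dict[str, int] = {
    "permit": 2 * 365,
    "police_record": 5 * 365,
}


@dataclass
class Request:
    request_id: str
    form_type: str
    closed_on: Optional[date]   # None means the request is still open
    legal_hold: bool = False    # True excludes the request from automatic purge


@dataclass
class DispositionReport:
    run_date: date
    deleted: List[Tuple[str, date]] = field(default_factory=list)   # (id, date it became eligible)
    excluded: List[Tuple[str, str]] = field(default_factory=list)   # (id, reason it was kept)


def purge_eligible_on(req: Request) -> Optional[date]:
    """Date on which the request becomes eligible for purge, or None if it cannot be computed."""
    if req.closed_on is None or req.form_type not in RETENTION_DAYS:
        return None
    return req.closed_on + timedelta(days=RETENTION_DAYS[req.form_type])


def run_retention(requests: List[Request], today: date) -> Tuple[List[Request], DispositionReport]:
    """Apply the schedules and return (surviving requests, disposition report).

    Fails closed: anything open, on legal hold or without a schedule is kept and
    listed in the report with a reason, so an unmapped form type never silently
    loses data.
    """
    report = DispositionReport(run_date=today)
    kept: List[Request] = []
    for req in requests:
        if req.legal_hold:
            report.excluded.append((req.request_id, "legal hold"))
            kept.append(req)
            continue
        if req.closed_on is None:
            report.excluded.append((req.request_id, "request still open"))
            kept.append(req)
            continue
        due = purge_eligible_on(req)
        if due is None:
            report.excluded.append((req.request_id, f"no retention schedule for form type {req.form_type!r}"))
            kept.append(req)
            continue
        if due <= today:
            report.deleted.append((req.request_id, due))   # would be permanently erased here
        else:
            kept.append(req)                                # retained until its due date
    return kept, report


# Constructed sample data for the example run (not real agency records).
SAMPLE = [
    Request("R-1", "permit", date(2021, 3, 1)),                    # 2-year schedule, past due
    Request("R-2", "police_record", date(2021, 3, 1)),             # 5-year schedule, not yet due
    Request("R-3", "permit", date(2020, 1, 1), legal_hold=True),   # past due but held
    Request("R-4", "permit", None),                                # still open
    Request("R-5", "body_cam", date(2015, 1, 1)),                  # no schedule defined
]

if __name__ == "__main__":
    kept, report = run_retention(SAMPLE, date(2024, 6, 1))
    print("deleted:", report.deleted)
    print("excluded:", report.excluded)
    print("kept:", [r.request_id for r in kept])
```

Run against the sample on 2024-06-01, only R-1 is purged; R-2 survives until its five-year date, and R-3, R-4 and R-5 appear in the report with the reason they were excluded. The deliberate choice to treat a missing schedule as “keep and report” rather than “delete” is the one practitioners most often get wrong when adding a new form type.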

Single-Sign On

End users like single sign-on (SSO) because it is one less login and password to remember. It also improves security. Consider an employee who leaves your organization on bad terms: without SSO, IT has to remove that person’s account from every platform individually, leaving a window in which they could still access or sabotage data. With SSO, disabling the one account at the identity provider cuts off access to every connected application at once. Two caveats apply: sessions already open in an application may persist until their token expires, so check how quickly the product honours a disabled identity-provider account, and enforce multi-factor authentication at the identity provider, since every connected application now depends on that single login.

JustFOIA allows for SSO. Contact your client success specialist for information about enabling this feature.

SaaS Security FAQs

SaaS security differs from traditional on-premises security measures in several ways, including the responsibility for security controls. With SaaS, the provider typically handles infrastructure security, while customers are responsible for securing access, user permissions, and data within the application. Additionally, SaaS often requires trust in the provider's security practices, whereas on-premises solutions offer more direct control over security measures.

Users play a crucial role in maintaining the security of a SaaS application by following best practices such as using strong, unique passwords, enabling multi-factor authentication (MFA), keeping software and devices up to date with security patches, and being cautious about phishing attempts and suspicious links.

Mitigating insider threats in a SaaS environment involves implementing measures such as role-based access controls (RBAC), regular monitoring of user activities and access logs, conducting security awareness training for employees, implementing data loss prevention (DLP) controls, and having clear policies and procedures for handling sensitive data.

Are you looking for an innovative and comprehensive solution for Public Records Requests?
Our team is happy to answer any questions or demonstrate how our software can help streamline and simplify your PRR process while keeping sensitive information safe.