Government agencies are increasingly moving towards software-as-a-service (SaaS) records requests solutions for the convenience they provide both organizations and requesters.
Naturally, agencies want a solution that’s feature-rich and user-friendly. But don’t forget that this software will process documents containing sensitive information about your organization and individuals. It’s essential to investigate security features thoroughly.
In this blog, we’ll cover three areas of security that agencies need to consider when evaluating potential SaaS options.
1. Know Your Data and Governance Requirements
The first step to determining your SaaS security requirements is to analyze the types of confidential data stored in the application. When it comes to public records requests, this includes information about your:
- Organization (such as vendors’ proprietary information)
- Employees (such as compensation plans and HR files)
- Private individuals (such as social security numbers)
Ensure that you understand the governance requirements around each type of data. You’ll most likely be handling data that is subject to:
- Criminal Justice Information Services (CJIS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Other federal and state requirements
2. Know Your Vendor
Now that you know your data governance requirements, you can ask SaaS vendors the right questions regarding their security measures. Good questions include:
How do you address HIPAA and CJIS requirements?
It’s important to note that there is no certification program to qualify SaaS products as HIPAA compliant. However, the Federal Risk and Authorization Management Program (FedRAMP) requirements closely align with HIPAA standards. FedRAMP is a standardized set of security baselines used to evaluate a cloud offering. Certification is recommended for cloud service products used at the federal level and is a strong indicator that your data will be secure. Other steps should be taken as well, including CJIS Security Awareness training for users who will be accessing CJIS-related records and ensuring the right access and user security controls are configured within the SaaS application.
Some states have recently adopted similar requirements for SaaS products, such as Texas’s TX-RAMP program. Keep up with relevant legislation in your state to determine your exact requirements.
Can we view your SOC-2 audit?
The SOC-2 is a cloud-vendor-focused assessment of controls. Its framework includes security, confidentiality, availability, privacy, and processing integrity.
- Azure Web Application Firewall
Automatic updates to protect against new vulnerabilities, with no configuration needed.
- Layer 7 Load Balancing
Advanced controls to manage web traffic and increased availability and performance.
- Network Security Groups
Network traffic is filtered so that only traffic explicitly defined as allowed can reach the application; everything else is denied by default.
- Performance Monitoring
Our monitoring and alerting systems notify us of any issues with availability or performance – 100% of the time.
- Update Management
We frequently deploy critical and security updates and other update classifications.
- Backup & Recovery
Independent and isolated backups to guard against accidental destruction of original data.
3. Know Your Role in Data Security
Secure software isn’t enough to ensure data safety. Not only does your vendor need to be compliant, but the way you handle data within the system must also be compliant. However, you can choose a SaaS product with features that make compliance easier.
Within the realm of public records requests, one key factor that rests with your organization is record retention. Ensure you know your state’s laws for how long you should hold on to data about various requests.
The answer to retention isn’t just “keep everything forever.” Keeping data longer than needed could increase storage costs and even prolong your risk of litigation.
JustFOIA provides two ways to keep up with retention:
- Manual Retention Schedules ensure you have complete control over your data. Administrators open the admin menu, select manual retention, choose a date range, and then bulk delete. A warning message pops up to confirm that this will permanently erase the selected data.
- Automatic Retention Schedules allow you to set parameters within the system to purge request data automatically. Schedules are selected based on the type of form used to generate the request. In other words, if permit requests have different retention than police record requests, you’ll need a different schedule for each.
You can view disposition reports to see what information was deleted from the system and requests excluded from the retention schedule.
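The retention model described above (a schedule per form type, automatic purge once the period expires, exclusions for records that must be kept, and a disposition report listing what was removed) can be expressed in a few dozen lines. The following is an added illustration, not JustFOIA’s code; the form types, retention periods, record identifiers and the `legal_hold` flag are constructed assumptions. It defaults to a dry run, mirroring the confirmation step the manual schedule requires, so the report can be reviewed before anything is actually deleted.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention period per request form type, in days. Hypothetical values:
# the text only says different form types may need different schedules.
RETENTION_DAYS: Dict[str, int] = {
    "permit_request": 365,          # constructed example value
    "police_record_request": 730,   # constructed example value
}


@dataclass
class RequestRecord:
    request_id: str
    form_type: str
    closed_on: date
    legal_hold: bool = False   # assumed flag: held records are never purged


@dataclass
class DispositionReport:
    """What the retention run did, so administrators can audit it."""
    run_date: date
    purged: List[str] = field(default_factory=list)     # deleted (or would be, on dry run)
    excluded: List[str] = field(default_factory=list)   # legal hold or no schedule covers the form
    retained: List[str] = field(default_factory=list)   # schedule exists but has not expired yet


def purge_date(record: RequestRecord) -> Optional[date]:
    """Date on which a record becomes eligible for purge, or None if
    no retention schedule covers its form type."""
    days = RETENTION_DAYS.get(record.form_type)
    if days is None:
        return None
    return record.closed_on + timedelta(days=days)


def run_retention(records: List[RequestRecord], run_date: date,
                  dry_run: bool = True) -> Tuple[DispositionReport, List[RequestRecord]]:
    """Apply the schedules and return (report, records that remain).

    With dry_run=True nothing is removed; the report shows what a real
    run would delete, which is the review step before a bulk purge.
    """
    report = DispositionReport(run_date=run_date)
    survivors: List[RequestRecord] = []
    for rec in records:
        due = purge_date(rec)
        if rec.legal_hold or due is None:
            # Excluded from the schedule: keep, but record why in the report.
            report.excluded.append(rec.request_id)
            survivors.append(rec)
        elif due <= run_date:
            report.purged.append(rec.request_id)
            if dry_run:
                survivors.append(rec)
        else:
            report.retained.append(rec.request_id)
            survivors.append(rec)
    return report, survivors


# Constructed sample data for a stand-alone run.
SAMPLE_RECORDS = [
    RequestRecord("R-1001", "permit_request", date(2022, 1, 10)),
    RequestRecord("R-1002", "permit_request", date(2024, 1, 10)),
    RequestRecord("R-1003", "police_record_request", date(2021, 6, 1)),
    RequestRecord("R-1004", "police_record_request", date(2021, 6, 1), legal_hold=True),
    RequestRecord("R-1005", "zoning_appeal", date(2019, 3, 3)),   # no schedule defined
]
RUN_DATE = date(2024, 6, 30)

if __name__ == "__main__":
    report, remaining = run_retention(SAMPLE_RECORDS, RUN_DATE, dry_run=False)
    print(f"Disposition report for {report.run_date}")
    print("  purged:  ", report.purged)
    print("  excluded:", report.excluded)
    print("  retained:", report.retained)
    print("  remaining records:", [r.request_id for r in remaining])
```

Records without a matching schedule land in the excluded list rather than being silently kept or deleted, which is the case to watch for when a new form type is introduced without a retention schedule.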
End users love single sign-on (SSO) because it’s one less login and password to remember. It also increases system security. To understand why, imagine an employee leaving your organization on bad terms. Without SSO, IT would need to remove that person’s permissions from every platform individually, leaving a window in which they could potentially sabotage data. With SSO, however, the person is removed from one system and immediately loses access to every connected application.