Board portal security checklist

Board information security has become a top board governance priority as cybersecurity risk grows. With the recent COVID-19 outbreak, boards are now looking for solutions that will allow them to share and collaborate on board materials, all from one secure and centralized location.

Many boards use board portal software to protect their information from cyberattacks and provide tools for board directors to have discussions and participate in in-person and virtual board meetings. However, even boards with board meeting software in place are advised to re-assess the security of their board portal every few years. 

As you evaluate your board information management system, make sure to ask your provider the following questions from our board portal security checklist to see how it measures up.

1. How do you host your data? 

Questions to ask about data hosting:

• Is your solution hosted in a dedicated, secure cloud server? Is it shared with other tenants?
• What is your Service Level Agreement (SLA) uptime guarantee?
• Are servers monitored 24/7 by security personnel?
• What tier are your data centers?

Answers to listen for:

• “We’re on our own dedicated virtual server, so we are not prone to hardware issues. Our server is not shared with other tenants. We exclusively manage the data security and encryption of our software and systems.”
• “Our server infrastructure has a 99.99% uptime guarantee, can scale on demand, and has low recovery time and recovery point objectives. It’s monitored 24/7 by security personnel.”
• “We know the location of each of our data centres and all are managed with the industry’s highest level of security protection. All data centres are at least Tier 4.”

Answers you don’t want to hear:

• “Our software is on a shared server with other highly security-conscious tenants.”
• “A third-party manages our data security, but they are very good.”
• “We have uptime guarantees below 99% and there’s no need to have our servers constantly monitored, because their location is secure enough.”

2. How will we be able to control access & permissions to our board portal?

Questions to ask:

• Does the board portal software have role-based or granular access permission capabilities?
• Can you assign which devices can be used to access the portal?
• Can you remotely erase board data from a lost or stolen device? Do you have the ability to lock out an account if a device is lost or stolen, or if a director leaves the board?
• Do you have two-factor authentication capabilities?
• Do you have single sign-on capabilities (i.e. can one user ID grant access to all committees and boards a director belongs to)?
• Do you provide the ability to monitor user activity?

Answers to listen for:

• “Server security alone is not enough to safeguard data. Controls for how people access and use information will ensure that your data stays within our virtual walls.”
• “We have role-based and granular access permission capabilities.”
• “Our pages are not cached, and we give you the ability to assign which devices can be used to access the portal.”
• “We provide you with the ability to immediately erase data from a lost or stolen device. You can also lock out accounts.”
• “We have two-factor authentication and single sign-on capabilities.”
• “You will have the ability to monitor board member activity with usage reports.”

3. How do you encrypt data?

Questions to ask:

• What kind of encryption is used for data in transit and at rest?
• How are passwords protected?

Answers to listen for:

• “We protect data in transit and at rest with certifications such as: 
  • RSA 4096-bit encryption
  • AES 256-bit encryption in transit and at rest.”
• “We use cryptographic hash functions such as SHA-256 to protect passwords.”

4. How are your security controls rated?

Questions to ask:

• Do you have any ISO certifications?
• Do you possess any other security certifications?
• Do you meet the requirements for compliance for HIPAA, FISMA, etc.?

Answers to listen for:

• “We possess security certifications and comply with various agreements, including:
  • ISO 27001/27002 certification
  • Compliance with AT 101 SOC 2 Type 2, SOC 3, GLBA, FERPA, HIPAA, FISMA, and SSAE 16/ ISAE 3402
  • Certifications under trusted Microsoft Azure cloud services
  • GeoTrust certification
  • Intrusion detection and Distributed Denial of Services (DDoS) protection.”

5. How does your system perform? 

Questions to ask:

• How quickly does the software complete an action, deliver a response to a query, and upload data?

Answers to listen for:

• The answers here will vary, but listen for SSD capabilities.

6. How reliable is your solution? 

Questions to ask:

• What are your backup and redundancy policies?

Answers to listen for:

• Listen for clear and detailed responses about the protections in place should some part of the system get compromised, such as daily backups, redundancy, and disaster recovery capabilities.  

7. What’s the system’s capacity & scalability?

Questions to ask:

• How will your solution scale as data managed or customers managed expands?

Answers to listen for:

• Listen for capability to expand using virtual infrastructure, with no downtime or granting of access to third-party partners.

8. What’s your security track record & what are your crisis communication protocols?

Questions to ask:

• Have you ever had a data breach?
• What are the communication protocols in place if there is an issue? 
• How quickly would we hear about a potential problem and through what channels?

Answers to listen for:

• Board portals with the highest security standards have no prior data breaches, but have comprehensive communication protocols in place to deal with one in the event that it should occur. Ask for as many details as possible.

9. Where is my data stored? 

Questions to ask:

• Do I get a choice of where my data will be stored? Can it be in Canada, the United States, or at an international location of my choice?

Answers to listen for:

• Listen for the option that aligns with your data governance policy.

Answers you don’t want to hear:

• “Our data is hosted in one location. You have no choice of where your data is located – it falls under the legal jurisdiction of where we select for it to be stored.”

Other key board portal security items to consider

The challenge with security is the complexity of board communication. When choosing board collaboration tools, you need to consider the end-to-end activities of board members, as they access, review, and communicate.

It may seem like a lot of information to consider, but cybersecurity is priceless in the long run. Consider these three additional security-focused features to help keep your data safe:

• Ability to restrict downloads if required
• Easy, secure forum for shared notes (e.g. annotations within a portal)
• Easy, secure way to record decisions (e.g. survey tool).

Compare Aprio to other board portals

Data breaches are unnerving to everyone, and with many of us now working remotely, we need to be even more aware of data security. The best means of protection is to be practical, proactive, and selective in choosing our vendor partners, as well as mindful in how we build our internal systems. 

Ask yourself, does our solution conform to the highest industry standards for data encryption and security controls? Does it provide two-factor authentication and remote locking and data wiping if a device is lost or stolen? 

The Aprio board portal offers these protections and a choice of international locations for secure data storage. In addition, Aprio considers how to protect board members from cybersecurity risk as they work, balancing convenient, mobile access to board meeting materials with the most robust technical methods to continuously protect your organization’s data. 

We welcome your questions and the opportunity to show you Aprio board portal software. To learn more about the most common cybersecurity threats and how to overcome them, download our free security guide.