When you’re selecting a board portal – or thinking about changing portal provider – security should be one of your key considerations.
Alongside capability, cost and user-friendliness, security is one of the most important criteria when you are weighing up potential solutions.
Here’s our list of the 5 questions you should ask a potential provider about the security aspects of their solution.
1. Does the provider host it – or am I expected to?
In its ‘Five questions for your board agenda’, the National Cyber Security Centre (part of GCHQ) suggests that you ‘Make appropriate use of 3rd party or cloud services’.
This is important, the Centre suggests, because while ‘Even the most competent organisations will struggle to build and maintain complex technology infrastructure’, hosting and computing services firms can, on the other hand, ‘provide security benefits at a scale that isn’t possible to build yourself’.
This is worth bearing in mind when you consider where to host your board portal.
One of the questions often asked by firms considering a portal is whether they should self-host it on their own servers, or whether it’s best to choose a solution that is hosted elsewhere.
Because your provider has the experience and expertise needed to host your data safely, outsourced hosting is recognised as the more secure option. Read more on this in our blog on board portals – the in-house/outsourced debate.
2. Does the portal create a compliant audit trail?
Being able to access documentation and past board papers is an important element of good corporate governance. If you are governed by an external regulator, such as the Financial Conduct Authority, this sort of audit trail is even more essential, as it might form part of your regulatory compliance.
Check that the portal delivers the compliant record-keeping you need. Can you easily access past papers, evidence of decisions that have been made, and corporate documentation that supports board strategies?
3. What business continuity planning processes are in place?
The best portal providers will ensure their systems are regularly security-checked and tested by independent security experts. This sort of testing is essential to ensure the solution is watertight and not vulnerable to cyber or other risks.
Preparing for the worst is an essential part of business continuity planning. A good provider will keep disaster recovery plans up to date, with robust processes for recovering any lost data.
4. What log-in requirements does it have?
Ask whether the solution you’re considering has two-factor authentication. As the National Cyber Security Centre says, ‘passwords can be a relatively weak method of authenticating users, so your password policy should be complemented by other controls to protect your enterprise’.
Two-factor authentication enhances the security of your portal by requiring users to provide two methods of identification before being given access. This gives you increased confidence that no unauthorised users can retrieve your documents.
In addition, the best portals will use permissions to govern the information each user can access. You will be able to further limit the number of people who can edit documents, and the ability to view particularly confidential or sensitive information can be restricted within your wider user group.
5. What experience does the provider have in handling sensitive information?
What history does your chosen provider have? How experienced are they in handling sensitive client information? This doesn’t necessarily need to be just as a portal provider – if they have evolved from, for instance, a financial print firm, they will have experience of being entrusted with confidential corporate data.
Are they able to evidence that they can discreetly and securely handle your sensitive strategic documents? The best portals will store all documents and data in data centres certified to ISO 27001 (security management) and ISO 9001 (quality management).
Take security into account when making your choice
Selecting a board portal can be a big decision, and it’s important to make sure you consider all the essential elements.
Providers will take varying approaches to security; you should only shortlist those that take it seriously.
To read more about the criteria you should take into account when selecting a board portal, and the benefits of delivering board packs via a portal, you can download our whitepaper, Board portals – what’s in it for directors? It’s free and you can get a copy from our resource library.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.