Day 31 — Bozo Buckets
Today I set up the buckets of risk for each of our vendors
When I was a kid, I used to dream I was live on the Bozo Buckets game show, winning the GRAND PRIZE of $50 and a brand new bicycle (it’s also probably why I maintain a healthy fear of clowns).
If you’ve never played, it’s pretty simple: you throw a ping-pong ball into a series of six buckets, each of which wins a prize. If you hit all six in a row, you win the grand prize.
Today I set up my own (nerdy) version of bozo buckets.
Today’s Problem to Solve
Today I continued work on vendor assessments: evaluating all the third-party tools and providers I use at Invincible to ensure they meet our security standards.
When evaluating a vendor, in a perfect world I’m looking for three things:
- ISO 27001 certification or a SOC 2 Type 2 report (the vendor has very rigorous security standards and our data is safe with them)
- A signed agreement identifying how the provider will store, process, or transmit our data (the vendor is contractually obligated to store, process, or transmit our data securely)
- A signed BAA if the provider is storing any protected health information (the vendor can then safely store PHI).
If a vendor satisfies each of these criteria, easy peasy. But as I quickly found out today, this activity was far from easy:
- Just finding the security documentation for vendors took a bunch of digging. And when I did, most didn’t have the certifications I needed.
- Most of the vendors didn’t have a signed agreement, just standard terms of service. Many offer to sign a data processing agreement, but it’s extra time and work.
- Other vendors have the security and the agreements in place, but I need to make internal changes to how we’re using the tools in order to be compliant.
That brings us to today’s game of bozo buckets.
Today I evaluated all 30 of our vendors based on our risk, what information we store, and their security processes. I was left with the following:
1 — Approved (no conditions)
These were the easy ones. These are the solutions that have a SOC 2 Type 2 report in place and a signed agreement with Invincible. Of every app I evaluated, Sentry.io by far set the gold standard for ease of access to this information, with links right from my account information and downloadable reports. If you sell SaaS and care about security and your customers’ time, do this.
2 — Approved (w/ exceptions)
These were a bit trickier. These were generally cases where I am missing a SOC 2 report but have no choice but to proceed. Here were a few examples:
- Google — Firebase Cloud Messaging (no ISO 27001 / SOC 2 certification)
- Apple — App Store Connect (no ISO 27001 / SOC 2 certification)
- Facebook — Instagram and Facebook (no ISO 27001 / SOC 2 certification)
Nevertheless, I have no choice but to proceed. We absolutely need these services and have no real alternative available. Plus, while they don’t have these certifications, they have strong security measures in place and we’re only storing minimal user information in each of these services.
3 — Agreement Requested
These were circumstances where I just need a signed agreement for approval. This is a case where GDPR legislation makes the task much easier, as most companies have either built a data processing agreement into their standard terms of service or else are willing to sign a DPA with us.
If you search for “Data Processing Agreement” and the company name, you can usually find the answer. Most companies have a security@ email address where you can request it.
4 — Upgrade Account for Security Enhancements
These companies are frankly just annoying: they sell security as a feature. “Oh, you want to make sure your data is secure? No problem, just give us a bunch of money and we’ll be happy to help.”
Each requires upgrading to an Enterprise account, which translates to a bunch of money for the exact same set of features I have today.
5 — Changes required before approval
These are just cleanup: changes I need to make on my end to ensure good data security practices and HIPAA compliance for PHI.
- Google / AWS: Need to sign a BAA to process PHI
- Typeform / Mailchimp: Need to consider how I’m interacting with end users and the potential for PHI transmission. Most likely, I need to move away from these services toward something that will serve our long-term security needs.
- Hubspot: Remove any PHI references (or better yet, get rid of it and switch to a HIPAA-compliant CRM).
I had hoped this would be a one-day activity, but it’s clear it’s turning into a much bigger project than I’d hoped. On the bright side, I feel much more comfortable about navigating data security with our vendors and the risks we currently have with our data.
More to come tomorrow!