Certainty Blog

16 Things To Ask Your IT Department When Evaluating Enterprise Software

We’ve been involved in the design, development, and implementation of enterprise-level software for over 20 years, which is why our team of experts put together this 10-part series on evaluating enterprise-level software. We’ll cover topics ranging from security, data collection and reporting requirements, implementation resources, pricing/cost models, and more, to ensure your next enterprise software deployment is a success. You can also download the entire Evaluating Enterprise-level Software whitepaper here

________________________________

All enterprise-wide software projects are led, managed or, at the very least, approved (or denied) by your company’s IT department. So don’t waste time evaluating a solution the IT department would never approve. First make sure the solution will meet the data access, privacy, and security needs of your business and of your business’s IT gatekeepers and guardians!

If your company is considering deploying cloud-based software – SaaS or otherwise – there are a number of items that should be considered by your IT team as the first step to evaluation. 

Enterprise Level Inspection Software and the top 16 factors you’ll want your IT department to consider: 

  1. Will the software vendor be able to meet the technical due diligence requirements of your own IT department? Each IT department’s requirements will differ, but departmental standards should always be upheld.
  2. Does your company have an IT security risk assessment questionnaire, and will the solution meet those requirements (e.g. vulnerability management, recoverability, data protection, virus and malware protection, intrusion detection, etc.)?
  3. Different industries have different regulations. Do their hosting and data security practices meet the data security requirements of your own business and IT department?
  4. Does the solution provider conduct (and can they provide evidence of) regular vulnerability and penetration assessments on their own software and server environments (i.e. both web interface and network infrastructure)?
  5. Is accessibility protected against distributed denial-of-service (DDoS) attacks? Make sure you’re protecting your business from downtime and potential lost revenue.
  6. Does the hosting environment have redundant firewalls to protect against malware and intrusion?
  7. Do their backups (and schedules), redundancy and disaster recovery practices meet the standards required by your own business’s IT department?
  8. Do you know where (and in what legal jurisdiction) your data is stored and does that meet the data storage requirements of your business? In some industries – for example, governmental organizations – this is extremely important.
  9. Is the solution hosted by a third party and, if so, is that party reputable, and does it meet the needs of your IT department and business?
  10. Do you know who has access to your data? Is it only the service provider or is it also employees and third parties?
  11. Are service provider employees that have access to your data vetted and are they bound by a Code of Ethics and non-disclosure agreements?
  12. Is your company’s data stored completely separately from that of other clients’ data and if not, what protections are in place to ensure data privacy?
  13. Is the solution (and provider) compliant with the latest international data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) or Canada’s PIPEDA? This is important to ask if you want to avoid huge fines and remain compliant.
  14. Will the service level (uptime) meet the needs of your business and does the provider have a software service level agreement (SLA) for review by your legal team?
  15. Has the database been designed for scalability? Make sure your software can grow with your business.
  16. Does the provider have – and can they readily provide copies of – their own data security policies and procedures, including:
    • Antivirus Policy
    • Code of Ethics
    • Cross Border Personal Data Transfer Procedure
    • Data Protection Policy
    • Data Protection and Audit Policy
    • Data Subject Access Request Procedure
    • Employee Code of Conduct
    • IT Disaster Recovery and Service Continuity Plan
    • Security Incident Response Procedures
    • Media Sanitization & Destruction Policy

Only after these questions have been addressed can your organization move on to the next step of enterprise software deployment: evaluating your data collection requirements.

In the next article of our series on Evaluating Enterprise Software, we’ll look at just that.

P.S. If you want access to the full whitepaper today, you can download it here