The Risks Inherent in Uncertified eProcurement Solutions

BravoSolution Security Director Marco Argilli explains the benefits of a certified solution for IT Services Management (ISO 20000-1), Security (ISO 27001) and Business Continuity (ISO 22301).


Software as a service now supports even critical processes like Procurement. But how do we guarantee data security, regulatory compliance and business continuity?

The take-up of cloud-based application services (both private and open to the public) continues to report double-digit growth as companies seize the benefits of low startup costs, the possibility of implementing solutions in stages, technology that is constantly upgraded by providers and an easy evolution path to satisfy new business needs.

But not all cloud-based solutions are equal. Where Business Critical processes are concerned, the features of services and the guarantees offered by their providers need particularly careful assessment: business continuity and the security, availability, integrity and confidentiality of data are issues that need to be studied in detail before making a decision.

Procurement is one such strategically important business process. The information involved is extremely delicate and includes supplier registers, price lists, contract award data, etc. An Italian multinational with over 600 clients, BravoSolution specialises in this area and has 14 years’ experience working with a variety of players, some in highly delicate environments, like the Bank of Italy, the Ministry of Defence in the UK and the Internal Revenue Service (IRS) in the USA.

To provide clients with guarantees of maximum reliability, BravoSolution invests systematically in research & development to improve the technology in its products and services on an ongoing basis, including their compliance with leading international certification systems. In detail, ISO 20000-1 is the standard applicable to software factory design, development and delivery processes and to operations management, while the ISO 27001 certification obtained previously is more focused on security and provides assurance that data is managed in compliance with the principles of confidentiality, integrity and availability. These have recently been joined by ISO 22301 certification of service delivery continuity.

“The combined action of the three ISO certifications, applied in an integrated framework, provides clients with assurances of excellent standards throughout the solution’s lifecycle, from when it is designed to when it is implemented and used, including the management of periodic upgrades. This approach protects clients from risk,” explains BravoSolution Client Solutions and Security Director Marco Argilli.

Let’s look at the risks a company runs if it purchases a solution without ISO 20000-1, ISO 27001 and ISO 22301 certification.

We’ll start with ISO 22301: “The risk here is not having any guarantee of business continuity, either if a minor problem causes a temporary loss of service, or a serious event like a fire or earthquake puts an entire data center out of action,” says Argilli.

In this particular area it is essential to have a Disaster Recovery Plan, configured on the basis of two key indicators: the Recovery Time Objective (RTO), the maximum time after an incident within which service must be restored, and the Recovery Point Objective (RPO), the point in time up to which full data recovery is guaranteed, i.e. the maximum amount of data (measured in time) that may be lost.

“BravoSolution guarantees that service will be reinstated within 8 hours and that data will be fully recovered up to one hour prior to the disaster,” explains Argilli.

While business discontinuity represents a risk for companies in all sectors, regulated and public operators have an additional risk to deal with, one which is covered by ISO 20000-1 certification.

“Contractors subject to the Code of Public Procurement must comply scrupulously with regulations. When an entity chooses a platform to manage its purchasing activities, compliance with regulations is clearly part of the evaluation process. But regulations, as we know, keep changing…

“Which means that what is compliant today may not be compliant two or three years from now. ISO 20000-1 certification ensures that specific processes are in place to monitor developments in relevant regulations (mandatory and in force) and assess their impact on the solution delivered to clients. This is a fundamental factor both in the public sector and for operators working in regulated markets.”

One of the requirements of ISO 20000-1 certification is the definition of a special process to monitor significant regulatory changes and assess the compliance of the platform over time. BravoSolution implements specific procedures to monitor regulatory developments in the countries in which it operates and ensure they are reflected in the platform’s design.

Another risk inherent in the purchase of an uncertified solution is uncertainty over the confidentiality of sensitive data, which in the area of procurement means prices, offers and contract values. “ISO 27001 establishes 114 control parameters, for which specific security measures must be implemented at various levels. Certification entails an assessment process that takes into consideration infrastructural, logical/application-related and organisational aspects. The IT security of a solution must be guaranteed at all levels of the client’s specific operating environment, or in other words by implementing adequate measures not only at physical, but also at logical and process level. Many operators stop at offering data center certification, which provides guarantees only at physical level and is just one of the three basic factors involved, leaving the other two unattended: the logical level (the application) and the organisational level (processes and procedures),” continues Argilli.

The physical security level protects the data center that hosts the application and involves security guard services, access control, fire and smoke detection and suppression systems and redundant power supplies. Even more important, however, are the software protection measures at the logical level, including strong authentication mechanisms, data encryption, countermeasures against hacking, etc. Finally, there is the organisational level. Here the platform is managed by separate teams that handle design, development, installation and maintenance, with a clear separation of tasks and responsibilities between the groups of people working on these activities; their work is governed by specific processes carried out according to standardised procedures.

“Absent ISO 27001 certification, all these guarantees lapse, leaving companies open to the risk of unfortunate disputes that may also lead to the cancellation of tender processes,” clarifies the manager.

As can be seen, certifications remain a distinguishing factor for the technology used to support business critical processes and are an essential requirement to take into consideration when choosing the solution to implement.