When it comes to evaluating the security of an information system, CIA is an important consideration. It’s not the Central Intelligence Agency, even though that’s most likely what you first thought of. In this context, CIA is an acronym for “confidentiality, integrity, and availability.”
A board portal is a meeting and information system, so it should be subjected to CIA evaluation as well, especially when data exchanged before, during, and after board meetings is sensitive in nature. It’s critical for this kind of information to be kept under wraps to protect the interests of stakeholders. Leakage of target acquisition strategies, for example, can seriously affect a company’s standing in the stock exchange.
A prime example of a major security breach is NASDAQ’s hacking incident a couple of years ago. NASDAQ’s Directors Desk portal was hacked and confidential board documents of hundreds of companies were compromised. It was believed that either foreign government operatives wanted access to corporate secrets, or criminal hackers wished to get data they could use for insider trading. Given that most of the companies involved are part of the Fortune 500, there was indeed a lot of valuable information at stake. NASDAQ was able to handle the breach through a swift implementation of its crisis management plan, so suspicious files were removed and law enforcement officials were contacted before sensitive data could be accessed or acquired. Still, it made organizations question just how secure board portals are.
But not all board portals are created equal. Some are more secure than others, so the best thing an organization can do is to look for a board portal that passes the CIA evaluation:
Confidentiality
Sensitive information should be protected from disclosure to unauthorized parties. When this kind of information is made available to the public without proper authorization, or is used for illegal and criminal purposes, it can damage an organization’s credibility.
- A board portal should be available only to those who are granted access. It should be safe from outside security breaches, and must have an effective crisis management plan in case they do occur. To ensure a high level of security, it should have a multi-tier authentication process. A single combination of username and password is not enough.
- A board portal should also be safe from unauthorized access coming from within the organization. People should have different kinds of access depending on the role they play, especially for non-executive directors. The ideal setup should be on a need-to-know basis: everyone has access to the information that they need to know to perform their job, and nothing else.
- Some board portal solutions have a public cloud where they put all their client organizations’ board portals. The service provider should ensure that organizations can’t access each other’s board portals, even by accident.
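The need-to-know and tenant-separation requirements above can be expressed as a deny-by-default access check. This is an added example, not code from any board portal product; the `User` and `Document` types, the role names and the sample organizations are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    tenant: str                # organization the account belongs to
    roles: frozenset           # roles held inside that organization

@dataclass(frozen=True)
class Document:
    title: str
    tenant: str                # organization that owns the document
    allowed_roles: frozenset   # roles with a need to know

def can_read(user, doc):
    """Deny by default; return (decision, reason) so every denial can be logged."""
    # Tenant isolation comes first: a matching role never crosses organizations.
    if user.tenant != doc.tenant:
        return False, "cross-tenant access"
    # Need-to-know: at least one of the user's roles must be granted on the document.
    if not (user.roles & doc.allowed_roles):
        return False, "no role grants access"
    return True, "role grant"

# Constructed sample data (hypothetical names and organizations).
CHAIR = User("A. Chair", "acme", frozenset({"executive_director"}))
NED = User("B. Ned", "acme", frozenset({"non_executive_director"}))
OUTSIDER = User("C. Other", "globex", frozenset({"executive_director"}))
STRATEGY = Document("Acquisition strategy", "acme",
                    frozenset({"executive_director"}))

if __name__ == "__main__":
    for person in (CHAIR, NED, OUTSIDER):
        allowed, reason = can_read(person, STRATEGY)
        print(f"{person.name:10} allowed={allowed} ({reason})")
```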
Integrity
Data should also be protected from modifications by unauthorized parties. When information is tampered with, it loses its value because it becomes inaccurate or incorrect. It also poses a major threat to the organization when used as a basis for major decision-making. A board implementing strategies based on wrong information may steer the organization in the wrong direction.
- Changes made in board meeting documents should be traceable, and original versions and succeeding updated versions of files should be made available for reference. The revision trail should show timestamps and the names of the authors who made changes. All updates in any document should be reflected in all copies. When different board members open the same document on whatever device – be it a tablet, a smartphone, or a laptop – they should see the same content, including the revisions.
- Data stored in the board portal should be encrypted using industry-standard encryption. Service providers should not have access to the data. Their role is limited to providing the infrastructure and corresponding support.
- Data integrity extends to archived files in compliance with data retention policies. Even old documents that are recently revised should show documentation of the changes.
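One way to make such a revision trail tamper-evident is to chain each entry to the previous one with a hash, so that editing, removing or reordering a past revision is detectable. This is an added example, not how any particular board portal stores its history; the field names and the sample revisions are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first revision
FIELDS = ("version", "author", "timestamp", "content_sha256", "prev_hash")

def entry_hash(entry):
    """Hash the fields that must not change once a revision is recorded."""
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_revision(trail, author, timestamp, content):
    """Record who changed the document, when, and a digest of the new content."""
    entry = {
        "version": len(trail) + 1,
        "author": author,
        "timestamp": timestamp,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    trail.append(entry)
    return entry

def verify_trail(trail):
    """Return the version of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for expected_version, entry in enumerate(trail, start=1):
        if (entry["version"] != expected_version
                or entry["prev_hash"] != prev
                or entry["entry_hash"] != entry_hash(entry)):
            return expected_version
        prev = entry["entry_hash"]
    return None

def build_sample_trail():
    """Constructed sample data: three revisions of one board paper."""
    trail = []
    append_revision(trail, "Company Secretary", "2024-03-01T09:00:00Z", b"Agenda v1")
    append_revision(trail, "Chair", "2024-03-02T14:30:00Z", b"Agenda v2")
    append_revision(trail, "Company Secretary", "2024-03-03T08:15:00Z", b"Agenda v3")
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", verify_trail(trail))
    trail[1]["author"] = "Someone Else"  # simulate an edit to the history
    print("first bad version after tampering:", verify_trail(trail))
```

A chain like this only detects changes if the latest `entry_hash` is also kept somewhere the editor of the trail cannot rewrite, such as a signed record or a separate system.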
Availability
Information should be accessible to those authorized at any time they need it. When an organization loses its access to its files for whatever reason, it may also lose opportunities to take action and make timely decisions.
- A board portal should support two hosting options: cloud and on-premise. Organizations that want to use their own infrastructure and implement their own security measures should have the option to go for on-premise hosting. This kind of hosting gives organizations control over all aspects of the board portal, including its uptime.
- Organizations that want to go for cloud hosting should work with a board portal solution that partners them with a reliable cloud service provider (CSP). A CSP is a third party over which the organization has no control, so it’s best to choose one with a proven track record, like Amazon Web Services (AWS).
- A board portal should also support online and offline access to documents so that participants can still retrieve information even when they’re offline.
There are many board portals to choose from in the market, like Convene. Convene is one of the many board portal solutions you’ll come across when you’re looking for the right option for your organization. To whittle down the list, just apply the CIA evaluation to see if your choice makes the cut.
Did Convene pass the CIA evaluation? It sure did, and with flying colors!
You can confirm it for yourself when you request a free demo, with no obligation.
Mark is an experienced Cybersecurity Consultant at Convene. He is knowledgeable in aspects of information security and data privacy. Propelled by his commitment to network security, Mark has written extensive guides on cybersecurity best practices and a playbook on improving an organization's IT systems.