Compliance is a crucial component of every organization. From local fire codes to federal regulations enforced by the EPA (Environmental Protection Agency), it is important to understand what is expected of your business and how to reduce your exposure.
So, what about the software you use to run your operations? Does your software provider have robust controls in place to help you keep your exposure to a minimum? The software your team uses each day, such as your workforce management software, should be reviewed for how well it meets your organization's compliance expectations. At SubItUp, we have seen a significant increase in customers looking for compliant scheduling software, driven by pending lawsuits and increased awareness within compliance teams. Below is a brief overview of two very important software compliance topics that should be top of mind: accessibility and data security.
Providing your team with a tool that ensures content is accessible to individuals with disabilities is crucial. First, it is simply the right thing to do. Second, the liability for non-compliance can be severe. In 1998, the Rehabilitation Act was amended to strengthen Section 508, and the Section 508 standards were refreshed in 2017. You may have heard of Section 508 or the Americans with Disabilities Act (ADA), but what do they mean? Several laws are related to Section 508, all of which address discrimination against individuals with disabilities:
- ADA: prohibits discrimination against individuals with disabilities.
- Communications Act, Section 255: requires telecommunications products and services to be accessible to individuals with disabilities.
- 21st Century Communications and Video Accessibility Act of 2010 (CVAA): requires advanced communications services and products to be accessible to individuals with disabilities.
The W3C's Web Accessibility Initiative (WAI) was formed to help organizations understand accessibility guidelines and the technical requirements needed to meet these regulations. Through the WAI, the Web Content Accessibility Guidelines (WCAG) were developed. WCAG 2.0 was published in 2008, followed by WCAG 2.1 in 2018 and WCAG 2.2 in 2023.
If you are wondering what questions to ask your software provider, the U.S. Department of Justice has provided a simple checklist here. The best products will have documentation ready for you to review that explains their level of conformance, such as a VPAT (Voluntary Product Accessibility Template). At SubItUp, we take accessibility compliance seriously and make our VPAT available to all managers when they log into the platform. We are WCAG 2.1 Level AA compliant. WCAG defines three conformance levels (A, AA and AAA); Level AA is the level that the Section 508 standards and most procurement requirements reference, so it is the level you should ask any vendor to demonstrate.
With the proliferation of cyber attacks, the security of your sensitive data should be of the utmost importance. Even if you have the best physical security practices in place, using software with weak data security controls is a large risk. For this reason, always ask potential software vendors about their data security practices. Ask whether they have completed a third-party security audit or penetration test and what the results were. A vendor may not share the entire report, but they should be able to share a summary covering any medium- or high-risk findings along with remediation plans and timelines (many vendors will share a full SOC 2 report under NDA, and you should ask for it). Better yet, they will engage an independent third-party security firm to perform that assessment rather than grading their own work. Data security (a.k.a. cyber security) is not a one-time project but an evolving program: software providers must keep pace with changing threats and the controls needed to mitigate them.
There are many cyber security frameworks. All of them define a set of controls that an organization commits to follow in order to keep its systems (which house your data) secure. What matters is not simply the number of controls but which controls are in scope and whether an independent party has verified that they actually operate as described. Two very common programs are SOC and NIST. SOC (System and Organization Controls) is a family of attestation reports (SOC 1, SOC 2 and SOC 3) defined by the AICPA (American Institute of Certified Public Accountants) and issued by an independent CPA firm after an audit; a SOC 2 Type I report covers the design of controls at a point in time, while a Type II report covers whether those controls operated effectively over a review period (typically six to twelve months). NIST (National Institute of Standards and Technology) is an agency of the United States Department of Commerce that publishes security frameworks, including the NIST Cybersecurity Framework (CSF) and the SP 800-53 control catalog; the CSF describes four implementation tiers (Partial, Risk Informed, Repeatable and Adaptive) rather than issuing a certification. Both programs therefore have multiple levels, so when a vendor says it is "SOC compliant" or "NIST compliant", ask which report, tier or control set it means.
SubItUp voluntarily complies with the NIST Cybersecurity Framework (NIST CSF) and information security best practices. This includes, but is not limited to:
- Account and access controls, including least privilege, role-based access and separation of duties
- Technical controls, including encryption, anti-virus/anti-malware, vulnerability scanning and change management
- Business continuity and disaster recovery, including a comprehensive backup solution, high availability and redundancy
If you haven't vetted your current software vendors, now is the time to start. As lawsuits against non-compliant organizations mount, it is always better to be proactive than reactive. We strongly recommend that you perform an internal analysis of your current providers to understand their level of compliance and reduce your future exposure. Determine whether your organization already has policies on this topic. If you have an internal compliance or risk management team, partner with them to understand your current status. If you need to develop internal programs to follow, look for an independent external partner; there are well-qualified third-party IT security and compliance experts available. Once you understand your areas of exposure, you can build a plan for what will be required to close any significant gaps.
If you would like to talk more about compliance with one of our product specialists at SubItUp, click here to schedule a call.