Before I expand on the security aspects of a CRM/SFE application, let us look into some basic questions.
Security – What is it? All customers are aware of it.
Security – Needed? All customers will of course agree.
Security – Criteria for vendor evaluation? Not always.
Some pharma companies of course have a stringent process to evaluate both the vendor and the offering against various information security parameters. Others opt to host on their own servers, which is not feasible for everyone and also means losing the advantages of a cloud-based solution.
Since awareness of security and of its need is well established, let me get into what has to be looked at when selecting a CRM product. Two things need to be checked:
Security safeguards in the product. This is done by making sure that industry guidance is implemented and that there is evidence to back it up. OWASP guidance (the OWASP Top 10 and the Application Security Verification Standard) is one such yardstick; OWASP itself does not certify products, but a vendor can have the product audited or penetration-tested against that guidance by an independent firm and produce the report as evidence.
Security in the processes defined by the organization. Again, there are several industry standards available for this. ISO/IEC 27001 (information security management) is one such option, and there are accredited firms that can audit and certify adherence to it.
Let me expand a little on what OWASP is.
OWASP – Open Web Application Security Project. This is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. It maintains a list of the vulnerability categories (the OWASP Top 10) that any web application should be safeguarded against.
I am translating some of those categories into the actions that need to be taken:
All pages and API endpoints have to be served over HTTPS, with plain HTTP redirected to HTTPS, so that credentials and customer data are not exposed in transit.
Login safety precautions:
a. The number of unsuccessful login attempts is counted and recorded.
b. The user is locked out after a set number of unsuccessful attempts, after which an administrator would need to intervene (attacker-triggered lockouts can deny service to legitimate users, so the threshold and the unlock procedure need thought).
c. Logins and logouts are tracked with date and time.
d. Mandatory changing of the password after a set period of time (current NIST guidance in SP 800-63B favours forcing a change on evidence of compromise rather than on a schedule; check which regime the customer's policy requires).
e. Password reuse is controlled by checking a new password against a history of the user's previous ones.
Session management – an idle timeout after which the session is terminated and all session state is cleared on the server; the session cookie should carry the Secure and HttpOnly flags, and the session identifier should be regenerated on login.
Protection of key data such as passwords, both in transit to the database and at rest. Passwords in particular should not be reversibly encrypted but stored as salted hashes produced by a slow, purpose-built algorithm (bcrypt, scrypt, Argon2 or PBKDF2), so that a leaked database does not yield the plaintext passwords.
Parameters should not be concatenated into the SQL statement. They need to be passed to the query or stored procedure as bound parameters (for example through the driver's parameter class), so that user input can never change the structure of the query.
HTML encoding of user-supplied data on output, with decoding only where a trusted consumer needs the original text, so that stored input cannot execute as script in another user's browser (cross-site scripting).
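The last two actions above, parameter binding and HTML output encoding, are easiest to see side by side. The following is an added example and not code from the original post or from any CRM product; it uses an in-memory SQLite database with two constructed sample rows, and the `lookup_*` and `render_greeting` function names are mine.

```python
"""Injection defences for a CRM user lookup: parameterised SQL beside the
concatenated form it replaces, and HTML output encoding.
Added example, not code from the original post. Uses an in-memory SQLite
database populated with constructed sample rows."""
import html
import sqlite3

# Constructed sample data: a users table as a CRM might hold it.
SAMPLE_USERS = [("alice", "reps"), ("bob", "admins")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """VULNERABLE: the user-supplied value is spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """SAFE: the value is bound as a parameter. The driver never treats it
    as SQL, so a quote in the input is just a quote in the data."""
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting(username):
    """Output encoding: escape before placing untrusted text in HTML so a
    stored or reflected <script> payload renders as text, not markup."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_concatenated(conn, payload))   # every row leaks
    print(lookup_parameterised(conn, payload))  # no such user
    print(render_greeting("<script>alert(1)</script>"))
```

The same `'1'='1'` payload returns the whole table through the concatenated query and nothing through the bound one; the encoded greeting shows the script tag as literal text. The fix is the same whatever the driver: bind values, never build SQL by string concatenation, and encode on output rather than trying to filter on input.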
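The login, session and password-storage actions above fit together in one small account model. The following is an added example and not code from the original post or from any product; the thresholds (five failed attempts, a fifteen-minute idle limit, a history of five passwords), the `Account` class and its method names are assumptions of mine, and the clock is injectable so the idle timeout can be exercised without waiting.

```python
"""Login hardening controls: salted slow password hashing, failed-attempt
counting with administrator-only unlock, a login/logout audit trail,
password-history checks and an idle session timeout.
Added example, not code from the original post; all thresholds are assumed."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5          # assumed policy: lock after 5 failures
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy: 15-minute idle limit
PASSWORD_HISTORY = 5             # assumed policy: refuse the last 5 passwords
PBKDF2_ITERATIONS = 600_000      # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Store a salted, slow hash, never a reversible encryption of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class Account:
    def __init__(self, username, password, now=time.time):
        self.username = username
        self.now = now                      # injectable clock
        self.salt, self.digest = hash_password(password)
        self.history = []                   # previous (salt, digest) pairs
        self.failed_attempts = 0
        self.locked = False
        self.audit = []                     # (event, timestamp) trail
        self.last_activity = None           # None means no live session

    def login(self, password):
        """True on success; locks the account once the failure threshold is hit."""
        if self.locked:
            self.audit.append(("login_refused_locked", self.now()))
            return False
        if verify_password(password, self.salt, self.digest):
            self.failed_attempts = 0
            self.last_activity = self.now()
            self.audit.append(("login", self.last_activity))
            return True
        self.failed_attempts += 1
        self.audit.append(("login_failed", self.now()))
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            self.audit.append(("locked", self.now()))
        return False

    def admin_unlock(self):
        """Only an administrator action clears the lock."""
        self.locked = False
        self.failed_attempts = 0

    def session_valid(self):
        """Idle timeout: a session idle past the limit is terminated and cleared."""
        if self.last_activity is None:
            return False
        if self.now() - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.logout()
            return False
        self.last_activity = self.now()
        return True

    def logout(self):
        self.last_activity = None
        self.audit.append(("logout", self.now()))

    def change_password(self, new_password):
        """Refuse reuse of the current password or any of the last N."""
        for salt, digest in [(self.salt, self.digest)] + self.history:
            if verify_password(new_password, salt, digest):
                return False
        self.history = ([(self.salt, self.digest)] + self.history)[:PASSWORD_HISTORY]
        self.salt, self.digest = hash_password(new_password)
        return True
```

A real deployment would keep the counters and audit trail in the database rather than in memory and would expose the audit events to the customer's log review, but the control points are the ones listed above: count and record failures, lock rather than keep guessing, time out idle sessions and wipe their state, and never store anything from which the password can be recovered.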
How ISO ties up with pharma CRM can be dealt with in another blog.