
Evaluating data tools for first-class security practices: A checklist

Your company's most valuable asset needs first-class security


First-class security practices aren't a 'nice to have'; they're non-negotiable for data tools. Sound security protocols, practices, and documentation reduce legal risk, regulatory fines, and loss of customer trust, any of which can end a company if not addressed effectively.

At Hex, we know how important this is. Security is essential to our work and we’ve started year-long partnerships with enterprises of all sizes because of our attention to detail in this arena.

From this work, we've put together some of the key questions we recommend considering when evaluating the security of any data analytics or BI tool. While no set of questions will be a perfect fit for every threat model, these should give you a great starting point to refine your own approach.

A checklist for analytics tool security

Storage and encryption

The right storage and encryption strategies keep your data secure and limit the impact of a breach if one happens. Learn how data is encrypted at rest and in transit, and what key management features are offered.

  • Does the tool offer a BYOK (bring-your-own-key) feature?
  • Does the company ensure that all stored data, including backups, is encrypted at rest using AES-256 or better?
  • Does the company enforce encryption in transit using TLS 1.2 or newer (TLS 1.3 preferred), with only forward-secret, AEAD cipher suites enabled and legacy protocols and ciphers disabled?
  • Does the company have a robust key management system and practices?
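"TLS 1.2 or newer and secure cipher suites" is only a useful question if you can check the answer yourself. The script below is an added example, not code from the original post or from Hex: it takes the protocol/cipher-suite pairs a scanner such as `openssl s_client` or `nmap --script ssl-enum-ciphers` reports for a vendor endpoint and flags anything that fails the bar (pre-TLS 1.2 protocols, broken or export-grade ciphers, static RSA key exchange with no forward secrecy, non-AEAD CBC suites). The two scan results it evaluates are constructed for illustration; the line format and the helper names are assumptions of this example.

```python
"""Evaluate the TLS protocols and cipher suites a vendor endpoint offers
against the checklist item "TLS 1.2 or newer and secure cipher suites".

Added example, not from the original post. The sample scan output below is
constructed; in practice feed it the suite names reported by
`openssl s_client`, `nmap --script ssl-enum-ciphers` or a similar scanner.
"""
from dataclasses import dataclass, field

# Protocol versions that fail the "TLS 1.2 or newer" requirement.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Substrings in an IANA cipher-suite name that mark it as weak: no encryption,
# export-grade, anonymous, or broken/deprecated ciphers and MACs.
WEAK_MARKERS = ("NULL", "EXPORT", "ANON", "RC4", "3DES", "DES_", "_MD5",
                "IDEA", "SEED", "RC2")

# Only AEAD modes are acceptable in TLS 1.2; TLS 1.3 suites are AEAD by definition.
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


@dataclass
class SuiteVerdict:
    name: str
    ok: bool
    reasons: list = field(default_factory=list)


def evaluate_suite(protocol: str, suite: str) -> SuiteVerdict:
    """Return whether a single (protocol, cipher suite) pair meets the bar."""
    reasons = []
    if protocol in DEPRECATED_PROTOCOLS:
        reasons.append(f"{protocol} is below TLS 1.2")
    if protocol == "TLSv1.3":
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key
        # exchange and AEAD ciphers, so nothing else needs checking.
        return SuiteVerdict(suite, not reasons, reasons)
    upper = suite.upper()
    if any(m in upper for m in WEAK_MARKERS):
        reasons.append("weak or deprecated cipher/MAC")
    # Forward secrecy: key exchange must be ephemeral (ECDHE or DHE), not static RSA.
    if not ("_ECDHE_" in upper or "_DHE_" in upper):
        reasons.append("no forward secrecy (static key exchange)")
    if not any(m in upper for m in AEAD_MARKERS):
        reasons.append("not an AEAD suite (CBC/HMAC construction)")
    return SuiteVerdict(suite, not reasons, reasons)


def evaluate_scan(scan_lines):
    """Parse lines of the form "<protocol> <suite>" (assumed format) and
    return (passes_checklist, [SuiteVerdict, ...])."""
    verdicts = []
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        protocol, suite = line.split()
        verdicts.append(evaluate_suite(protocol, suite))
    # The endpoint passes only if every offered combination is acceptable:
    # a single legacy suite is all a downgrade attack needs.
    return all(v.ok for v in verdicts), verdicts


# Constructed sample: what a scanner might report for two hypothetical endpoints.
LEGACY_ENDPOINT = """
TLSv1.0 TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA256
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
""".splitlines()

HARDENED_ENDPOINT = """
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.2 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLSv1.3 TLS_AES_256_GCM_SHA384
""".splitlines()

if __name__ == "__main__":
    for label, scan in (("legacy", LEGACY_ENDPOINT), ("hardened", HARDENED_ENDPOINT)):
        ok, verdicts = evaluate_scan(scan)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for v in verdicts:
            if not v.ok:
                print(f"  {v.name}: {'; '.join(v.reasons)}")
```

The legacy endpoint fails even though it also offers a good ECDHE/GCM suite: the verdict is all-or-nothing because a client (or an attacker in the path) can steer negotiation toward any suite the server still accepts. Run it against the vendor's public endpoints and, if they offer a private connectivity option, against that too.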

Data handling

Will the company’s data-handling policies suit your needs now and in the future? Learn how data is collected, how the company is prepared to handle disaster recovery, and what your options are for data storage and deletion.

  • Does the tool offer single-tenant and multi-tenant options?
  • What are the company’s data retention policies?
  • What data does the company collect?
  • Does the company have disaster recovery and data backup processes in place?
  • Does the company support geographic restrictions for data storage and processing?
  • Does the company provide customers with the ability to set and enforce data retention, deletion, and archival policies?
  • Are critical network infrastructure components isolated?

Security policies and upkeep

Companies should tout their security features, yes, but they should also show that they perform risk assessments, undergo third-party audits and penetration tests, and proactively scan their applications and systems.

  • Does the company perform ongoing risk assessments?
  • Does the company provide a process for communicating changes to customers?
  • Does the company have a regular data backup schedule?
  • Does the company regularly test its backups to ensure data is recoverable?
  • Does the company regularly scan applications for vulnerabilities, including first-party applications made by the company and third-party vendors and services the company buys and deploys within its network?
  • Does the company publish the results of periodic penetration tests?
  • Does the company provide robust logging for all security-related events?
  • Does the company have regular third-party compliance audits?
  • Does the company provide an active bug bounty program?
  • Does the company have a documented process for reporting and responding to security incidents, such as breaches or unauthorized access?

Access control, identity management, and user training

Find out how the company logs and reviews access attempts, how user sign-on is handled, whether internal systems are reachable from the open internet, and how employees are trained.

  • Does the company have documented employee onboarding and termination processes?
  • Does the company have an audit system to track user access attempts?
  • Does the company regularly review user access rights and privileges?
  • Does the company enforce Multi-Factor Authentication (MFA) policies for employees accessing critical systems and applications?
  • Does the company enforce Role-Based Access Control (RBAC) to limit access based on user roles? Do these roles follow the principle of least privilege?
  • Does the company use Single Sign-On (SSO) to secure user access across multiple applications?
  • Are the company’s systems exposed to the open Internet? Or do users need to access internal systems through a VPN or zero-trust option?
  • Does the company allow self-serve signups, or do all customers have a vetted contract in place?
  • Does the company offer security best practices and user training to its employees to minimize human error (such as phishing and weak passwords)?

Compliance and privacy

If you’re in a regulated industry or region, checklist items for HIPAA and GDPR can be make or break. Neither law certifies vendors, so the questions below are about whether a tool gives you the controls you need to stay compliant; they will filter out vendors that cannot support HIPAA or GDPR compliance, but keep in mind that this is just a starting list.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is a United States federal law that sets protections for medical records and other protected health information (PHI). Companies operating in healthcare and healthcare-adjacent industries need to evaluate every tool option against HIPAA regulatory requirements, and any vendor that will store or process PHI on your behalf must sign a Business Associate Agreement (BAA) before it receives any.

  • Does the tool offer settings to shorten session lifetimes?
  • Does the tool allow customers to add more controls or configuration changes as necessary depending on customer regulatory needs?
  • Does the tool allow customers to limit access to PHI based on roles?
  • Does the tool collect only the minimum necessary PHI required for any given task?
  • Does the tool provide logs to help customers monitor access to PHI?
  • Does the company have policies in place for promptly detecting and reporting breaches?
  • Does the tool align with HIPAA’s data retention requirements?
  • Does the tool support secure deletion methods to ensure PHI cannot be recovered?
  • Does the company provide compliance reporting features so that customers can demonstrate HIPAA compliance during audits?

GDPR

GDPR (General Data Protection Regulation) is a European Union regulation that governs the collection and processing of personal data of people in the EU. It applies to any company that processes such data, wherever the company is located, so, as with HIPAA, affected companies need to evaluate every tool option against GDPR requirements.

  • Does the tool provide customers with the ability to clearly communicate with users about what data is collected, why it is collected, and how it will be used?
  • Does the tool allow customers to only collect the data necessary for its purpose?
  • Does the tool support automated data retention schedules that align with GDPR’s data storage limitation principle?
  • Does the tool support automated deletion or anonymization of data when data is no longer needed?

Incident response and monitoring

A secure data tool is backed by a company that can both prevent incidents and respond quickly when one occurs. Ask what audits the company undergoes and how incidents are communicated and escalated.

  • Does the tool have a mature incident response process?
  • Is the company internally prepared to handle emergencies? How?
  • Does the company have documented incident response and monitoring policies?
  • Does the company hold audited attestations or certifications, such as a SOC 2 Type II report, that require an established incident response framework?
  • Does the company provide predefined roles and responsibilities for handling incidents?
  • Does the company provide an escalation process for major incidents?
  • Does the company provide SLAs, including a committed timeline for notifying customers of a security incident?

Vendor trust and reputation

A tool that has a proven track record with customers you trust should always outweigh a tool that makes big promises with little backing. See if the company has other security-conscious customers, runs independent audits and penetration tests, and publishes transparency reports.

  • Does the company regularly run independent security audits?
  • Does the company regularly perform penetration tests?
  • Does the company make reports from audits and penetration tests available for review?
  • Are there security-conscious customers (e.g., financial institutions, healthcare organizations) using the tool?
  • Does the vendor publish transparency reports on government data requests or potential breaches?

Security is not a nice-to-have, it's a need-to-have

The data that your company handles is one of its most valuable assets, so it's critical that vendors meet your requirements before they touch it.

If you’re interested in learning more about our take on security, and why the largest security-conscious customers have chosen to partner with us, read about data security at Hex.

This is something we think a lot about at Hex, where we're creating a platform that makes it easy to build and share interactive data products which can help teams be more impactful.
