LMS Must-Have #4: Additional Security Measures
In a previous article, LMS Must-Have #2: Highly Secure Data Practices, I covered 10 essential questions that your LMS vendor should be able to answer about how they secure your company’s LMS data, and the standards you should be looking for. There are at least two other aspects of security you should be paying attention to when evaluating a current or potential new LMS.
Data Center Security
The previous article was focused on practices around data security, but all that data also resides in one or more physical locations, which means you need to know some things about the LMS vendor’s data center security practices. After all, we’re talking about a lot of highly sensitive data related to your company and its employees. There are seven aspects to pay attention to here:
- Physical Access Requirements. There need to be robust measures in place in terms of physical barriers that prevent anyone from accessing data center hardware. Authorized personnel should go through at least two levels of security clearance before being admitted to such areas. These might include sign-in/badge assignment, biometric hand scans, optical scans, PIN access, and so on.
- Access List Control and Maintenance. The fewer the people involved in this, the better. And it should be routinely audited by security personnel.
- How Many People can Access the Data Center. The larger this list, the greater the vulnerability. Access should be strictly limited to the smallest group of people needed to maintain the data center.
- Security Monitoring Practices. There should be both physical security guards as well as cameras monitoring the data center 24/7×365.
- Data Center Location. Your vendor’s data center(s) should be located in the same country as your company, and preferably in regions with enough proximity to allow for faster data transmission.
- Redundancy and Availability Protections. Having data replicated to a second location is key to uninterrupted access to your LMS during power outages or other disasters and emergencies. Knowing what procedures your vendor’s data center has in place to deal with such contingencies is crucial. One way to gauge this is by your vendor’s “uptime” percentage, which should be just shy of 100%. The lower it is, the more vulnerable the data center is to various interruptions. Also find out the tier rating of the data center, with 1 being the lowest and 4 being the highest – you should be aiming for 3 or 4.
- Data Center Certification. You would want to see at least either SOC or ISO certification to be sure the center is up to industry standards. Going above and beyond those would be such certifications as the Cisco Certified Network Professional (CCNP) Data Center credential or the VMware Certified Professional 5 – Data Center Virtualization.
Network and System Security
In addition to security concerns around data and the physical data centers in which it is stored, your company should also know a number of things about how an LMS vendor handles network and system security, including the following:
- Access to Production Systems. By production systems, I mean the actual hardware and software that make up the LMS. The only people who should have access to this area are authorized personnel who actually work on the hardware and software.
- Personnel Authentication. This needs to be highly secured through bastion hosts requiring multi-factor, token-based VPN access. You don’t need to know what that means; it just needs to be there.
- Password Policy Enforcement. Passwords need to be strong and come with strict expiration and length requirements. Good standards here are password policies enforced by central authentication directories like LDAP or Microsoft Active Directory.
- System Access Log. There should be a detailed log entry each and every time the production system is accessed, period.
- Network Security Testing. There should be regular vulnerability scans as well as penetration testing. Weekly is good for vulnerability scans, and monthly is fine for penetration testing.
- System/Network Monitoring. Simply put, this should be done 24/7×365 by qualified personnel.
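One way to verify the directory-enforced password policy that the Password Policy Enforcement item calls for, as an added example that is not part of the original article: it reads the Active Directory default domain password policy with the ActiveDirectory PowerShell module and compares it against baseline thresholds that are assumptions chosen for illustration, not values the article gives.

```powershell
# Added example: audit the central directory's password policy against an
# assumed baseline. Run on a domain-joined host with RSAT installed.
Import-Module ActiveDirectory

function Test-PasswordPolicyBaseline {
    param(
        [int]$MinLength = 14,            # assumed minimum length
        [int]$MaxAgeDays = 90,           # assumed expiration ceiling
        [int]$MinHistory = 12,           # assumed reuse protection
        [int]$MaxLockoutThreshold = 10   # assumed; 0 means accounts never lock
    )

    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); baseline requires >= $MinLength"
    }
    # MaxPasswordAge is a TimeSpan; the cmdlet reports 0 when passwords never expire
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days; baseline requires 1..$MaxAgeDays"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    if ($policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); baseline requires >= $MinHistory"
    }
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); baseline requires 1..$MaxLockoutThreshold"
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled; stored passwords are recoverable"
    }

    # Fine-grained policies override the default for specific groups, so list them too
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, ComplexityEnabled, AppliesTo

    [pscustomobject]@{
        Compliant           = ($findings.Count -eq 0)
        Findings            = $findings
        FineGrainedPolicies = $fgpp
    }
}

Test-PasswordPolicyBaseline | Format-List
```

Any fine-grained policy with a higher precedence than the default needs the same review, since it decides what actually applies to the accounts it targets.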
Are you surprised that, so far, two of the four articles about LMS Must-Haves have to do with security concerns? It’s a sign of the times in this digital era, and one that companies ignore at their own peril. Make sure your LMS vendor is up to speed on these security issues.