Security essentials for any Volunteer Management System

Data Management, Governance, Security, Technology in third sector

Written by Katie Taaffe

Recruitment, retention and reporting features are some of the leading benefits of a Volunteer Management System, but what truly underpins any robust software is its foundations and infrastructure. Here are some of our most commonly asked questions around Security. 

How do I know if my volunteer management software is secure? 

Ensuring your data remains safe and secure depends on a combination of factors: how the provider operates, what safeguards are in place to continually test the security of your software, and the quality and frequency of security training given to users within your organisation.

We can’t stress enough the importance of security. It might not be an immediate priority, but the risk of having your data compromised in a breach can be largely mitigated. We know prevention is the best way forward, so we implore you to speak to us about our security practices and product architecture. 

Verify that your volunteer management software provider's security practices meet the most widely accepted standards. Here are some to look out for:

Cyber Essentials  

If you haven’t seen our blog on how charities can prevent a cyber-attack, we suggest you check it out. In a survey by Third Sector and the National Cyber Security Centre (NCSC), only 50% of respondents were aware of the potential consequences of a cyber-attack.

Cyber Essentials is a government-backed and industry-supported scheme that helps organisations protect themselves against the ever-growing threat of cyber-attacks.

Many cyber-attacks are opportunistic, carried out by attackers looking for obvious, easily exploited weaknesses, so preventative measures are essential. A Cyber Essentials accreditation shows that basic cyber security controls are in place to mitigate common types of attack such as phishing, malware and hacking.

Cyber Essentials is a mandatory requirement for all central government contracts that involve handling personal information or providing ICT services. Whilst software providers are not obliged to hold it, we would urge you to look for it as the most basic approach to security.

ISO 27001:2013 certification 

ISO 27001:2013 allows technology providers to be independently audited against a rigorous set of information security controls, and to demonstrate ongoing compliance within that framework.

Assemble holds a BSI-assessed ISO 27001:2013 certification, the International Standard for Information Security Management. Part of the certification involves demonstrating best practice in confidentiality, integrity and legal compliance, providing confidence that the appropriate controls and policies are in place to safeguard data.

Penetration testing  

Penetration – or pen – testing is when you appoint a security testing company to carry out a simulated cyber-attack on your software. The idea is that ‘white hat hackers’ try to compromise or gain access to your environment by any means available, exposing any vulnerabilities or misconfigurations that would present a cyber-security risk in a real-world scenario.

A pen test will typically identify and highlight any compromising weaknesses and set out the scope and severity of each issue. Furthermore, it will offer actionable guidance on how to mitigate the risks that are identified.

At Assemble, we invite customers to talk to us about our recent pen tests. Always ask to see a copy of your provider’s most recent pen test report. The test should have been performed within the last 12 months and be ‘green’ (for good) on all fronts, with no outstanding recommendations.

National Cyber Security Centre Cloud Security Principles

The Government’s National Cyber Security Centre (NCSC) Cloud Security Principles are in place to help you choose a Software-as-a-Service (SaaS) provider that meets your security needs.

For each of the principles, the NCSC describes:

  • The security goals that a good cloud service should meet
  • Differentiators you should look out for that either give you more confidence in the cloud service, or make it easier for you to meet your own security responsibilities
  • Some suggestions for how the cloud provider could have met the goals
  • Any related considerations you will need to make when determining whether the service meets your needs

The Digital Marketplace 

If you are looking for secure, best-in-class volunteer management software, then a good place to start for qualified suppliers is the Crown Commercial Service’s G-Cloud 13 framework, also known as the Digital Marketplace.

The framework allows suppliers that comply with a series of suitability and security requirements to apply to list their software, making it easier for UK central government departments to procure qualified cloud software and associated IT services.

Its purpose is to improve the government’s commercial activity, making it simpler for public sector organisations, healthcare providers and local authorities to find, buy and deploy technology services, such as volunteer management software like Assemble. 

Volunteer Management System Security Checklist

  • Does your software provider hold ISO 27001 certification?
  • Is the software externally pen tested?
  • Request a copy of the most recent pen test report.
  • Was the most recent pen test performed within the last 12 months?
  • Was it carried out by a CHECK- or CREST-accredited security company?
  • Did the test show green in all areas, with no remedial action required?
  • Does the software support two-factor authentication?
  • Is data encrypted at rest?
  • Does the software support single sign-on?
  • Does your software provider follow the Government’s NCSC Cloud Security Principles?

Still have unanswered questions? Then speak to a member of our team here.