Over the past few articles I’ve talked about different aspects of data privacy and how that links to project management deliverables and the ways of working for the team. One of the big things that we use as project managers is our software, and often we’re involved with selecting new tools or upgrading existing tools.
In this article, I wanted to point out a few things you should be looking for in your PM tools to make sure that you’re having the right conversations about whether they are secure enough for your data. I’m sure your info sec teams will also have a lot to say, so use the content below as a starting point for a discussion, not a replacement for guidance from your internal teams!
Access control and permissions
Ensure that the tool allows for granular control over who can access sensitive data. Role-based access control (RBAC) is essential for minimising the risk of unauthorised access.
What this looks like in practice is that you might have one person on the team with admin or ‘override’ permissions, and everyone else just enters the data. In one company I know, the workflow pushes a project between stages. While it’s going through the approval process, no one can edit the data. That’s good because it means all approvers are seeing the same thing, but also a bit annoying if you’ve accidentally left something out or there is another very valid reason for needing to add another attachment, for example. Admin users could have the power to make changes while a record is blocked for editing by ‘normal’ users, but it’s a power to use very carefully!
Data encryption
Verify whether the tool provides end-to-end encryption for both data at rest and data in transit. This ensures that data remains secure even if intercepted, which is important for software that is hosted in the cloud, or for financial information. I don’t know why you’d need information like bank card records in a project management tool, but even your business case information should be company-confidential and you wouldn’t want it accessible in case of a data breach.
Data storage and backup
Assess where the data is stored and whether that meets your requirements. For example, in the UK there are rules around where patient data is stored in the healthcare industry – we couldn’t have certain data stored in off-shore data centres, for example. Check out your regional data privacy laws.
Again, project management software isn’t going to have the kind of sensitive, personal information that’s on the same scale as medical records, but you still want to be sure it meets your company’s policies for storage.
The same goes for backup. However good your internal systems and however reliable your supplier, can you get the data back when there’s a problem?
Audit logs
This feature is so helpful in the project management software that I use. It’s great to easily be able to see what changed, when and who changed it.
Check if the tool has built-in auditing and tracking features that allow for monitoring access to data and changes to project information. And if it does, who has access to see the audit logs (I’m a believer in transparency here – why not make them available to everyone?).
Certifications
If you’re using software that you’ve bought in, check to see if it (or the company that makes it) has any data or compliance-related credentials like ISO 27001, SOC 2, or EU-U.S. Privacy Shield, which indicate that the tool has passed rigorous security and privacy assessments.
That’s not an exclusive list, but you can use the ideas above as a starting point for thinking about the requirements for data security and privacy for your project management software. What did I leave out? Let me know in the comments!
