Other than making a profit, protecting company data may be the most important concern for business owners. But maintaining on-premises data protection is a significant burden, and for that reason many businesses are turning to “the Cloud” for software applications and data storage. While working with a Cloud vendor that stores your company data can reduce the onus of in-house protection, keep in mind that not all Cloud vendors are created equal.
When choosing a Cloud vendor, certain considerations must be weighed, including the range of service options, the flexibility to meet your business’s evolving needs and, equally important, solid security protocols. At a bare minimum, these security features should include a documented written information security policy (WISP), an intrusion detection system, a security information and event management (SIEM) system for monitoring, and data encryption, along with a complement of anti-virus/anti-malware software, among others.
In addition, it is highly recommended that a Cloud vendor obtain an independent audit of its security environment. A SOC 1 (System and Organization Controls) or SOC 2 report are two examples of an outside independent audit. These standards were developed by the AICPA (American Institute of Certified Public Accountants) to help consumers understand whether their data is secure. As an example, SOC 1 is associated with outsourced financial services, such as payroll, that have a material impact on your company’s financial statements. A SOC 1 audit is performed by an outside auditor to ensure security and to validate that the transaction processes (processing payroll and managing tax withholdings, for example) are being handled appropriately.
SOC 2 was introduced to meet the needs of Cloud vendors that provide other technology-based services. The SOC 2 framework is designed specifically for entities like data centers, IT managed services and SaaS (software as a service) vendors. Within the SOC 2 framework is a five-pronged set of criteria known as the Trust Services Principles, which include security, availability, processing integrity, confidentiality and privacy of personal information collected by the Cloud vendor.
It is important to select a Cloud vendor that submits itself to a formal SOC audit. Before moving forward with your selection of a Cloud vendor, ask for its SOC audit report(s). If the vendor doesn’t have one, be suspicious of its security and control protocols; it might be a warning sign of future issues. Even when contracting with the major Cloud service vendors, such as Amazon Web Services, Cisco, Google Cloud, Microsoft or Oracle Cloud, there are other matters that should be discussed and documented.
What happens if the Cloud vendor is breached? Who is responsible for paying for identity theft protection? Who is accountable for reporting a breach? Who is responsible for paying any fines? You need to document and confirm ALL obligations and responsibilities of the Cloud vendor. In addition, make sure the vendor carries cybersecurity insurance. Don’t assume that by handing over your data to a Cloud vendor your accountability and/or liability ends there.
While keeping your data in the Cloud may be the best cybersecurity option for your business, make sure you understand all the details and risks.
Jeffrey Ziplow, MBA, CISA, CGEIT is a partner at blumshapiro, the largest regional business advisory firm in New England. He can be reached at [email protected]