Digital Security in the Cloud: Overview of Basic Security Considerations

The AICPA has developed a set of principles for cloud providers to achieve Service Organization Control (SOC) certifications. When deciding between on-premise and cloud solutions, consider for yourself how well you are managing your firm’s IT infrastructure. Cloud providers must attest to adhering to these principles, but they can be useful for anyone who manages sensitive data. Visit CCHGroup.com/Axcess to learn more.


  1. Digital Security in the Cloud: Overview of Basic Security Considerations (Wolters Kluwer Tax & Accounting, “When you have to be right”)
  2. What Comprises Digital Security?
     The AICPA has developed a set of principles for cloud providers to achieve Service Organization Control (SOC) certifications. When deciding between on-premise and cloud solutions, consider for yourself how well you are managing your firm’s IT infrastructure. Cloud providers must attest to adhering to these principles, but they can be useful for anyone who manages sensitive data.
     • Is the appropriate IT management structure in place?
     • Are IT policies in place and communicated?
     • Are risks actively monitored?
     • Is system access limited?
  3. Appropriate IT Management Structure
     A secure system requires the right personnel to manage and maintain your information technology. Whether your IT staff is in-house or outsourced to a consultant, make sure they have the right skills and proper training. Cloud service providers must prove that they have these policies in place, but all firms should evaluate their IT management structure, even when not required.
     Enact policies and processes designed to:
     • Identify and hire competent personnel.
     • Provide staff with the training they need to perform their jobs.
     • Perform regular job evaluations to identify potential weaknesses.
     • Identify opportunities for technical and professional growth.
     Example IT management policies:
     • Formal, written job descriptions for each full-time and contractor position.
     • Formal classroom instruction, Web-based training and on-the-job employee training, including annual security training.
     • Background checks for new hires.
     • Mandatory training to be eligible for promotion.
     • Coordinated new hire orientation program.
     • Professional development programs to retain key talent.
     For more information about the security measures in place for CCH Axcess™, visit CCHGroup.com/Axcess and download our complimentary Information Security Measures for CCH Axcess white paper.
  4. IT Policies in Place and Communicated
     Service providers must put into place IT policies for incident response, network security, encryption and system security standards. These policies should be reviewed at least annually, and it’s a good idea to perform vulnerability assessments to ensure the policies are being followed. Some sample IT policies include:
     • Acceptable use policy
     • BYOD policy
     • Encryption policy
     • Enterprise security policy
     • General emergency policy
     • Information sensitivity policy
     • Media destruction policy
     • Network access policy
     • Password policy
     • Patch management policy
     • Remote access/VPN policy
     • Router security policy
     • Server security policy
     • Software policy
     IT Fraud Controls in Place at CPA Firms (chart; values shown: 54%, 50%, 55%, 47%; source: 2015 AICPA Top 10 Technologies Survey):
     • IT fraud prevention controls: Policies put in place to identify the root causes of fraud and to remove any enabling factors.
     • IT fraud detection controls: Identifying signs of potential fraud and stopping fraud as early as possible.
     • IT fraud response: A plan for reporting fraudulent activity within the firm and communicating to clients.
     • Management override controls: Limitations put in place to prevent employee interference with fraud controls.
  5. Active Risk Monitoring
     Of course, it’s not enough to have processes and procedures in place. You must also systematically monitor the risks to keep on top of changes as they happen. Firms need to evaluate whether their networks are protected, how confident they are in their system availability and continuity, whether their security is appropriate for their firm size, how well they are addressing relevant threats and how quickly they can respond to cyberattacks. To get an objective evaluation of these factors, third-party assessment is a best practice.
     Third-party vulnerability assessments on infrastructure and software:
     • Vulnerability assessments designed to yield a prioritized list of possible vulnerabilities.
     • Penetration tests to perform specific attack simulations using industry standard methodology.
     • Simulate a disgruntled insider or an attacker that has obtained internal access to the network.
     • Attempt to exploit identified vulnerabilities to determine whether malicious activity is possible.
     • Modify tests as appropriate for changes in conditions or risks.
  6. Physical Security and Limited System Access
     Digital security is not limited to the virtual world. Physical security includes standards for reception areas, perimeters, surveillance, security guards and security patrols. Special standards may be needed for securing specific types of locations and assets. Firms must ensure their locks and physical security devices meet quality expectations. In addition to performing background checks on employees, prospective employees and vendor employees, firms should issue ID cards to access facilities and ensure procedures are in place to remove access by terminated employees and vendor personnel. Lastly, policies must be in place to monitor movement of assets and investigate security violations if and when they occur. The physical security measures at a cloud provider’s data center are much more restrictive than a typical accounting firm can provide.
     Cloud data center physical security measures:
     • Electronic Motion Sensors
     • Redundant HVAC-Controlled Environment
     • Continuous Video Surveillance
     • Gas-Based Fire Suppression System
     • Biometric Access and Exit Sensors
     • Server Operations Monitoring
     • Seismically-Braced Server Racks
     • On-Premise Security Officers
     • UPS Backup Generators
     • Security Breach Alarms
  7. Ensure Systems are Actively Documented and Managed
     Sometimes security risks come from carelessness rather than any outside, malicious force. Effectively documenting and managing your system is an important part of ensuring your data is safe. And, as always, having a good policy in place is only the first step. You must also communicate and enforce your policies for them to be successful.
     Effective System Management:
     • Defined Hardware and Software Configuration Standards
     • Managed Firewalling to Protect Mission-Critical Data
     • Operating System Patch Management Processes
     • Data Retention Policies Defined and Enforced
     • Managed Backups, Including Testing Your Backups
     • Secure Password Enforcement, Including Complexity and Expiration
     • Managed Intrusion Protection Systems to Identify Malicious Activity
     • Managed Load Balancing to Distribute Workloads Across Multiple Servers
  8. Uptime Institute Tier Classification System
     What are the tiers? Uptime Institute created the standard Tier Classification System to consistently evaluate various data center facilities in terms of potential site infrastructure performance, or uptime. The below is a summary. Please see Tier Standard: Topology and accompanying Accredited Tier Designer Technical Papers for more information.
     The Tiers (I-IV) are progressive; each Tier incorporates the requirements of all the lower Tiers. Data center infrastructure costs and operational complexities increase with Tier Level, and it is up to the data center owner to determine the Tier Level that fits his or her business’s need. A Tier IV solution is not “better” than a Tier II solution. The data center infrastructure needs to match the business application, otherwise companies can overinvest or take on too much risk.
     Uptime Institute removed reference to “expected downtime per year” from the Tier Standard in 2009. The current Tier Standard does not assign availability predictions to Tier Levels. This change was due to a maturation of the industry, and understanding that operations behaviors can have a larger impact on site availability than the physical infrastructure.
     Wolters Kluwer data centers are currently required to meet Tier 3+ data center specifications.
     Source: Uptime Institute, Explaining the Uptime Institute’s Tier Classification System, https://journal.uptimeinstitute.com/explaining-uptime-institutes-tier-classification-system/
  9. Uptime Institute Tier Classification System (continued)
     • Tier I: Provides dedicated site infrastructure to support information technology beyond an office setting. Includes a dedicated space for IT systems; an uninterruptible power supply (UPS) to filter power spikes, sags, and momentary outages; dedicated cooling equipment that won’t get shut down at the end of normal office hours; and an engine generator to protect IT functions from extended power outages.
     • Tier II: Includes redundant critical power and cooling components to provide select maintenance opportunities and an increased margin of safety against IT process disruptions that would result from site infrastructure equipment failures. The redundant components include power and cooling equipment such as UPS modules, chillers or pumps, and engine generators.
     • Tier III: Requires no shutdowns for equipment replacement and maintenance. A redundant delivery path for power and cooling is added to the redundant critical components of Tier II so that each and every component needed to support the IT processing environment can be shut down and maintained without impact on the IT operation.
     • Tier IV: Adds the concept of Fault Tolerance to the site infrastructure topology. Fault Tolerance means that when individual equipment failures or distribution path interruptions occur, the effects of the events are stopped short of the IT operations.
     Source: Uptime Institute, Explaining the Uptime Institute’s Tier Classification System, https://journal.uptimeinstitute.com/explaining-uptime-institutes-tier-classification-system/
  10. Additional Resources
     • AICPA Guidance on Service Organization Control Reports: Information and toolkits regarding SOC reports. Visit AICPA.org for more information.
     • CCH Axcess™ SOC3 Report: General use report regarding security, availability and processing integrity. Visit https://cert.webtrust.org/pdfs/soc3_cch.pdf for more information.
     • Information Security Measures for CCH Axcess™: Put your IT department's concerns at ease. Visit CCHGroup.com/Axcess to download your complimentary white paper.
  11. Contact information: Wolters Kluwer, 2700 Lake Cook Road, Riverwoods, IL 60015, United States, 800-739-9998. Please visit CCHGroup.com/Axcess for more information. © 2016 CCH Incorporated and its affiliates. All rights reserved. 4/16 2016-0154-2. “When you have to be right”
