Tech Talk with Craig Peterson featuring Tyler Quinn
Craig Peterson: Welcome back to Tech Talk with Craig Peterson. We’re joined right now by Tyler Quinn. He’s a supervisor at an accounting firm called Kaufman Rossin, kaufmanrossin.com. They’ve been doing a lot of work over the many years here, since about 1962, in helping companies out. We’re going to talk a little bit about data processing and cloud security, some of the issues that come up, of course, if you are a public company. Nowadays if you even deal with a public company, you may be stuck in the Sarbanes-Oxley loop, which requires certain accounting standards and standards of data storage. Of course there’s also HIPAA regulations that if you basically have any medical information on anybody, you fall underneath, which means any business that has an employee with any sort of health issues. Gramm-Leach-Bliley is another real big one that’s out there.
They’ve been helping companies for years here. Tyler is a licensed CPA in the state of Florida. He’s also a Certified Information Systems Auditor. With all of the talk that’s been going on about cloud computing, data storage in the cloud, all of these things, these guys are a great resource to go to get more information. They’re among the top 100 CPA firms in the country. Tyler, welcome to Tech Talk with Craig Peterson.
Tyler Quinn: Thank you. Glad to be here.
Craig: We’ve had a lot of talk over the years about data in the cloud. We’ve been talking with telecom companies who are interested in getting into that business. There’s, of course, other big boys that are already here. Really, what we’re talking about is taking data, using some else’s storage to store records, maybe to do computing instead of having some of our own servers. Or in some cases, where it’s software as a service, we’re actually using their software and everything else. What kind of concerns should businesses have when it comes to using these external IT resources?
Tyler: The main concern that comes to mind is security of your data, the fact that this information is out there on servers. Often people don’t know exactly where their data resides. There is potential for that data to possibly be accessed by people who shouldn’t.
Craig: We’ll not even necessarily know that it was accessed by people who shouldn’t, because it’s pretty hard to put different types of audit procedures in place which are required, in fact, under some of these federal laws I mentioned.
Tyler: Absolutely. There are stringent requirements. Guidelines are still being developed. There’s a lot of resources out there currently to help people if they are trying to make a decision, or already have gone to the cloud, to help them evaluate the vendors who are currently providing these services.
Craig: Are we seeing any sort of an improvement when it comes to the laws regarding the security of data? I know Sony very recently had multiple breaches at multiple sites. California had some of the earliest and strictest laws about data and data loss. Is it something that’s trickling down now? Do all companies really have to pay close attention to that? Or is there a certain size where it gets to be more important?
Tyler: I would say that’s the hot topic now. Definitely the larger companies are more under the gun in this regard. However, what we’ve seen is – this is usually the case – that the market is ahead of the regulations. What we’re seeing now is that the consumers are demanding more transparency with cloud computing and better security. We actually think that the whole cloud environment and centralizing security is leading to more secure data in the long run.
Craig: There’s these SSAE 16 reports that are out now. Why don’t you tell us a little bit about how those impact businesses in general. Then, of course, with everything moving to the cloud, how does the cloud get impacted?
Tyler: OK. SSAE 16 basically – a lot of people haven’t heard of it yet. It superseded SAS 70 reports. What these reports do is it’s an independent verification of IT controls that are in place at a particular company. SSAE 16 reports focus on controls that affect financial reporting for a user entity. In response to that, the AICPA has actually come out with several other reports that you can get. The SSAE 16, although it addresses a baseline of IT controls that are in place, doesn’t really address other controls relating to security of data, availability, confidentiality, and integrity. These are all things of great importance to users, obviously.
Craig: There’s a number of different things people can do to evaluate the security of their data. We’ve only got about 45 seconds left here. There’s a number of frameworks that are out there, risk assessments, contract service level agreements. Bottom line here, Tyler, what should businesses be looking to do right now to make sure that they don’t have too much exposure?
Tyler: I would definitely do standard due diligence procedures on your vendor in terms of identifying how many customers they have, looking at references, and that sort of thing. I’d also, as a baseline, make sure that they do have an SSAE 16 report. I would go a step further. SysTrusts are the new reports out that I was talking about, where the controls will be tested over confidentiality, and privacy, and availability of data. I believe that’s very important as well. In terms of doing independent research, I would say the Cloud Security Alliance. There’s a website cloudsecurityalliance.org. They’ve got a lot of good resources to use.
Craig: We’ve been speaking with Tyler Quinn. He’s with Kaufman Rossin. They’re an accounting firm, and Tyler helps organizations ranging from 10 million dollars in size to two billion dollars addressing internal control and compliance needs. Again, kaufmanrossin.com. You’re listening to Tech Talk with Craig Peterson. We’ll be right back.
Ranked the #1 radio show in the Boston Market in its time-slot, and with more than 5,000,000 Podcast Downloads, Tech Talk with Craig Peterson is rated as the top tech show nationwide. Craig interviews top industry insiders and explains the technology secrets everyone needs to know. For more on the show, go to www.tech-talk-with-craig-peterson.com.
Tyler Quinn, CISA, CPA, is an Assurance & Advisory Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.