Open Forum

  • 1.  Should data security be a topic at the annual conference?

    Posted 04-12-2017 04:01 PM

    For those people attending the Idealliance Experience annual conference this year, I'm curious if anyone would be interested in learning more about data security and if that should be a learning track?

    There seems to be a dearth of knowledge in this area that's negatively impacting the print industry. A few examples are people claiming to have an SSAE 16 SOC 1 or SOC II certification; I hate to tell you, but there is no such thing. The AICPA has never "certified" IT infrastructure, and having worked with them directly, I'm pretty sure they never will.

    I read this in a recent release from a software company that has some web services: "With XYZ Company, all data storage and processing is performed in-house without the reliance on external data centers. At XYZ Company, the belief is in transparency and clear communication regarding security, including compliance audits at all ends of the process." Does a statement like that make you feel comfortable, or does it raise the hair on your neck?

    Do you feel like you're equipped to vet a SaaS vendor about issues such as availability, disaster recovery, and their data center/data closet assets, etc.?

    ------------------------------
    Scott Eganhouse
    V.P. Business Development
    TEC Mailing Solutions, LLC
    Sun Prairie WI
    (608) 825-8525
    ------------------------------


  • 2.  RE: Should data security be a topic at the annual conference?

    Posted 04-13-2017 11:45 AM
    Scott Eganhouse brings up a good point. The word is "Compliance" not "Certification" combined with the terms SSAE 16, Service Organization Controls (SOC) 1 or 2. I applaud Scott for raising this important subject and would personally like to see more focus on data security in a comprehensive learning track. SOC 2 however involves much more than simply data security. SOC 2 Compliance is designed to provide comfort over the following principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy (if applicable) of a System. A System is comprised of the Infrastructure, Software, People, Procedures, and Data used to complete the services provided.

    Scott, please reach out to me or our President, Kristen McKiernan, anytime, and AccuZIP can put together a comprehensive "How To" workflow presentation for companies in our industry, and share our multiple years of experience with working through the processes necessary to successfully complete our SOC 2 examination under AT Section 101, Attest Engagements (AICPA, Professional Standards) for the fourth consecutive year, along with becoming HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health) compliant this year.

    You can also share your personal experience with working through the entire Compliance processes as well. This would provide a well-rounded, in-depth presentation that the industry could adopt and implement within their organizations.

    Here is an informative article "Securing Your Customer Data" written by Toni McQuilken (http://www.printingnews.com/article/12297407/securing-your-customer-data).

    Thank you for raising this important subject.

    ------------------------------
    Steve Belmonte
    CEO
    ACCUZIP Inc.
    Atascadero CA
    805-461-7300
    ------------------------------

  • 3.  RE: Should data security be a topic at the annual conference?

    Posted 04-13-2017 04:04 PM

    Thanks for the thoughtful response, Steve. In a former work life I worked with a think tank of C-level SaaS executives brought together by the AICPA's CPA2Biz group to promote hosted solutions to various service bureaus within the financial services sector. I have a good grasp of data security and also an understanding and history of how many organizations have misused and abused these audits, which was a common discussion.

    At that time the folks at the AICPA had serious issues with people referring to the original SAS 70 protocol as a certification when it was simply an audit to check for adherence to an organization's defined policies. Since the organization defined the policies, they may adhere to best practices or they could be absolutely backward, but as long as they were documented and adhered to, you could produce a SAS 70 audit. They felt many of the organizations claiming "certification" were using it to con unsuspecting clientele that their environment met an industry-defined standard (BTW, the term certification drove them nuts and still does).

    The AICPA recognized the problem, re-branded and defined their new audit procedures under the SSAE 16 brand, and started using the term attestation front and center in lieu of the terms compliance or compliant. The new SSAE 16 audit defines a minimum set of standards, so it has a little more meaning than it did, but in my opinion it still misses the mark for some of the same reasons above. It's good to know what your solution provider is having their audit firm attest to; it may not be what you have in mind.

    If your organization relies on cloud vendors to provide solutions, an attestation is a great place to start, but I wouldn't end there. Most organizations start at a high level and get down to the nitty gritty if they have an information security officer, which is becoming more common these days.

    You'll get a good idea of how serious a company is by looking at their data center, and at a minimum I would ask for a virtual tour. They should look something like this: https://www.youtube.com/watch?v=8WFQFipCLyk

    ------------------------------
    Scott Eganhouse
    V.P. Business Development
    TEC Mailing Solutions, LLC
    Sun Prairie WI
    (608) 825-8525
    ------------------------------