Scott Eganhouse brings up a good point. The word is "Compliance," not "Certification," when combined with the terms SSAE 16 and Service Organization Controls (SOC) 1 or 2. I applaud Scott for raising this important subject and would personally like to see more focus on data security in a comprehensive learning track. SOC 2, however, involves much more than simply data security. SOC 2 Compliance is designed to provide comfort over the following principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy (if applicable) of a System. A System comprises the Infrastructure, Software, People, Procedures, and Data used to complete the services provided.
Scott, please reach out to me or our President, Kristen McKiernan, anytime, and AccuZIP can put together a comprehensive "How To" workflow presentation for companies in our industry, and share our multiple years of experience working through the processes necessary to successfully complete our SOC 2 examination under AT Section 101, Attest Engagements (AICPA, Professional Standards) for the fourth consecutive year, along with becoming HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health) compliant this year.
You can also share your personal experience with working through the entire Compliance processes as well. This would provide a well-rounded, in-depth presentation that the industry could adopt and implement within their organizations.
Here is an informative article "Securing Your Customer Data" written by Toni McQuilken (http://www.printingnews.com/article/12297407/securing-your-customer-data).
Thank you for raising this important subject.
------------------------------
Steve Belmonte
CEO
ACCUZIP Inc.
Atascadero CA
805-461-7300
------------------------------
Original Message:
Sent: 04-12-2017 03:17 PM
From: Scott Eganhouse
Subject: Should data security be a topic at the annual conference?
For those people attending the Idealliance Experience annual conference this year, I'm curious if anyone would be interested in learning more about data security and if that should be a learning track?
There seems to be a dearth of knowledge in this area that's negatively impacting the print industry. A few examples are people claiming to have an SSAE 16 SOC 1 or SOC II certification. I hate to tell you, but there is no such thing. The AICPA has never "certified" IT infrastructure, and having worked with them directly, I'm pretty sure they never will.
I read this in a recent release from a software company that has some web services: "With XYZ Company, all data storage and processing is performed in-house without the reliance on external data centers. At XYZ Company, the belief is in transparency and clear communication regarding security, including compliance audits at all ends of the process." Does a statement like that make you feel comfortable, or does it raise the hair on your neck?
Do you feel like you're equipped to vet a SaaS vendor about issues such as availability, disaster recovery and their data center/data closet assets, etc?
------------------------------
Scott Eganhouse
V.P. Business Development
TEC Mailing Solutions, LLC
Sun Prairie WI
(608) 825-8525
------------------------------