Digital Security in the Cloud: Overview of Basic Security Considerations
Tax & Accounting. When you have to be right.

What Comprises Digital Security?
The AICPA has developed a set of principles for cloud providers to achieve Service Organization Control (SOC) certifications. When deciding between on-premise and cloud solutions, consider for yourself how well you are managing your firm’s IT infrastructure. Cloud providers must attest to adhering to these principles, but they can be useful for anyone who manages sensitive data.
• Is the appropriate IT management structure in place?
• Are IT policies in place and communicated?
• Are risks actively monitored?
• Is system access limited?

Appropriate IT Management Structure
A secure system requires the right personnel to manage and maintain your information technology. Whether your IT staff is in-house or outsourced to a consultant, make sure they have the right skills and proper training.
Cloud service providers must prove that they have these policies in place, but all firms should evaluate their IT management structure, even when not required.
Enact policies and processes designed to:
• Identify and hire competent personnel.
• Provide staff with the training they need to perform their jobs.
• Perform regular job evaluations to identify potential weaknesses.
• Identify opportunities for technical and professional growth.
Example IT management policies:
• Formal, written job descriptions for each full-time and contractor position.
• Formal classroom instruction, Web-based training and on-the-job employee training, including annual security training.
• Background checks for new hires.
• Mandatory training to be eligible for promotion.
• Coordinated new hire orientation program.
• Professional development programs to retain key talent.
For more information about the security measures in place for CCH Axcess™, visit CCHGroup.com/Axcess and download our complimentary Information Security Measures for CCH Axcess white paper.

IT Policies in Place and Communicated
Service providers must put into place IT policies for incident response, network security, encryption and system security standards. These policies should be reviewed at least annually, and it’s a good idea to perform vulnerability assessments to ensure the policies are being followed.
Some sample IT policies include:
• Acceptable use policy
• BYOD policy
• Encryption policy
• Enterprise security policy
• General emergency policy
• Information sensitivity policy
• Media destruction policy
• Network access policy
• Password policy
• Patch management policy
• Remote access/VPN policy
• Router security policy
• Server security policy
• Software policy
IT Fraud Controls in Place at CPA Firms
• IT fraud prevention controls: policies put in place to identify the root causes of fraud and to remove any enabling factors.
• IT fraud detection controls: identifying signs of potential fraud and stopping fraud as early as possible.
• IT fraud response: a plan for reporting fraudulent activity within the firm and communicating to clients.
• Management override controls: limitations put in place to prevent employee interference with fraud controls.
Chart values: 54%, 50%, 55%, 47%.
Source: 2015 AICPA Top 10 Technologies Survey

Active Risk Monitoring
Of course, it’s not enough to have processes and procedures in place. You must also systematically monitor the risks to keep on top of changes as they happen.
Firms need to evaluate whether their networks are protected, how confident they are in their system availability and continuity, whether their security is appropriate for their firm size, how well they are addressing relevant threats and how quickly they can respond to cyberattacks.
To get an objective evaluation of these factors, third-party assessment is a best practice.
Third-party vulnerability assessments on infrastructure and software:
• Vulnerability assessments designed to yield a prioritized list of possible vulnerabilities.
• Penetration tests to perform specific attack simulations using industry standard methodology.
• Simulate a disgruntled insider or an attacker that has obtained internal access to the network.
• Attempt to exploit identified vulnerabilities to determine whether malicious activity is possible.
• Modify tests as appropriate for changes in conditions or risks.

Physical Security and Limited System Access
Digital security is not limited to the virtual world. Physical security includes standards for reception areas, perimeters, surveillance, security guards and security patrols. Special standards may be needed for securing specific types of locations and assets. Firms must ensure their locks and physical security devices meet quality expectations. In addition to performing background checks on employees, prospective employees and vendor employees, firms should issue ID cards to access facilities and ensure procedures are in place to remove access by terminated employees and vendor personnel. Lastly, policies must be in place to monitor movement of assets and investigate security violations if and when they occur.
The physical security measures at a cloud provider’s data center are much more restrictive than a typical accounting firm can provide.
• Electronic Motion Sensors
• Redundant HVAC-Controlled Environment
• Continuous Video Surveillance
• Gas-Based Fire Suppression System
• Biometric Access and Exit Sensors
• Server Operations Monitoring
• Seismically-Braced Server Racks
• On-Premise Security Officers
• UPS Backup Generators
• Security Breach Alarms

Ensure Systems are Actively Documented and Managed
Sometimes security risks come from carelessness rather than any outside, malicious force. Effectively documenting and managing your system is an important part of ensuring your data is safe. And, as always, having a good policy in place is only the first step. You must also communicate and enforce your policies for them to be successful.
Effective System Management
• Defined Hardware and Software Configuration Standards
• Managed Firewalling to Protect Mission-Critical Data
• Operating System Patch Management Processes
• Data Retention Policies Defined and Enforced
• Managed Backups, Including Testing Your Backups
• Secure Password Enforcement, Including Complexity and Expiration
• Managed Intrusion Protection Systems to Identify Malicious Activity
• Managed Load Balancing to Distribute Workloads Across Multiple Servers
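The list above names managed backups "including testing your backups" as a control, but the deck does not show what a backup test looks like. The script below is an added example in Python, not code from the deck or from CCH Axcess: it writes a gzip tarball with a SHA-256 manifest, restores it into a scratch directory, and compares every restored file against the manifest, so a nightly job can alert the moment a restore no longer matches what was backed up. The archive layout, the function names (create_backup, verify_restore) and the sample files are my own constructions.

```python
"""Backup integrity check: build an archive with a SHA-256 manifest, then prove
it restores cleanly. Added illustration; not code from the original deck."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    """Manifest lives beside the archive, e.g. firm-data.tar.gz.manifest.json."""
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source plus a manifest; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore into a scratch directory and compare every file to the manifest.
    The returned report is what a scheduled job would log or alert on."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse members that would write outside the restore directory.
            for member in tar.getmembers():
                target = (scratch_dir / member.name).resolve()
                if scratch_dir not in target.parents:
                    raise ValueError(f"unsafe member path: {member.name}")
            # Python 3.12+ ships a 'data' extraction filter; older versions
            # rely on the path check above.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch_dir, **opts)
        restored = build_manifest(scratch_dir)
    corrupt = sorted(f for f, d in manifest.items() if f in restored and restored[f] != d)
    missing = sorted(f for f in manifest if f not in restored)
    unexpected = sorted(f for f in restored if f not in manifest)
    return {
        "expected": len(manifest),
        "restored": len(restored),
        "corrupt": corrupt,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (corrupt or missing or unexpected),
    }


def demo() -> dict:
    """Constructed sample data: a clean backup, then the same backup with a
    stale digest in its manifest, to show that the check fails loudly."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "firm-data"
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "2024-q1.csv").write_text("client,amount\nA,100\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        archive = work_dir / "firm-data.tar.gz"
        create_backup(source, archive)
        clean = verify_restore(archive)
        # Simulate drift between the record and the restore: alter one digest.
        m = json.loads(manifest_path(archive).read_text())
        m["ledger/2024-q1.csv"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(m))
        drifted = verify_restore(archive)
    return {"clean": clean, "drifted": drifted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see both reports: the first comes back with ok true, the second has ok false and lists the affected file under corrupt. The point of restoring into a fresh directory rather than just reading the archive header is that it exercises the same path an operator would use under pressure; the member path check and the data filter keep that restore step from being turned against the host by a malformed archive.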

Uptime Institute Tier Classification System
What are the tiers?
Uptime Institute created the standard Tier Classification System to consistently evaluate various data center facilities in terms of potential site infrastructure performance, or uptime. The below is a summary. Please see Tier Standard: Topology and accompanying Accredited Tier Designer Technical Papers for more information. The Tiers (I-IV) are progressive; each Tier incorporates the requirements of all the lower Tiers.
Data center infrastructure costs and operational complexities increase with Tier Level, and it is up to the data center owner to determine the Tier Level that fits his or her business’s need. A Tier IV solution is not “better” than a Tier II solution. The data center infrastructure needs to match the business application, otherwise companies can overinvest or take on too much risk.
Uptime Institute removed reference to “expected downtime per year” from the Tier Standard in 2009. The current Tier Standard does not assign availability predictions to Tier Levels. This change was due to a maturation of the industry, and understanding that operations behaviors can have a larger impact on site availability than the physical infrastructure.
Wolters Kluwer data centers are currently required to meet Tier 3+ data center specifications.
Source: Uptime Institute, Explaining the Uptime Institute’s Tier Classification System, https://journal.uptimeinstitute.com/explaining-uptime-institutes-tier-classification-system/

Uptime Institute Tier Classification System (continued)
Tier I: Provides dedicated site infrastructure to support information technology beyond an office setting. Includes a dedicated space for IT systems; an uninterruptible power supply (UPS) to filter power spikes, sags, and momentary outages; dedicated cooling equipment that won’t get shut down at the end of normal office hours; and an engine generator to protect IT functions from extended power outages.
Tier II: Includes redundant critical power and cooling components to provide select maintenance opportunities and an increased margin of safety against IT process disruptions that would result from site infrastructure equipment failures. The redundant components include power and cooling equipment such as UPS modules, chillers or pumps, and engine generators.
Tier III: Requires no shutdowns for equipment replacement and maintenance. A redundant delivery path for power and cooling is added to the redundant critical components of Tier II so that each and every component needed to support the IT processing environment can be shut down and maintained without impact on the IT operation.
Tier IV: Adds the concept of Fault Tolerance to the site infrastructure topology. Fault Tolerance means that when individual equipment failures or distribution path interruptions occur, the effects of the events are stopped short of the IT operations.
Source: Uptime Institute, Explaining the Uptime Institute’s Tier Classification System, https://journal.uptimeinstitute.com/explaining-uptime-institutes-tier-classification-system/

Additional Resources
AICPA Guidance on Service Organization Control Reports: information and toolkits regarding SOC reports. Visit AICPA.org for more information.
CCH Axcess™ SOC3 Report: general use report regarding security, availability and processing integrity. Visit https://cert.webtrust.org/pdfs/soc3_cch.pdf for more information.
Information Security Measures for CCH Axcess™: put your IT department's concerns at ease. Visit CCHGroup.com/Axcess to download your complimentary white paper.