
When choosing a managed cloud service provider, it's important to consider the implications of SOC 1 and SOC 2 compliance.

Why SOC Compliance Matters When Choosing An MSP

If you're in a service industry, chances are you've run into the term SOC compliance. Some of you may have undergone a SOC 1 or SOC 2 compliance audit.

As remote work becomes increasingly popular, companies are choosing to adopt managed IT services and cloud-based platforms.

However, even companies that undergo SOC audits themselves often don't consider how important SOC compliance is when choosing a managed service provider.

What is SOC Compliance?

For those of you who don’t know or are wondering about SOC compliance, here’s a quick overview.

There are two main types of SOC compliance audit: SOC 1 and SOC 2. There is also a SOC 3, but it uses the same reporting as SOC 2 and is designed for public consumption.

A System and Organization Controls 1 audit, or SOC 1, tests the internal controls a service organization uses to protect sensitive client data. More specifically, a SOC 1 audit tests the internal controls that could affect clients' financial reporting.

SOC 2 compliance audits were developed by the American Institute of CPAs and exist to make sure a service organization's controls for security, integrity, confidentiality and privacy are up to standard.

Service companies like financial and CPA firms benefit from SOC compliance in the same way MSPs do.

What are the Benefits of SOC Compliance?

A service organization goes through a lot of scrutiny when it comes to compliance. SOC reports are among the most important pieces of information for a financial firm or CPA. They verify that the appropriate controls are in place and that those controls work effectively and securely.

For a financial firm it's an invaluable tool, and the same applies to an MSP. When you contract a managed services provider, you're onboarding a new IT team. How integrated that IT team is depends on whether you choose a co-managed plan or not. Either way, you're making these service providers a part of your company.

Therefore, your firm is entrusting an MSP with highly confidential client information to one degree or another. That means your prospective provider should be able to comply with a SOC audit as well.

Benefits of SOC I Compliance

There has been a steady increase in SaaS adoption across a variety of industries. Before the 2020 pandemic, Gartner had predicted that SaaS would grow 10.5 percent in 2020. With companies forced to operate remotely, cloud and SaaS services became even more essential.

With a SOC I audit you can evaluate your provider’s policies and procedures, which is pivotal to running your operation. If they’re going to be the IT arm of your firm, they should be subject to the same regulations and systems checks.

Building Trust

Being able to check and validate a company's security controls creates trust between you and your provider. A SOC 1 audit is proof that your MSP has the proper tools to protect both your data and your clients' data.

Establishes Organization & Accountability

SOC 1 compliance audits can be costly and rigorous. However, when an MSP serves multiple client organizations with a multitude of users, keeping track of the right data becomes difficult. A SOC 1 audit provides you, the client, with a report for review that saves time and money and makes your MSP's processes transparent.

Opportunities for Identifying Weaknesses and Improvement

Managed services providers are like any other company: they are subject to inefficiencies and faulty processes that can bring the quality of their services down. There are plenty of MSPs that believe their controls and systems are enough and don't need improving. However, as a potential client, it's difficult to determine the security and efficiency of an MSP until something goes wrong.

An independent audit of your MSP will also streamline your company's internal processes, because you don't have to waste time searching for documents and paperwork if anything goes wrong. Moreover, if any security protocols are not on par with SOC 1 standards, the MSP should be proactive enough to adjust and improve where necessary.

If there is a malware attack, for example, you can rest easy knowing the proper controls are in place to prevent it from causing damage.

Cyber Security Protection

According to a VMware survey, cyberattacks and breaches have both increased in volume over the past 12 months; 88 percent of North American respondents said they saw an increase in overall cyberattacks as a result of employees working from home. In other words, cyber protection has become more important than ever as companies learn to navigate a remote environment.

A SOC 1 audit gives you an understanding of your MSP's business and security processes, and your clients will have greater confidence in your firm. Don't be fooled by a provider that promises complete and reliable cyber security when it's unable to provide evidence to support that claim. Ultimately, it is your firm that will end up paying for the wrong MSP's cyber security deficiencies.


What is SOC 1 & SOC 2 Compliance?

What Are SOC 1 and SOC 2 Reports?

Service organizations, like financial advisers and accounting firms, are required to meet compliance requirements. The two most common compliance frameworks are SOC 1 and SOC 2. But what exactly are they? More importantly, how exactly do SOC 1 and SOC 2 work?

SOC 1

Service Organization Control 1, or SOC 1, reports are for businesses that handle financial information for their clients; such businesses are also known as service organizations. The report ensures that financial information is managed securely by the business itself.

In other words, SOC 1 reports assure customers that your business has the appropriate controls in place to protect their financial information. SOC 1 comes in two forms: Type 1 and Type 2 reports.

The report is conducted by a third-party SOC audit service and usually applies to businesses that provide finance-related services.

The SOC 1 report focuses on the service organization's controls and on key control objectives decided by the organization.

A SOC 1 report is part of the Statement on Standards for Attestation Engagements (SSAE) 18, AT-C Section 320. SOC 1 reports were established by the American Institute of Certified Public Accountants (AICPA).

The purpose of SOC is to evaluate service controls. However, a service organization is responsible for deciding the key control objectives for the services it provides to clients. Control objectives refer to business processes (controls concerning the processing of client information) and IT processes (controls concerning the security of client information).

An example of a service organization that needs a SOC 1 report is a company that offers payroll services to clients. Typically, outsourced services provide their customers or clients with a SOC 1 report as proof that they have reliable internal controls in place.

Type I Reports vs Type II Reports

Before we get to SOC 2, let's go into the report types. A Type 1 exam evaluates the design of controls as of a particular date.

A Type 2 exam also evaluates the design of controls, but additionally tests the operation of those controls over a period of time. The Type 2 exam covers a minimum of six months.

Type I reports

Essentially, Type 1 reports allow auditors to perform risk assessments and let businesses know they can perform critical assessment procedures. The report describes an organization's system and how it works to achieve the goals of clients and customers. These reports also test how controls achieve specific objectives as of a chosen date.

Type II

A Type 2 report demonstrates the effectiveness of those controls over a period of time. Type 2 reports are a review of an organization's internal controls over a period of 6 to 12 months and include an in-depth review of those controls.

Once an organization undergoes the audit, it is audited on an ongoing basis, either annually or semi-annually. Additionally, a Type 2 report analyzes an organization's environment to evaluate whether the design and functionality of its internal controls are effective.

SOC 2

The difference between a SOC 2 report and a SOC 1 report is that the SOC 2 report addresses an organization's controls pertaining to operations and compliance standards. The AICPA developed the Trust Services Criteria, or TSC, which define the standards for trustworthy controls.

Security, processing integrity, availability, privacy and confidentiality are the five TSC categories. However, the only one required in a SOC 2 is security.

So a service organization can choose a SOC 2 report that covers only security or all five TSC categories, depending on its specific audit requirements.

SOC 1 & 2 AICPA regulations value security, privacy, confidentiality, processing integrity and availability.

In Summary

  • SOC 1 reports deal with internal controls pertinent to the audit of a service organization's clients' financial statements.
  • A SOC 1 audit allows service organizations to report on and examine internal controls that pertain to their customers' financial statements.
  • SOC 2 reports deal with a service organization's controls pertinent to its operations and compliance. This is detailed by the AICPA's Trust Services Criteria (TSC).
  • A SOC 2 audit covers a combination of five distinct criteria: security, availability, processing integrity, confidentiality and privacy.

For more content regarding compliance, cyber security, cloud technology, news and more, visit our blog.


Compliance on the Cloud 101

What is Compliance?

Compliance can be an issue for anyone using cloud storage or backup services. When you transfer data from your internal storage to a cloud provider's, you must examine how that data is stored so that you stay in compliance with laws and regulations. Financial cloud computing, for example, requires IT SOX compliance to ensure quality of service.

In 2002 the Sarbanes-Oxley Act (SOX) was implemented as a response to huge accounting scandals. Companies like Enron, Global Crossing and others misled investors and cost shareholders billions of dollars. This, in turn, changed the IT world forever. What does this have to do with IT? It changed how we approach things like storage, data, security and other functions.

Cloud compliance is, simply put, the principle that a cloud-based system must comply with the same standards that the cloud customer is subject to.

Compliance departments ensure that businesses conform to established rules, so it's important to understand, when switching over to a cloud service, how and in what ways the cloud meets compliance standards. Luckily, there are cloud providers that ensure compliance with regulations like SOX.

If you're in the financial services industry, there are a few things to think about when considering an IT solutions cloud provider.

How Compliance Works

A global survey conducted by Veritas Technologies, a data management company, revealed that of the 1,200 businesses surveyed across 13 countries, 69 percent (828 organizations) wrongly believed that data protection, data privacy and compliance are the responsibility of the cloud service provider.

They aren't.

When it comes to cloud compliance, you need to be aware of the data you should move to the cloud and the data that should remain in house, the questions you need to ask of your cloud provider, and what should be written into a service-level agreement (SLA) to maintain industry compliance.

When SOX was first written, it explicitly left out how its requirements should be met. This ensured that industries could adopt the most recent technology instead of having to wait for lawmakers to catch up. Because of this, the cloud is a viable infrastructure for financial companies that are forced to adhere to compliance rules.

The way IT departments store records changed due to the implementation of SOX. The regulations state what kind of information relating to SOX compliance needs to be stored. Electronic records and messages, spreadsheets and emails are considered valuable and fall under the regulation.

It's important that you not take this for granted, and that you evaluate your SLAs with the provider.

The first thing organizations need to do is be aware of the type of services they use. There may be certain information that's regarded as highly confidential, and a company may decide to keep it on an internal network. Or, if it is moved to the cloud, it'll be a private cloud hosted on the premises.

Nerds Support has a hybrid cloud in a secure location with military-grade security.

Ensuring Cloud Compliance

Once your company has decided what information is to be transferred to the cloud, look at the contracts you have with your cloud provider. Depending on whether the cloud is internal or external, the approach will be slightly different. If it's external, you have to make sure both you and the provider are clear about what type of data should reside on their cloud services and how they'll protect that data. If it's an internal cloud, are you going to have an internal compliance checklist to make sure you're within the regulatory standards?

With cloud financial services, customers and cloud providers share the responsibility for maintaining compliance. It's the duty of the organization to investigate the security policies of the vendor.

Important questions to ask include:

  • Where is data stored?
  • Who has access to the storage areas or data centers?
  • How is my data protected?

Service Organization Controls

In some cases, companies can look at providers that certify compliance and choose their services without any further research. There are times, however, when a company will have to be more thorough and get involved in the cloud provider's security to make sure it complies with industry standards. When it comes to SOX compliance, you should look for a vendor that provides you with a Service Organization Controls report.

This report enables a user auditor to evaluate the audit risks associated with using a financial cloud provider.

It's also important to establish and verify benchmarks that help check the effectiveness of the security around your data in the cloud. Make sure your provider uses federal government guidelines for cloud security if it's based in the US.

To avoid miscommunication between your cloud provider and your organization, take the time to classify your data by level of importance, carefully deciding what is suitable for the cloud and what needs to remain internally stored. Have the right contracts and go through them, establishing what will be covered under the provider's services and how they'll protect and back up your data. A business continuity plan is also imperative, just in case of any hiccups.

Nerds Support has cloud services that comply with financial regulations.

Contact us today to schedule a free IT assessment that can identify gaps in your IT infrastructure.


How Financial Firms Can Digitize & Stay Competitive

Financial organizations are using financial cloud computing technologies to remain competitive, as new research reveals that banking and finance are becoming more dependent on emerging technology.

Early on, cloud technology was adopted by small start-ups that didn't have legacy architecture in place or the resources necessary to develop their own on-site IT. Now, larger institutions are moving to the cloud as well. Financial cloud computing stems from the growth of modern cloud providers, which have better security, compliance controls and privacy features. Furthermore, a modern cloud provider can automate many of the manual tasks that could put companies at risk if done improperly. Companies use the cloud to meet compliance and cybersecurity standards. Although the transition to the cloud requires upfront investment, for many financial firms the change means more than cutting costs.

Changing Demographic & Tech

56 million Millennials (ages 23-37) were working or looking for work in 2017, according to the Pew Research Center, making them the largest portion of the U.S. labor force. This means Millennials are becoming the largest drivers of the economy. Millennials are on average more technologically savvy than previous generations and have driven growth towards a more digital economy.

Banks and other financial institutions must adapt to account for this new trend. Digital banking users increased from 26% to 51% between 2012 and 2017, according to the U.S. Federal Reserve. Consumers are banking digitally, meaning through desktops, laptops, tablets and smartphones.

82% of consumers ages 18-24 were using mobile banking platforms in 2017, indicating a shift towards a more personalized banking experience. They also want to sign up for banking services without needing to visit a physical branch.


The Rise of Mobile Banking

Based on a 2018 survey, PwC, a professional services firm, found that mobile users grew from 10% in 2017 to 15% in 2018. This means mobile banking is becoming more popular as time passes. Taking all of these statistics into account, banks should adjust their priorities towards increasing and personalizing digital banking services. There is growing competitive pressure from companies like Alibaba and financial start-ups to go digital in how companies function and engage with customers. The goal is to make banking services available to people in remote locations who may otherwise be unable to access local branches.

Digitalization

Digitalization is also far less expensive than banking in a traditional brick-and-mortar branch. PwC's report titled Bank of the Future: Finding the right path to digital transformation mentions how some banks create fully digital native banks that use a completely digital customer interface and back end.

The report also says that branch transactions cost about $4 each, while online transactions cost $0.09 and mobile transactions cost $0.19. Automation is the biggest growth channel for many businesses across the board.

Going digital makes banks more agile as well. It allows them to quickly adapt to changing customer trends and tastes. Going digital also provides a testing ground for new services and products where a bank would otherwise have to commit to a strategy and hope it's successful.

Financial Cloud Computing

It's possible to use modern IT infrastructure to set up a digital bank using third-party architecture, also known as cloud services or cloud computing. In other words, one can set up an entirely digital bank without the need for internal IT, which would be a huge financial barrier. Instead, one may outsource hardware, software and maintenance to a cloud provider, further decreasing costs and risks.

The true benefits of the cloud appear as teams use these features to operate in more dynamic, agile and efficient ways. The cloud uses virtual machines, computers implemented in software, to share and distribute new projects across platforms and devices.

The main reasons companies are adopting the cloud are to improve mobile access and collaboration. Collaboration services improve workplace efficiency and communication and, overall, improve the bottom line. Companies that migrated to the cloud experienced 19.3 percent faster growth than those that hadn't.

Furthermore, the average financial services firm uses 1,004 different cloud services, according to a study by Skyhigh. The survey covered 3.7 million finance employees across more than 14,000 cloud services. The report was anonymous and tracked the usage data of employees of banks, insurance companies, investment firms and similar organizations. The fastest-growing cloud service category in the industry is collaboration, which includes programs like Microsoft Office, Gmail and Evernote.

Security & Compliance: IT Solutions for Finance

While this might sound exciting, it means nothing in an industry as heavily regulated as finance. Less than 0.1 percent of financial firms using the cloud meet compliance requirements and security standards. IT solutions for financial institutions are subject to human error as it is. But many cloud providers lack the experience and expertise to help manage the highly sensitive data financial institutions must keep secure for their clients. Choosing the wrong provider could mean failure to comply with PCI DSS, SOX and GLBA standards. This means looking for a provider that specializes in high-end security and complies with these regulations with extreme care. A cloud provider you can trust means a firm your clients can trust as well.

A secure cloud means not only compliance but also proactive, preventative IT solutions designed specifically for financial firms. Even secure cloud services pose a risk. A hacker can gain access to data stored in the cloud using login credentials obtained through targeted social engineering or malware. It's common practice for users to rely on the same passwords across multiple online accounts: 31 percent of people reuse the same passwords, according to a University of Cambridge study.

Multi-factor Authentication

A hacker could gain access to an employee's Instagram or Twitter account and use those credentials to log in to other cloud accounts. Look for a cloud service with multi-factor authentication; this decreases the likelihood of this happening. For example, with a multi-factor authentication process, even if an employee's password were obtained, the employee would receive a notification on their mobile device requesting authorization. If authorization isn't given through the device, the user cannot gain access.

Some cloud service providers, like Nerds Support, use programs that require users to change their passwords every month, further decreasing the chances of a breach. The same Cambridge study also revealed that users rely on the same 20 insecure passwords as login credentials. Changing passwords periodically forces the user to create new and distinct login credentials. Highly trained systems engineers can provide further insight into crafting strong passwords that are known to no one except the user.


Nerds Support has 17+ years of experience helping financial institutions digitalize while meeting important IT compliance requirements.

Do What’s Best for Your Firm

It's important to understand that digitizing everything is not necessarily the best option. Each bank is different and has different strengths and core capabilities. You might not be in a position to undertake a full digital overhaul.

To succeed in digitizing where others fail, define and evaluate your long-term strategy. PwC suggests you consider these questions:

  • What do we want to be known for?
  • What consumer segments are we targeting?
  • What are our core capabilities, and how can a digital strategy strengthen them?

Many industries are also on the way towards digitization in order to appeal to Millennials and the Gen Z cohort following behind them. This also means that adopting a digital infrastructure is going to be pivotal in business-to-business (B2B) interactions.

Having outdated or incompatible business models may become a deterrent to the industries you want to serve. Conversely, an updated, innovative structure may appeal to start-ups or bigger companies that are looking to change and want to work with institutions they feel will help them achieve their goals.

Contact Nerds Support today for a complimentary IT assessment where we identify gaps and areas of opportunities in your IT infrastructure.

Transform your team into an agile, lean, modern work environment with Nerds Support’s IT Solutions.