That is, who is actually involved in providing the services and are they the same entity (or entities) that are processing or storing data?
In the case of aggregators, for example, a Cloud user could be dealing with a single entity which itself is provided services by various third parties.
The Add-On Dilemma?
Recently, many Cloud accounting providers, chose to only offer core features. This leads to of the required business functions, are now provided by a range of Add-On providers. You now need to ensure that you perform due diligence on all providers; required to support your operational requirements.
For example, a review of terms should seek to assess issues such as:
- The parties in the Cloud stack not just the contracting parties and their roles, rights and obligations, especially regarding data, its processing, storage location, and ownership;
- Whether each party has the rights required from other parties in the Cloud stack;
- The capabilities and liability of other parties in the Cloud stack;
- Backup/restoring data and disaster recovery plans;
- Service levels and what happens if the internet is unavailable;
- Continuous availability of services for business continuity;
- Treatment of data on termination/insolvency;
- What happens in the event of a security breach?, client reporting obligations; and
- Issues such as change of control, service levels, service credits, audit rights, compliance with security standards, procedures in the event of a breach, force majeure.
If you cannot get answers to all these question then you should consider the Google example below as a typical response for most Cloud providers, and make the appropriate assessment.
Google Apps noted that “... Google and its licensors make no warranty of any kind, whether express, implied, statutory or otherwise, including without limitation warranties of merchantability, fitness for a particular use and/or non-infringement. Google assumes no responsibility for the use of the service(s). Google and its licensors make no representations about any content or information made accessible by or through the service. Google makes no representation that Google (or any third party) will issue updates or enhancements to the service. Google does not warrant that the functions contained in the service will be uninterrupted or error-free.”
Google also has a complex set of corporate relationships where the Australian licenced Google Entity, which in fact may not actually be involved in any Google related activity, typically one can find that one is actually using a foreign Google entity located in Island or Bermuda, rather than the Australian Entity, even if the transaction is totally inside Australian jurisdiction.
Specific Security questions for your cloud providers:
- Where is the data hosted, and if outside of Australia is there documented support to meet APP8
- Is all data encrypted in transit, i.e. is it possible to access the site via http:?
- Is all data encrypted at rest, on-line and archive (should be a minimum of AES256)
- If encryption is used are the keys unique, and under the exclusive control of the Practice
- Is there support for Industry standard Multi Factor Authentication(MFA)
- Can MFA support be mandated on all outside of Australia logins to support APP8
- Does the system support industry standard mandatory password changes, on at least every 60 day basis
- Is the system PCI or ISAE3402 certified.
Perform the due diligence, ask the questions, and then assess the Risk vs Benefit..
There is nothing new about Cloud outsourcing, just need to understand the risks for your practice and your PE liability for your clients data, especially the cyber crime related liabilities. The above general questions are designed to assist with this risk assessment.
Disclaimer The contents of this site should not be understood to be accounting, legal or security advice but rather as general educational information that may or may not meet your specific requirements. You are advised to always seek professional advice to meet your specific requirements.