Compliance in the Cloud – Their System; Your Responsibility

Can you outsource compliance to the cloud?

Outsourcing IT to a cloud service provider can be tremendously beneficial for a business. The model allows an organization to offload not just IT infrastructure costs, but also the costs of developing and maintaining all of the practices and processes involved in managing that infrastructure and those systems. There is tremendous responsibility in handling everything from platforms and infrastructure to creating best practices for maintenance, managing scalability and growth, forecasting bandwidth requirements, implementing and monitoring security compliance, creating effective and comprehensive disaster recovery plans, and more.

The question that needs to be asked is whether HIPAA, PCI DSS or any other compliance requirements, and the complexities, risk and legalities that come along with them, can also be outsourced to the CSP. For that matter, can any real level of responsibility be fully outsourced, such that the liability for non-performance or noncompliance is also fully shifted?

Ummm. No. It is still your problem.

What too many companies really don’t understand is that they aren’t eliminating risk by moving to the cloud, and the obligation to meet various compliance requirements really can’t be outsourced. Particularly in this area, businesses need to recognize that outsourcing certain functions doesn’t reduce or eliminate responsibility or liability. On the contrary, it can make things more difficult if you don’t keep close tabs on how the provider implements and is involved with your solution. Even beyond that, what is the impact to the business operation when requirements are not met? Cost recovery from the provider may be one option, but how does that help the business remain operating in the meantime?

“Gramm-Leach-Bliley (GLB) Act  Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third-party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.

Sarbanes-Oxley Act (SOX)  Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.”

source: CIO.com

This discussion isn’t limited just to compliance with regulations (at least it shouldn’t be)

In this conversation we also need to address what a business should do to protect and preserve its information assets (data!) even beyond what the CSP offers. Keeping confidential and private information secure and protecting the data of the business (and of its clients, patients or other entities) is essential, even when the CSP fails in its obligations or abilities. This aspect of disaster recovery and continuity planning is not often considered by the CSP, yet it remains critical to the business customer. The sales pitch never really delves into this area, because it represents an aspect of service coverage that the provider simply can’t provide.

Illustrating this particularly difficult aspect of outsourcing to the cloud is the hard lesson learned by customers of a QuickBooks hosting provider who experienced a severe outage due to a ransomware attack. The hosting provider promised customers it backed up their data, and it did, but the backup archives were also compromised. In order to restore service, customers were expected to have their own backups of the cloud-hosted data.

While there may have been items in the service agreement which address these issues, I can say – based on a great deal of experience in just this area – the service providers rarely make this point very clear to customers, and more frequently tell customers backing up their data is no longer something they need to really worry about. It’s like that really tiny type at the bottom of a contract that nobody notices until it is too late.

“…restoration proved more difficult in Texas. Lezama explained that for the Texas clients, the backups had been compromised as well, because their backup data had synchronized with corrupt files. But Cloudnine clients are obligated [to] back up their own data as well, as a sort of third-level security measure…”

source: AccountingToday
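The failure mode in the quote above, a backup that merely synchronizes with the live files and therefore inherits the encrypted versions, is worth seeing concretely. The following is an added example, not code from the original post or from any hosting provider: a constructed in-memory comparison of a mirror-style sync against a customer-held, versioned backup with a hash manifest. The file name, contents and the byte-flipping stand-in for ransomware are all constructed.

```python
"""Added example: a mirror sync is not a backup once ransomware has run.
The sync copies whatever the live file currently holds, so the encrypted
version overwrites the only copy. A versioned backup keeps every prior
state, and a hash recorded before the incident identifies which version
is still the known-good one. Everything here is constructed in memory."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fake_ransomware(data: bytes) -> bytes:
    """Constructed stand-in for an encrypting attack: inverts every byte."""
    return bytes(b ^ 0xFF for b in data)


@dataclass
class MirrorSync:
    """Provider-style sync: the stored copy always equals the live copy."""
    store: Dict[str, bytes] = field(default_factory=dict)

    def sync(self, live: Dict[str, bytes]) -> None:
        self.store = dict(live)

    def restore(self, name: str) -> bytes:
        return self.store[name]


@dataclass
class VersionedBackup:
    """Customer-held backup: append-only history of (hash, bytes) per file."""
    versions: Dict[str, List[Tuple[str, bytes]]] = field(default_factory=dict)

    def snapshot(self, live: Dict[str, bytes]) -> None:
        for name, data in live.items():
            hist = self.versions.setdefault(name, [])
            if not hist or hist[-1][0] != sha256(data):   # only store changes
                hist.append((sha256(data), data))

    def restore_known_good(self, name: str, good_hash: str) -> Optional[bytes]:
        """Walk back through history to the newest version matching the
        hash recorded before the incident; re-hash it to rule out tampering."""
        for h, data in reversed(self.versions.get(name, [])):
            if h == good_hash and sha256(data) == h:
                return data
        return None


def scenario() -> Dict[str, object]:
    original = b"ledger: opening balance 1000"          # constructed content
    live = {"company.qbw": original}
    good_hash = sha256(original)                          # manifest kept offline
    mirror, versioned = MirrorSync(), VersionedBackup()
    mirror.sync(live); versioned.snapshot(live)           # normal backup cycle
    live["company.qbw"] = fake_ransomware(live["company.qbw"])   # incident
    mirror.sync(live); versioned.snapshot(live)           # next cycle runs as usual
    return {
        "mirror_restores_good": sha256(mirror.restore("company.qbw")) == good_hash,
        "versioned_restores_good": versioned.restore_known_good("company.qbw", good_hash) == original,
        "versions_kept": len(versioned.versions["company.qbw"]),
    }
```

The mirror restores only the encrypted file, while the versioned store still returns the pre-incident ledger because its history and the offline hash were never overwritten.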

With compliance in the cloud, it’s their system, but your responsibility.

Outsourcing IT to a cloud service provider in no way eliminates or reduces the obligations of the business to manage certain aspects of its information systems and data. What outsourcing can do is deliver greater operational capacity and agility more affordably.

The responsibilities to establish information and systems management practices and processes remain firmly with the business, and actually represent a strategic component of the business that is unwise to outsource anyway. Resilience in a business and its ability to conform to regulatory and other requirements are the foundations of sustainability. Remember that cloud providers and services can be leveraged to improve certain cost and system performance metrics, but it remains solely with the business customer to find ways to reduce risk and create a greater assurance of continued operational capability.

Make Sense?

J

In Bookkeeping, Accounting, and Information Technology: The Value of Outsourcing

The Value of Outsourcing

The small-business market, unlike the mid-market and enterprise markets, utilizes the general services of public accountants in much greater volume and typically for more fundamental business services, such as bookkeeping and daily process support. Larger organizations typically employ accounting and bookkeeping departments and/or in-house personnel, and rely on outside accounting professionals for higher-level work. Small businesses, on the other hand, want to hand off much more of the core bookkeeping and checkbook management functions to their public accountant. This creates a volume of fairly mechanical work which can be burdensome and not terribly profitable for many CPA firms. But this level of work is of significant value to the small business owner, and thus the value of outsourcing to the accounting professional should be clear.

CPA firms started to step away from bookkeeping activities (in the 1980s or so), reserving their time for compliance, audits, and other engagements referred to as the “higher level work”. As business accounting became more complex (largely due to advances in information management technologies as well as accounting and tax regulations, which generated a LOT more detailed information to “account” for), many professional firms saw a need to focus on their core offerings, and not on the lower-level bookkeeping and record-keeping activities. As a result, the emerging cottage industry of bookkeeping service providers grew in power and numbers, and came to represent a critical intermediary between the CPA and the small business owner. Truly, bookkeepers and software consultants are often the folks who help to automate the processes, capture the information, and organize the data so that it is useful to the accountant.

The issue that revealed itself was that small businesses started to pay more attention to the technology and business solution advice of their bookkeepers and consultants than to the advice of the CPA. In a lot of cases, the CPA kept an arm’s length from the business, concerning themselves with their own tasks and not paying significant attention to how the data was collected or controlled. As long as they got the data, that was OK. As the reality set in that bookkeeping and information management consulting also fed the “higher level” accounting work, CPAs once again sought a means to participate more directly in the client business, but through a somewhat less direct manner than before. Partnering revealed itself as the means to more fully engage the business, and the bookkeeper or consultant, in the overall accounting value chain, resulting in the delivery of work as well as value back to the accounting professional.

The enabler of this value chain, where the accounting professional, the bookkeeper, and the business owner can all work in concert without limitations of systems or location, is the cloud. Standardized data platforms and integration, mobility and device independence, and the combination of resource management and access into a comprehensive approach to solving business problems are all enabled through cloud technologies and connected solutions and services.

For many, this concept of a fully technology-enabled business seems frightening, like a loss of control or individual accountability. But it’s important to recognize that, as things become more complex, the opportunity for specialists is always created. In the ever-changing world of technology, it’s a dangerous approach to believe that you can be all things to all people, just as in accounting or tax. You can’t be a specialist in every area, so you specialize in your niche, do it better than anyone else, and outsource or partner to get the rest done. This is a philosophy of the cloud, and it’s working.

This is the true value of outsourcing. Whether it is a small business outsourcing its bookkeeping and accounting to a public accountant, an accounting professional outsourcing bookkeeping work to a bookkeeping provider or partner, or a business outsourcing information technology management to cloud solution providers, the end result can include improved focus on the core business, greater agility in embracing and adjusting to new strategies, improved quality of information through attention to process and control, and a much higher level of value delivered to all participants in the value chain.

Make Sense?

J


There are only two types of businesses: those who have lost their data, and those who will

The portable computer was the secret business weapon of yesterday, and is today’s essential business tool. The processing power, portability, storage, and connectivity available with laptops, tablets and even smartphones can create a seamless extension of the office.

Truly, the workforce of today is mobile and fully-enabled.  Business owners, working in conjunction with their accounting advisors and business consultants, are able to access all the information and analytical capability they need to make informed business decisions at any time, capture and collect important information, and keep productivity at the highest levels no matter where they are.

Mobility doesn’t come without risk, however. Some studies estimate that as much as 80% of the business data a company has (customer files, contracts, financial data, product specifications) is stored on portable computing devices. While these files may be recoverable from backups in the case of loss or damage, there is an even larger potential cost in terms of exposure of confidential or proprietary, or personal and private, information.

Loss or theft can create big business and legal problems, too. Customer or client privacy may be compromised, sensitive information may be exposed, and confidential plans may be made public if a business doesn’t take steps to secure mobile data. Software and network attacks are also prevalent, with a variety of exploits designed to take advantage of any vulnerability present.

There’s an old saying we IT folks have that there are only two types of businesses: those who have lost their data, and those who will.  Imagine the potential chaos and risk exposure, not to mention the expense, of losing your valuable business data, or having it exposed to unauthorized users.

While computing mobility delivers a host of advantages to the business and the user, care must be taken to ensure the security, privacy, and confidentiality of business information. Cloud computing solutions and managed IT services can provide the mobile capability your business needs, with the additional protection, additional security, and ongoing management that the value of the data demands. Increased exposure to liability is a reality for any mobile business, and the risk is multiplied by the number of systems a company has in the field. The smart business reduces risk by deploying secure yet versatile platforms for its workers that allow data to be stored and protected in centralized environments rather than on the individual computing devices. Via the cloud, businesses of all kinds are reaping the benefits of new and innovative service delivery models and enhanced security solutions, achieving the freedom and functionality (and data security) the mobile workforce demands.

Here are a few data loss statistics for your reading pleasure…

Enjoy  🙂

J

(Stats drawn from the summary on BostonComputing.net. They may be a bit dated, but the numbers have only increased since then.) http://www.bostoncomputing.net/consultation/databackup/statistics/

The following statistics were gathered from various sources:

  • 6% of all PCs will suffer an episode of data loss in any given year. Given the number of PCs used in US businesses in 1998, that translates to approximately 4.6 million data loss episodes. At a conservative estimate, data loss cost US businesses $11.8 billion in 1998. (The Cost Of Lost Data, David M. Smith)
  • 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine)
  • 31% of PC users have lost all of their files due to events beyond their control.
  • 34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.
  • 60% of companies that lose their data will shut down within 6 months of the disaster.
  • 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)
  • American business lost more than $7.6 billion as a result of viruses during first six months of 1999. (Research by Computer Economics)
  • Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute)
  • Every week 140,000 hard drives crash in the United States. (Mozy Online Backup)
  • Simple drive recovery can cost upwards of $7,500, and success is not guaranteed.


Help Your Business Move to the Cloud

With all of the cloud computing options and services available to support business operations and administration, selecting the right ones can be a daunting task for any business owner. While some cloud solutions offer simple “get started” options and “click to activate” plug-ins, it’s important to recognize that each business and operation works a bit differently. While there are standard requirements common to every business, individual business owners may have strong beliefs or habits that will affect how well a solution works for their particular operation.

Selecting the right technologies and applying platform and application solutions wisely can introduce efficiencies in both time and cost that the business had not previously recognized, or it can create all sorts of havoc and disrupt what were once smoothly-operating workflows. And once a solution is “plugged in”, consider what might happen if it needs to be unplugged at some point in the future.

Because there is no single solution or set of products which will provide the necessary functionality for the lifespan of the business, it’s important to establish a process and framework which recognizes the need for agility and addresses the requirement to meet new business needs as they arise.

“With the evolution of cloud computing, one inescapable reality continues to surface and that is, as with service-oriented architecture before it, the fact that cloud computing promotes the idea of continuous proliferation of services,” said Daryl Plummer, managing vice president and chief Gartner Fellow.

While software and data integrations and “plug-in” data may be delivered through technology, there will always be a need for individuals who understand just how the pieces fit together and how the data and work must flow. It’s okay to rely on service providers to service and support the implementation, but the direction and design of how information and work flow throughout the entire company can provide a strategic advantage and should be an internally-driven project.

As your business looks to the cloud for innovation, efficiency, and mobility, remember to keep your feet firmly planted on planet Earth until you know where you’re going. There are a lot of options available, and not all of the hype is representative of reality. You’ll want experienced professionals to help you get off the ground the right way. That’s where we come in.

“What sits between you and the cloud will become a critical success factor in cloud computing…”

Daryl Plummer, managing vice president and chief Gartner Fellow