Independent Audit Verifies AODocs’ Internal Controls and Processes

San Francisco, CA – KirkpatrickPrice announced today that AODocs, an enterprise document management solution, has received their annual SOC 2 Type II attestation report. The completion of this engagement provides evidence that AODocs has a strong commitment to delivering secure, high-quality services to its clients by implementing and maintaining the necessary internal controls and processes.

The SOC 2 service auditor report focuses on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of AODocs’ controls in meeting the standards for these criteria.

“At AODocs, we feel very privileged our customers trust us with their critical business data,” said Stéphane Donzé, founder and CEO of AODocs. “Getting certified is just another way for us to show our customers that we appreciate their trust, and that their data is safe with us. Companies moving their documents to the cloud often have legitimate security concerns about their sensitive information, but AODocs’ independent audit by KirkpatrickPrice is the assurance they need.”

“The SOC 2 audit is based on the AICPA’s Trust Services Criteria,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “AODocs has selected the security, availability, and confidentiality criteria for the basis of their audit. AODocs delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on AODocs’ controls.”

About AODocs

AODocs is the only document management platform built for G Suite, bringing Google Drive’s unique user experience, performance and reliability to enterprise business applications and document workflows. AODocs makes it simple to replace legacy document management systems like SharePoint and OpenText, automate business workflows, and comply with industry standards and records management regulations. Headquartered in San Francisco, California, and with offices in Paris, France, AODocs was founded in 2012 by software veterans having decades of experience in enterprise search, document management and PLM. AODocs’ patented document management platform is one of the first Google Recommended Partner Solutions for G Suite. Learn more at www.AODocs.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.


As more and more organizations migrate to the cloud, cloud service customers need to consider how the cloud will impact their privacy, security, and compliance. First, cloud service customers must understand how their cloud service provider delivers a secure solution. Second, cloud service customers must consider their new role in cloud security. Some cloud service customers mistakenly believe that when they migrate to the cloud, their cloud security responsibilities also shift. Some important questions you should be asking when considering this shift are: Who’s responsible for cloud security? Why do you even need security in the cloud? Let’s discuss the shared responsibility model and help you understand which elements of cloud security customers are responsible for and which fall under the responsibility of the provider.

What is the Shared Responsibility Model?

The shared responsibility model is a method for determining which roles cloud service providers and cloud service customers play in cloud security. In general, the shared responsibility model outlines that providers are responsible for the security of the cloud, and customers are responsible for security in the cloud. Cloud service providers and customers must work together to meet cloud security objectives.

The model varies with the provider and the service being offered. What this means is the cloud service provider takes responsibility for specific elements of the security related to the storage and physical security of the servers, and the customer takes responsibility for other specific elements. The line between who has responsibility for the different elements is dependent on the provider and the services being used. 

To understand the shared responsibility model, let’s think about security requirements as a spectrum. Cloud service customers add together all of the regulatory, industry, and business requirements (GDPR, PCI DSS, contracts, etc.) that apply to their organization and the sum equals all of that organization’s specific security requirements. These security requirements will help ensure that data is confidential, has integrity, and is available. On one end of the security requirement spectrum are cloud service providers and on the other are cloud service customers. The provider is responsible for some of these security requirements, and the customer is responsible for the rest, but some should be met by both parties. Cloud service providers and cloud service customers both have an obligation to protect data.

Microsoft Azure’s guidance on the shared responsibility model states, “The importance of understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Shared Responsibility Model Across Service Models

When choosing which service model (IaaS, PaaS, or SaaS) your organization needs, you should consider which security responsibilities will apply to you. Technology stacks are a great way to see the shared responsibility model across service model types.

  • For IaaS solutions, the elements such as facilities, data centers, network interfaces, processing, and hypervisors should be managed by the cloud service provider. The cloud service customer is responsible for securing and managing the virtual network, virtual machines, operating systems, middleware, applications, interfaces, and data.
  • PaaS solutions shift the cloud service provider’s responsibilities and add a few elements to their duties. The customer is still responsible for securing and managing applications, interfaces, and data.
  • For SaaS solutions, the responsibilities shift again. Now, the cloud service customer is responsible for the security of interfaces and data.

Cloud service providers and cloud customers both have a responsibility to protect data. It’s also important to note that the execution of individual security management tasks can be outsourced, but accountability cannot. The responsibility to verify that security requirements are being met always lies with the customer.

Physical Security in the Cloud

Physical security in the cloud sounds like an oxymoron, right? Isn’t less management of a physical environment a major benefit of migrating to the cloud? We often hear this case from organizations who haven’t or don’t want to implement cloud security best practices. But…not everything is in the cloud. Everything can’t possibly be in the cloud. Office locations, employees, servers, heating and cooling systems, power regulation, device management—these things don’t exist in the cloud. That’s why physical security must be a major aspect of cloud security.

Best Practices for Managing the Shared Responsibility Model

If you’re a cloud service provider, we believe these best practices will help you better manage the shared responsibility model:

  • Consider risks from your customers’ perspectives, then implement controls that will demonstrate you’re doing everything you can to mitigate those risks.
  • Document the internal controls you use to manage risks.
  • Provide ample documentation on how your customers can use the security features that you provide in your solution. AWS does a great job of this through its educational programs.
  • Create a responsibility matrix that defines how your solution will help your customers meet their various compliance requirements.
  • Turn to the CSA’s CAIQ and CCM as starting points for establishing the shared responsibility model.

If you’re a cloud customer, consider these best practices:

  • Define your cloud security requirements before selecting a cloud service provider. If you know what you’re looking for in a cloud service provider, you can better prioritize your needs.
  • Harmonize your corporate governance program between traditional and cloud-based IT delivery. Migrating systems and applications into the cloud is going to require a difference in policy.
  • Establish contractual clarity on the roles and responsibilities of each party, especially when you get into the public cloud. Who’s responsible for cloud security? How far does the cloud service provider go?
  • Develop a responsibility matrix that defines the security roles and responsibilities for you and for each vendor, including cloud service providers.

Who’s responsible for cloud security? Does your organization understand the security requirements of your cloud provider? Do you understand what your own role is in cloud security? For more information on how to secure the cloud, contact us today.

Independent Audit Verifies ComGraphics’ Internal Controls and Processes

Chicago, IL – April 2018 – KirkpatrickPrice announced today that ComGraphics, a printing and mailing service provider, has received their SOC 2 Type II attestation report. The completion of this engagement provides evidence that ComGraphics has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of ComGraphics’ controls to meet the standards for these criteria.


“The SOC 2 audit is based on the Trust Services Criteria. ComGraphics has selected the security, availability, and confidentiality criteria for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “ComGraphics delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on ComGraphics’ controls.”

About ComGraphics

With over 35 years of experience, CGI has the ability to tackle any document process with ease, taking the frustration out of the hands of our client. Our focus is on providing our clients with the most efficient and reliable end-to-end solutions for all client communications, complemented with the highest level of customer service and responsiveness! Let us create the customized and comprehensive solutions that will reduce your costs and enhance your client relationships!

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 700 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Independent Audit Verifies CIO Solutions’ Internal Controls and Processes

Santa Barbara, CA – KirkpatrickPrice announced today that CIO Solutions, a leader in providing IT and network solutions, has received their SOC 2 Type II report. The completion of this engagement provides evidence that CIO Solutions has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of CIO Solutions’ controls to meet the standards for these criteria.

“We designed security into our data center architecture and processes from its inception 6 years ago,” said David Ashamalla, Director of Security Operations, and one of the original architects of the data center.

“Not just building, but also maintaining a secure data center is a requirement for service providers in today’s environment. Our customers can be assured that we will maintain the integrity and security of their systems,” said Eric Egolf, CEO of CIO Solutions.

“The SOC 2 audit is based on the Trust Services Criteria. CIO Solutions has selected the security and availability criteria for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “CIO Solutions delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on CIO Solutions’ controls.”

About CIO Solutions

Throughout CIO Solutions’ 32-year history of providing premier IT support to Central California, the company has maintained a commitment to thoughtful innovation, security, and client partnership. CIO Solutions serves its clients as a trusted advisor ensuring solid advice and the technological support to help businesses grow.

CIO Solutions has developed a world-class help desk with technically proficient, experienced and helpful agents who have become experts in managing and maintaining IT networks. In addition, CIO also provides consultation, implementation and support for Private Cloud Services, Enterprise Storage, Virtualization, VoIP Phone Systems and other solutions.


Is your small business considering migrating to the cloud? Has your large business seen more and more competition from small businesses? Cloud computing is essential for businesses of all sizes, but small businesses have seen an endless amount of benefits from cloud computing, including financial, operational, and security benefits. Let’s discuss how each of these items related to cloud computing is changing small business.

Affordable Investment

There’s been an enormous change in IT spending, shifting away from traditional IT offerings (enterprise software, data center systems, etc.) to cloud services. In fact, Gartner research shows that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud by 2020, making cloud computing one of the most disruptive forces of IT spending since the early days of the digital age.

So much money is being poured into cloud computing because there are so many financial benefits for small companies. The cost of cloud computing gives small businesses and start-ups access to the same software tools that larger competitors have. In the past, sophisticated software tools were only available in expensive, large packages. Now, cloud products are specifically designed to be used in the cloud and by businesses of all sizes and budgets. Instead of a huge annual fee, priced for hundreds of employees, small businesses can pay monthly fees and pay per user. This gives the users the ability to predict how much their cloud solution is going to cost and how to budget accordingly. Additionally, cloud solutions allow small companies to save on the cost to physically store servers and network equipment or pay for IT support.

Flexibility

Cloud computing gives small businesses the opportunity to be virtual instead of physical – think of all the ways this can positively impact a business. Employees have on-demand access to the cloud environment anywhere, any time, and the environments are readily available and dependable, which could improve overall team performance. Contractual agreements are also likely to be more flexible and solutions are customizable, which is important for a small business; you don’t want to get locked into a contract that doesn’t fit your needs. As your business grows, so can your cloud solutions.

Easy to Use

There’s a cloud service for everything: web hosting, email hosting, application hosting, productivity solutions, infrastructure, business support, and many more. No matter what type of service it provides, a well-designed, quality cloud solution should be user-friendly and customizable to your business. Cloud computing solutions usually integrate easily with other applications that you use, don’t require manual software updates, and increase overall productivity.

Security

People often say that cloud computing makes security easier or less costly. On one hand, yes, cloud computing enables small businesses to scale back on their information security resources if they use a secure cloud provider. What is a secure cloud provider? A provider who can assure their clients that their information is secure, available, and confidential through validation. If you’ve chosen a cloud provider whose cost is low, but they have not gone through an information security audit, you’ve chosen a solution that doesn’t make securing your data easy. It’s vital to choose a provider who’s invested in providing secure solutions. Your reputation, business continuity, competitive advantage, and branding depend on the quality and security of your cloud computing provider.

Preparing for the Future

Cloud computing helps small businesses prepare for the future. As the business grows, scalable cloud solutions can grow with it.

In Gartner’s research, Ed Anderson states, “Cloud shift is not just about cloud. As organizations pursue a new IT architecture and operating philosophy, they become prepared for new opportunities in digital business, including next-generation IT solutions such as the Internet of Things. Furthermore, organizations embracing dynamic, cloud-based operating models position themselves better for cost optimization and increased competitiveness.”

Cloud computing is giving small businesses more opportunities to compete and grow their business. Is your small business considering migrating to the cloud? Do you know which cloud security threats may impact you? To learn more about cloud adoption and how to empower your cloud environments through security audits, contact us today.
