The SEC OCIE guidelines are vague in many areas, subtly suggesting some things and forcefully recommending others (with the caveat that security may look different for each firm). One thing they do not mince words on, though, is the need to vet vendors. They clearly state that a company does not abdicate its responsibility to keep its data secure just because it moves that data to the cloud.
How can you verify that data kept on servers that you don’t control is safe? You obviously can’t. At the same time, both as a good practice and to satisfy the SEC (and other governmental, compliance, and regulatory agencies), it is important to conduct due diligence on vendors.
What’s involved in this process? In theory, it is actually quite easy. Just start asking questions. Ask the vendor, check their website, Google them. Ask in-depth questions and follow up when the answers differ from what you’d expect. If you are already using a vendor, look at how they are performing. Basically, you want to do a miniature risk assessment on each vendor that holds your data or has access to your systems.
Some vendors will cooperate quickly, providing all the necessary information immediately. Others will provide the same information slowly, and still others won’t even bother calling back. Some (like Microsoft) really don’t care. The trick is to find out everything possible anyway. It often takes a little detective work: how data is backed up, what a company’s reputation is, whether they’ve had any incidents, how good their security really is. All of these can be discerned. It is just a matter of, as the title suggests, being diligent.
Cobaltix Compliance is happy to do this work for clients or to guide them if they would like to do it themselves.