06 May
Physical Security Policy: ERP Cloud SOX Compliance Requirements
In order to truly deliver SOX compliant cloud services and infrastructure, a cloud provider must have standardized and documented policies for Change Management, Logical Access Restrictions, Physical Security Policy, IT Operations and Backup & Recovery. We will be discussing physical security policy in this post. If you want to get in-depth info on all top five important controls for SOX compliance, check out this eBook on SOX compliance requirements for accounting in the cloud.
Physical Security Policy: Managing Cloud Servers for ERP SOX Compliance Requirements
In order to successfully go public, an enterprise with cloud accounting software must produce SSAE 16 SOC 1 Type II certification from its hosting provider. This certification applies to the physical data centers and it serves as a benchmark for satisfying the physical security objectives of SOX. Physical security standards include both physical protective measures and NOC security personnel on staff at the data center. SOC 1 Type II certification assures that financial data is stored in an audit-ready environment with necessary data security, availability, processing integrity, confidentiality and privacy.
To assess the physical security policy of a service provider’s cloud data center, ask the following…
- Will they provide documentation to verify recent SOC 1 Type II Certification of the data center in a timely manner?
- How often are data centers audited?
- Is data stored and backed up in multiple co-location facilities?
- Is data physically separated onto dedicated servers with secured ports?
Data Center Security
A data center that is truly secure will offer the highest levels of on-site security, including features like…
- A multi-factor security infrastructure
- Video surveillance
- Alarmed access and egress points
- Kevlar-impregnated drywall and bulletproof glass
- NOC security personnel on-site 24/7/365
SOX Accounting Compliance Requires More than a Secure Data Center
While it is critical to meet the physical requirements of SOX security objectives, it is important to note that cloud security requires more than just secure systems.
There are a lot of cloud providers out there offering infrastructure that satisfies the physical security objectives of SOX. However, to truly gain the confidence of an enterprise, cloud-based accounting requires a full-service cloud hosting partner. While many cloud providers can offer server environments with SSAE 16 SOC 1 Type II compliance, few cloud providers offer ongoing support for application availability, upgrades and compliance.
SOX compliance requires a cloud services provider that is there during the cloud deployment and continues to deliver audit-ready services after the sale.
The 5 Critical Controls for SOX ERP in the Cloud
In order to truly deliver SOX compliant cloud services and infrastructure, a cloud provider must have standardized and documented policies for…
- Change Management Plan and Policies
- Logical Access Controls
- Physical Security Policy
- IT Operations Management
- Enterprise Cloud Backup & Recovery
Did you know?
If you are a publicly traded company with a Dynamics ERP system, you can upgrade to the newest version in the cloud quickly through a full-service cloud services provider that can address all of your needs regarding governance, risk management and compliance. Check out this Microsoft Dynamics compliance solutions and cloud services page.