Archive for April, 2013

Planning for your Digital Afterlife

April 15, 2013

I read about an interesting new service from the folks at Google today.  They have started allowing their customers to control what happens to their online data after a pre-defined period of inactivity.  Although you don’t have to die for it to be activated, it started me thinking about all of the places in cyber-space where my data and information might live on.  For example, this blog is controlled by me through an id and password.  If I passed away tomorrow, what would become of the entries I have made over the last several years?  How long would they continue to exist?

For all the important accounts in my life, my wife is aware of the login credentials so that online banking, retirement accounts, email, etc. would not be a problem.  But what about all those other services that I use?  Facebook, LinkedIn, Twitter, Ebay, PayPal, the car insurance online account, UPS, rental cars, hotels, frequent flyer, etc.  I have no idea how long those accounts would remain active with no interaction from me or my heirs.  I can only imagine how difficult it would be for a surviving spouse or child to have control transferred to a new id and password.

There are certainly more accounts online than I have listed here.  Is there a mechanism out there somewhere that closes all these accounts in the event that I pass away unexpectedly?  What is the real risk of these accounts continuing to remain active after I pass?  There is certainly a risk that they could be taken over by an unauthorized party.  Would my heirs be responsible for any unauthorized transactions from accounts that I created?  Is there any case law involving digital assets in probate court?  These are questions that I had never considered before.

A quick search online reveals several companies that help you plan for this.  I found Legacy Locker and SecureSafe.  I am sure there are lots of others.

I would be curious to know what the policy is for various types of accounts and what the “expiration date” is for automatic deactivation or deletion of an account.

Perhaps more companies will begin to follow Google’s lead and provide for the inheritance or elimination of online “property”.  It certainly has me thinking about what to turn off and what to leave on.  Now I just have to figure out who should inherit my blog...


How to know if your Data Center is Serious About Controls

April 15, 2013

Every day I get an alert from Google for any new press releases about SSAE 16 reports.  The vast majority of the alerts come from co-location and “cloud” data center providers.  I believe I have already beaten the “SSAE 16 is not intended for general IT controls” horse to death in other blogs so I won’t go into that.  What I will continue to bring up is the colo, data center, and cloud industry’s apparent unwillingness to recognize the importance of the SOC 2 report, especially now that the AICPA and Cloud Security Alliance have endorsed SOC 2, along with the Cloud Controls Matrix, as “likely to meet the assurance and reporting needs of the majority of users of cloud services”.

I’m sure that many readers will jump all over the semantics of cloud vs. data center vs. colo.  But conceptually all three house IT infrastructure at a facility that is not controlled by the customer.  As a result, IT general controls (non-ICFR) are extremely important.  The reason SOC 2 exists is to address all those IT general controls.  A customer of a colo, data center, or cloud provider that maintains responsibility for the initiation, processing, and reporting of transactions through IT infrastructure housed at a remote facility should be asking their provider for a SOC 2.  The Trust Services Principles and Criteria are the pre-established general controls criteria that have been missing from SAS 70 and SSAE 16 reports.  Without some type of framework, SSAE 16 reports are subject to all manner of missing and irrelevant controls.  The inconsistency in both structure and content is one of the primary reasons that information security professionals laugh at the mention of SSAE 16 and SAS 70.

Does your data center, colo, or cloud provider offer a SOC 2 report?  If so, you can be a lot more confident that they are serious about providing you with meaningful information regarding their IT general controls.  They have taken the time to understand the new AICPA standards for SOC reporting and have made the decision to provide the appropriate report to their customers.  If your provider is still providing only the SSAE 16 report, you really need to read the report and ask yourself “What’s missing?” because chances are, there are important controls being glossed over or ignored.

An easy way to test your provider’s SSAE 16 report is to compare the controls being tested and described to any number of controls frameworks, including the Trust Services Principles and Criteria or the Cloud Controls Matrix or COBIT or whatever you think is the best and most appropriate for the services being provided.  Chances are you will find that the report is missing important details.