Podcast: Risk Management and Compliance in the Data Center

Is compliance and risk management important to you?

If you have concerns about the risk factors inherent in your IT infrastructure, you’re not alone. Data center risk management is getting more complicated all the time, and the risks increase as you go up the stack with managed services or cloud computing. We explore these issues in this interview with IT risk management expert Dan Schroeder. Dan is partner-in-charge, Information Risk Management, at HA&W, a CPA firm that serves leading national and international tech-based businesses.

In the interview Dan shares insight from his nearly 30 years in technology and risk management, including some thoughts on trends in data center compliance and the increasing complexity of compliance issues as IT solutions become more layered and complex. Dan talks about the need to develop a risk management plan based on best practices instead of just having a goal of meeting a particular compliance standard.

Dan also discusses how privacy and confidentiality are now being layered on top of security concerns, particularly in the healthcare sector, and where IT risk management is heading, drawing on his many years spent reducing risk in data center and cloud environments.

If compliance and risk management in data center and cloud environments is on your radar, the full interview is worth a listen. Some excerpts are below:


4:00 Where does the most risk lie in the data center?

“The crux of the matter is understanding the nature of the risk that’s represented by the data center. From a colocation perspective maybe there aren’t so many risks to the application or the data. In other cases, when there are more sophisticated managed services and cloud computing being rendered or provisioned, the risks move up the stack and maybe we are talking about access to data and integrity of applications.”

10:20 Mapping a Compliance Plan that Avoids Overlapping Audit Costs

“As you can imagine, if you’re a technology service provider and you have to provide evidence that you’re doing PCI and HIPAA and do a SOC 2 report, you don’t want to have a wave of three different auditors coming in there week after week after week. You want one audit team coming in there that can produce all three of those reports. If there’s evidence that can be gathered that achieves a common requirement of each of those, you want it gathered one time, not three times. There are fees from the auditor like us and then there is your time to provide all that evidence.”

13:25 Don’t Try to Earn a Certificate, Aim to Reduce Your Risk

“If you’re just thinking about generating your reports and you don’t think about risk, your reports may not rationalize, they may not be harmonized, and chances are you aren’t going to achieve risk management, and it could very well be that your report isn’t going to be effective and meet the objective your stakeholder needs with respect to that report.”

21:00 Availability is a Higher Risk Factor than Security

“Speaking to both data center providers and to users of data centers, if you ask them what is the most critical thing that you think about in terms of risk that is represented by that data center, 95 times out of 100 they aren’t saying security, they’re saying ‘I need to make sure that thing is highly available.’”