How Your Accounting Site And Sas 70 Certification Can Protect Your Clients’ Private Info


Does your website include a secure file transfer? Nowadays just about all CPA website designs do, but not all secure file transfer systems are the same. I’m not worrying about about the online security here. Your IT specialist will find that straight forward to assess by just perusing your website and it’s source code. Just make certain the data is nicely password protected and encrypted and you’re pretty well covered. The weak spot in most CPA site security isn’t in the data management, it’s the real datacenter that the data is stored on. Datacenters with professional looking websites and first rate code may very well be stored in the basement of a private residence. It takes a physical examination of a datacenter to determine it’s real quality, and that can make shopping around rather expensive. You don’t want your client’s accounting data hosted on a low cost “cheap” datacenter.

A few years ago I had something of an epiphany when a transformer explosion outside a datacenter I was using was using disabled some of my clients’ data portals. It wasn’t just a matter of the power going down for a few hours. The explosion started a fire that was so close to the room that it the servers were stored in that many of the servers were damaged or destroyed. Well this really opened my eyes. It also threw me into something of a panic. I had made a mistake common to code-monkies. I had been myopically focused on the web-based security. I had utterly failed to properly consider the physical security of the actual servers. What good was all my hard work on the website and security design if the server it’s running on isn’t secure?

As bad as this was I got lucky. It could have been a whole lot worse. While “what if” scenarios were rolling around in my head when a worst case scenario made me shudder. A server sitting in an office building someplace would be easy pickings for a gang of identity thieves.

This is a pretty horrifying prospect. Not all identity thieves are in India or Russia. There is an increasing number of American gangs getting into the business. I had to address this, and address it fast.

After researching the subject for a few days I determined that the the best datacenters for storing information on your accounting website would be SAS 70 Type II certified. SAS 70 is a security protocol set up to audit accounting firms, and this includes reviewing their data centers. By law publicly traded companies have no choice but to use this type of datacenter, but it just so happens that they’re requirements are exactly what I was looking for, rigorous and thorough. These exhaustive security audits are administered by the American Institute of Certified Public Accountants and performed by specially trained CPA firms.

Once I decided what I was looking for it was time to start shopping around. The difference between these data centers and the ones I had been using was night and day. They were secured in what can reasonably be described as a fortress. The facilities were locked and guarded twenty-four hours a day, seven days a week. They were also equipped with state of the art electronic security, including motion sensors and closed-circuit video surveillance systems. There was no casual access to the site. Only authorized personnel were permitted on site. When I made my choice I went high-end. I found a place that used fingerprint scanners, and nobody gets in without being authenticated by their own prints and a fingerprint from the guard at the front desk.

When assessing the security precautions of your accounting website design don’t overlook the value of the physical security of your datacenter. Finding a good datacenter can be tough but, providentially, someone has already taken care of the work. SAS 70 certification is a much easier way to check if a datacenter is reasonably protected.

Kenny Marshall is a consultant and former Officer of CPA Site Solutions, one of the nation’s largest website firms oriented solely to accounting website design.