The Statement

Security — an issue that should concern you (Part 3 of 3)

By T. Rose Rovelto, CPA
Boomer Consulting

In the first two articles in this series, we discussed basic security fundamentals and identified the common threats and enemies to a networking environment, then looked at the particular threats that exist at each level of network access: local and wide area networks, remote access and the Internet. This final article discusses how to establish a comprehensive security strategy that ensures precautions are communicated and followed.

Comprehensive security strategy

A well-planned, well-executed security policy that balances user needs and security requirements will play a big role in the overall security of your business. A comprehensive security strategy starts with a strong network policy. Other important elements include defining employee rights, privileges and responsibilities; termination procedures; and a well-defined, documented and tested disaster recovery policy.

  • Network policy: There are two important aspects of a good network policy: service access and stringent network administration. The policy must balance protection of the network against users' need for access to network resources. It should be an extension of your overall business objectives and define the services that will be allowed or explicitly denied, both internally and externally.

    The external service access policy is most often implemented with a good firewall. The internal service access policy is implemented through stringent network administration: establishing file and application permissions; ensuring strict adherence to password policies and all other user policies (discussed later); and reviewing and maintaining security logs, following up when necessary.

    Having the precautions in place is not enough. The system must be continually monitored and updated, and the results of your reviews should be reported to management on a regular basis.
  • Employee rights, privileges and responsibilities: Employees are given many tools and access to resources that directly benefit their productivity (e.g. e-mail, Web access, file access, application access, remote network access and confidential client information). Whether what employees do with these resources is private has been the subject of many discussions and even lawsuits. The resounding answer: it depends on your stated policies!
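The network policy above asks for two things a firewall and an administrator can actually check: a list of services that are explicitly allowed (everything else denied) and a regular review of the security logs that goes to management. The following Python script is an added example, not code from the article or from Boomer Consulting, that encodes such an allow list for an internal and an external zone, applies it to a few constructed firewall log lines, and produces the denied-connection summary a reviewer would hand to management. The network ranges, ports and log format are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical office LAN; any address outside it is treated as "external".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Service access policy written as an explicit allow list per source zone.
# A (protocol, destination port) pair not listed here is denied by default,
# which is the "explicitly denied" posture the policy calls for.
ALLOWED = {
    # what hosts on the LAN may reach on the outside: web, mail out, DNS
    "internal": {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)},
    # what the outside may reach on the firm's servers: inbound mail, web site
    "external": {("tcp", 25), ("tcp", 443)},
}

# Hypothetical log format: "<date> <time> src=<ip> dst=<ip> proto=<p> dport=<n>"
LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample log lines (not real traffic) for the review below.
SAMPLE_LOG = [
    "2000-11-27 08:12:03 src=10.0.0.15 dst=192.0.2.10 proto=tcp dport=443",   # LAN user browsing
    "2000-11-27 08:12:09 src=10.0.0.15 dst=192.0.2.10 proto=udp dport=53",    # DNS lookup
    "2000-11-27 08:14:41 src=10.0.0.22 dst=192.0.2.44 proto=tcp dport=21",    # FTP out, not allowed
    "2000-11-27 09:01:17 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=25",    # inbound mail
    "2000-11-27 09:01:20 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=23",    # telnet from outside
    "2000-11-27 09:01:21 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=139",   # NetBIOS from outside
]


def zone_of(ip):
    """Classify a source address as internal (on the LAN) or external."""
    return "internal" if ipaddress.ip_address(ip) in INTERNAL_NET else "external"


def parse_line(line):
    """Turn one log line into a dict; refuse lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: " + line)
    entry = m.groupdict()
    entry["dport"] = int(entry["dport"])
    return entry


def decide(entry):
    """Apply the policy to one connection: allow only if listed, otherwise deny."""
    service = (entry["proto"], entry["dport"])
    return "allow" if service in ALLOWED[zone_of(entry["src"])] else "deny"


def review(lines, follow_up_threshold=2):
    """Build the management summary: every denied connection, counts per source,
    and the sources that hit the threshold and need a follow-up."""
    denied = [e for e in map(parse_line, lines) if decide(e) == "deny"]
    by_source = Counter(e["src"] for e in denied)
    follow_up = sorted(src for src, n in by_source.items() if n >= follow_up_threshold)
    return {"denied": denied, "by_source": by_source, "follow_up": follow_up}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print("Denied connections:", len(report["denied"]))
    for src, n in report["by_source"].most_common():
        print(f"  {src}: {n} denied ({zone_of(src)})")
    print("Follow up with:", ", ".join(report["follow_up"]) or "nobody")
```

Two design points carry over to a real firewall: the policy is an allow list, so a new service has to be added deliberately rather than blocked after the fact, and the review counts denials per source so that a single blocked FTP session from a workstation and a repeated probe from one outside address are reported differently.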

Let's take a brief look at the policies that should be included in your comprehensive security strategy.

Client confidentiality

First and foremost, client information must remain confidential no matter what the medium. Careless handling of client e-mail over the public Internet can be as damaging as leaving a client file on a park bench.

In addition, carelessly giving out information over an ordinary telephone line can open a path into your network. Social engineering is becoming an easy access point: anyone who is in a position to give out information over the telephone without actually knowing who is on the other end is a potential target.

I recently did a simple test on a bank by calling and "acting" like a long-standing client. I didn't know the individual with whom I was talking, but she gave me personal information on my accounts without asking for any confirmation of identification. That scares me, and it should scare you, too.

Your employees should be cautious about giving out client information and ANY information regarding your network. Remember, once someone is inside your network, the client information on it is within reach. All requests for non-public information about your network should be routed to your network administrator, who knows what is safe to disclose and what is not.

With respect to employee rights, privileges and responsibilities, I have included potential policy excerpts that you might consider in your policy building process.

Build-a-policy:

  • Confidential information is not to be transmitted over the Internet without proper encryption.
  • Client or network information is not to be given out under any circumstances unless the requester's identity has been verified.
  • No telephone surveys are to be answered, no matter how trivial they may seem.

Internet usage policy

Your firm provides each employee the use of the telephone for business purposes, although personal phone calls are allowed when kept to a minimum. Internet privileges should be handled similarly.

Your people are professionals and you should treat them as such. They will prove it to you by using their judgment in their e-mail usage. However, it is important to convey to them through a written policy that e-mail is a privilege, not a right, and that excessive use for personal reasons or with improper intent is prohibited. It should also be noted that the firm's e-mail system is not a private medium: any e-mail sent through the company's system is considered company property.

Web access is a privilege in the same way as e-mail access. It should be used for business purposes only, and the written policy should strictly prohibit viewing or forwarding potentially offensive material. E-mail jokes and forwarded political or sexually offensive pictures and cartoons are the biggest culprits. Set your policy in writing and set an example by your actions; if not, be prepared for controversy, headaches or worse.

Build-a-policy:

  • E-mail and file transfers are to be for business use only by authorized users.
  • E-mail is considered the property of the firm and employees should not expect privacy in e-mail sent from the firm's mail system.
  • Use of another employee's account or access to their personal files without their consent is strictly prohibited.
  • Transmission of harassing, discriminatory or otherwise objectionable e-mail or files (as determined by the recipient) is strictly prohibited.
  • All downloaded applications must be approved by the firm's network administrator before being installed on the network.
  • Access to non-business related, obscene or offensive sites is strictly prohibited.
  • Any personal use of the network for commercial or illegal activity is strictly prohibited.
  • Transmission of any religious or political messages is strictly prohibited.
  • Game playing is strictly prohibited.

Anti-virus

According to Network Computing's Nov. 27, 2000 issue, malicious viruses ranked number one among computer crime types for dollar losses.

It is very easy to slip into a false sense of security. Because most viruses arrive by e-mail, a firewall or mail gateway that scans incoming mail can stop many of them before they ever reach a user's mailbox. No filter catches everything, however, so user awareness and skepticism must remain at a high level.

Build-a-policy:

  • All floppy disks are to be scanned for viruses before any file on them is opened.
  • All downloaded files or applications are to be scanned for viruses before being saved on the firm's network.
  • Disruptive behavior, such as introducing viruses or intentionally destroying or modifying files on the network, is strictly prohibited.

Anti-piracy

The installation and/or use of unlicensed software is a violation of federal law and, therefore, should be a violation of firm policy. As stated in previous articles, the Software Publishers Association (SPA) and the Business Software Alliance (BSA) have been hot on the trail of companies that have abused software licensing laws. The only way to ensure that you will not become one of the statistics is to write a clear policy statement and practice what you preach! Remember, the number one source of leads for these organizations is disgruntled employees.

The company should request affidavits from employees regarding compliance with company policy and conduct unannounced audits of employees' computers.

Build-a-policy:

  • All software paid for by "Your CPA Firm" is to be licensed to "Your CPA Firm" and installed on "Your CPA Firm"-owned machines.
  • Personally owned software may be installed on company computers only if it is business-related, does not require extensive computer capacity, has supervisor approval and has been legally obtained.

Remote access policy

Remote access is a popular way to communicate and connect to the network from outside the office. As firms open their networks this way, they must ensure adequate security and provide guidance on proper usage. Your policy should address several issues while still encouraging use.

Build-a-policy:

  • Employees should request approval in order to activate their account on the firm's communications server.
  • Remote access client software will be installed on your notebook or home computer upon completion of a training session on the use of remote access. The firm's technology group will provide the client software, a password and instructions on how to use it.
  • Employees should not allow anyone to access the firm's network under their user account or password.
  • Employees should log off upon completion of remote tasks in order to not consume simultaneous user licenses and reduce bandwidth available to other employees.

Educate and enforce

Written policies are only as good as they are communicated, monitored and enforced. How closely you watch is up to your management team, but policies without checks and balances are of little use, and recognizing a violation and doing nothing about it nullifies the policy. Finally, if management doesn't practice what it preaches, don't waste your time writing policies.

Build-a-policy:

  • Activities related to employee rights and responsibilities will be monitored and reviewed by management.
  • Violation of these policies is subject to disciplinary action, up to and including termination.

  • Employee termination procedures: Whether your employee leaves on good or bad terms, certain steps should be taken upon his/her departure. Just as you would require him/her to return the key to the front door of the building, network access should be terminated immediately.
  • Disaster recovery policy: A comprehensive security strategy would not be complete without a written, communicated and tested disaster recovery policy. My favorite test when I was an auditor was to take a company's written disaster recovery policy, select one of the key individuals listed in the policy and ask them to describe their role during a disaster. Nine times out of 10, they had never even seen the policy. How can such a policy be effective?

Unfortunately, I do not have the space to delineate the items needed in a disaster recovery policy in this article, but I don't want to devalue its importance. Don't make the could-be-fatal mistake of waiting for a disaster to strike before you are properly prepared.

Conclusion

There are a number of security issues and measures that you can take to protect your firm. Without policies, you could be wasting your time and money. Furthermore, policies are only as good as they are communicated, practiced and enforced.
