Are we too trusting?
NOTE: Chaim Yudkowsky, CPA, CITP, is an MACPA member and chief information officer at Textilease Corp., a uniform and first aid services company serving the Southeast.
By Chaim Yudkowsky, CPA, CITP
When I was a kid, the gas meter and electric meter were located in our house. When the meter reader would visit each month, he would knock on the back door, call out "gas man" and we would let him in to do his job.
As I got a little older, this process changed; we started to require the flashing of gas company identification to enter our house. Our community threshold and expectations of trust had fallen.
Recently, a senior analyst with Gartner described the methods a security consultant used on a specific engagement. This consultant created an official-looking badge on his home computer, added a "swipe bar" made out of electrical tape, and visited his client's site. The front desk personnel did not stop him to check his ID, and he easily slipped in through the company's front door. Next, he walked to the door of the data center, waited for some employees to come by, and pretended to be having trouble swiping his card at the entry system on the door. The trusting employees let him in, explaining, "I guess the system is misbehaving again." Once in the data center, he promptly instructed everyone to leave, explaining that he was there to fix something. After all of the IT staff in the data center had left, he promptly called the client's CEO. The consultant said, "I have complete control of your data room."
Right after Sept. 11, we became concerned and suspicious about all of our physical security. However, our underlying complacency made it easy to forget the message of not trusting anyone completely in our IT environments.
This is particularly important to discuss when considering that security spending remains one of the growth areas in many IT budgets. Though a periodic reminder of IT security priorities and ongoing vigilance is always appropriate, let's spend some time addressing the most basic weakness — physical access to our IT assets that can undermine any other investment we make to protect those assets. Those assets are human capital (people), hardware (machines) and data (physical and near physical access to large quantities of data).
Before defining specific steps to better safeguard our assets, we must define a framework for imposing those instructions.
- Don't judge a book by its cover. People dressed as employees, people confidently acting as employees, and even disgruntled employees pose serious threats to the safety of IT assets. We must have processes that impede such people's access and reduce our exposure to them. Note: This is a learning process and will never be perfect.
- There is such a thing as suspicious behavior. Everyone should feel a duty not to tolerate strange behaviors, even by fellow employees, without asking questions. The threat is not just theft but vandalism, corporate espionage and breach of customer / client / patient confidentiality. Political correctness has no place in protecting assets, though some instances require conversations with corporate counsel or even law enforcement personnel.
- Training. We need training in the workplace to be more skeptical of people's intent without becoming paranoid. Our employees must create an atmosphere where people are sensitive to the risks of simple things like leaving fire exits open unattended, but still enjoy working there. We must feel safe and cared for.
- Processes must weigh the actual risk that a suspicious behavior poses. The new airport model seems to waste thousands of hours by assuming we are all risks. Lifetimes are being wasted in lines. Should we be scanning the shoes of everyone entering tall buildings or airplanes because of one failed hijacker who was acting strangely? Imagine the economic impact on consumer spending if malls or casinos imposed the same rules as the TSA! There must be a logical association, some human ROI, between the practicality of a security procedure and the reduction of risk it buys.
- Any security adds an administrative burden. (Think insurance.) Remember to budget for IT security to include physical security or to include it more globally in the budget for each building housing your three types of IT assets.
Things to do
Having established the framework, the following should be considered in all IT environments.
- Safeguard access to backup tapes and make sure they are all accounted for and cannot easily disappear.
- Make sure your wireless and mobile users are not introducing risks through their behavior.
- Have an established process to revoke access to anyone fairly quickly. This includes access to buildings, rooms and even hardware or data. You should have a basic IT security breach / IT loss protocol.
- Establish reasonable after-hours policies. Just as auditors typically frown upon employees who never take time off even for vacation, there may be some concern about personnel who always come into the office over weekends and holidays.
- Use and change locks appropriately. Keys should be periodically updated or entry codes changed, especially after disgruntled people leave. Why invite trouble?
- Make sure alarms work and know what they protect. Codes also should be updated in a timely fashion to reflect any new threat.
- Reduce theft by using common sense. Keep equipment away from uncovered windows. Lock the equipment in a room, especially overnight. Tone down room identification so that it serves only people who belong in the building but might get lost. Labeling a room "data center" when it is not obviously the data center is advertising for trouble.
- Consider establishing a sign-in / sign-out process for more sensitive IT areas. In some environments this adds to accountability. One way to automate this may be archiving the card-entry reader logs.
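One way to turn an archived card-reader log into the accountability the sign-in / sign-out item asks for, as an added example that is not part of the article: it flags reads by badges that should have been revoked, after-hours reads on sensitive doors, and exits with no matching entry (the gap a tailgater like the consultant in the story leaves behind). The log lines, badge IDs, door names and business-hours policy are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of card-reader reads (not from the article):
# timestamp, badge, door, direction
BADGE_LOG = """\
2024-03-04T08:55:00,B1001,DATA_CENTER,IN
2024-03-04T10:12:00,B1001,DATA_CENTER,OUT
2024-03-04T13:40:00,B1007,DATA_CENTER,OUT
2024-03-04T22:15:00,B1002,DATA_CENTER,IN
2024-03-09T11:00:00,B1003,DATA_CENTER,IN
2024-03-04T09:30:00,B1002,LOBBY,IN
"""
REVOKED = {"B1003"}            # badges whose access should already be revoked (assumed)
SENSITIVE = {"DATA_CENTER"}    # doors subject to sign-in / sign-out review (assumed)
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, Monday to Friday (assumed policy)


def review_badge_log(log_text, revoked=REVOKED, sensitive=SENSITIVE):
    """Return a list of (badge, door, timestamp, reason) findings."""
    findings = []
    inside = set()  # (badge, door) pairs currently signed in
    rows = list(csv.reader(io.StringIO(log_text)))
    rows.sort(key=lambda r: r[0])  # reader archives are not always in time order
    for ts, badge, door, direction in rows:
        when = datetime.fromisoformat(ts)
        if badge in revoked:
            findings.append((badge, door, ts, "read by revoked badge"))
        if door not in sensitive:
            continue
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            findings.append((badge, door, ts, "after-hours access to sensitive area"))
        if direction == "IN":
            inside.add((badge, door))
        elif (badge, door) in inside:
            inside.discard((badge, door))
        else:
            # An OUT read with no prior IN: the person got in without swiping
            findings.append((badge, door, ts, "exit without matching entry (possible tailgating)"))
    return findings


if __name__ == "__main__":
    for badge, door, ts, reason in review_badge_log(BADGE_LOG):
        print(f"{ts} {badge} {door}: {reason}")
```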
Being sensitive to IT security by budgeting and maintaining tools like firewalls and antivirus software is not enough. We must focus foremost on the easiest attack point — physical access. Once that is robustly secured, we can move on to the more creative and difficult entry points.