five areas of information security to cover.
by penny breslin
it’s not just the numbers
your clients trust you with their information; however, in today’s world, where sensitive information can be compromised and distributed, clients want assurance that their information is safe and that you are protecting them from identity theft.
more: how to create effective communication systems | start every engagement with an sla | get the most out of your client meeting | why you need standard naming conventions | how to develop internal procedures | proper workflow demands consistency | workflow tools can deepen client relationships
exclusively for pro members. log in here or 2022世界杯足球排名 today.
although certain state laws (check with your state); federal laws such as gramm-leach-bliley (glb), which covers individual privacy disclosures; and the aicpa rules of ethics do provide some protection, we recommend that as the trusted business advisor, you should disclose to your clients how you:
- safeguard their information in your office and on your servers
- securely transmit sensitive data
- closely supervise access to authorized parties only
when companies work with off-site staff, one of their key concerns is feeling secure about what happens to their information. who has access to their data? what about privacy? the following are some security suggestions you may find helpful in your practice. this list is by no means exhaustive.
there are five areas of information security you need to incorporate into your procedures:
- application level – restricting access: requiring mfa (multifactor authorization)
- logical access – virus detection, protection and prevention
- transmission – encryption and user identification
- physical – protection of the equipment
- people – onboarding and offboarding team members
each of these areas is discussed below. we will be emphasizing the security of electronic information; however, many commonsense techniques can also be applied to client data in paper format.
application level
this level of security deals with allowing only authorized users access to applications and client-related data. this is typically accomplished by assigning usernames and passwords. however, the firm should enforce policies that further protect passwords (i.e., require passwords to be changed frequently, enforcing password rules with numbers and special characters). furthermore, the system administrator should provide only the applications and client data necessary for staff to complete the desired tasks. lastly, should a user be terminated, access must be immediately revoked. make this a step in your team member offboarding checklist.
granting and monitoring access is not enough. it is imperative that all users are known and properly screened. further, if you are working with a staff member who is located outside of the united states, we recommend that you disclose to clients the locations of the staff and offices up front and reassure them that the same security and supervision applies throughout your organization. if anyone outside the usa has access to an individual client’s tax data, written consent is required using a prescribed irs form letter under regulation 7216.
should you choose to partner with an outsourcing company, your outsourcing partner should thoroughly screen each staff member for educational degrees and qualifications, past employment history and personal references. passports should also be verified. depending on the crime and the terms of sentencing, probation or parole, people with a criminal past may not be allowed to have an active passport. you may also want to get a background check. my outsourcing group in chennai operates in teams of six people, with each team having one supervisor.
as for access to applications and data, remember your overseas staff is treated like any other staff member. you provide them with remote access to your asp/managed server and assign the client files that they may access. data is never sent outside of your secured environment, unless you have given permission beforehand.
logical access
this area involves your computer’s defenses for blocking viruses, worms and other malicious attacks on your system infrastructure containing client information. it is important that a policy exists requiring all computers, especially network systems, to have virus detection software. virus definitions also need to be updated frequently. fortunately, most virus detection software today has the ability to automatically update their virus files to protect against the latest threat. there must be a policy that forbids downloads or loading non-authorized software onto company computers.
logical access also covers the ability to detect and prevent hostile threats (including dos – denial of service and ddos – distributed denial of service attacks) before invading your system or progressing further. this is accomplished through intrusion detection systems (ids). think of ids as a burglar alarm for your computers and your network. it keeps unauthorized users out of your system, while allowing authorized users in. when using an asp or managed server, this security is inherent in the soc 2 certification of the provider.
transmission
cpa firms can better protect confidential data when sending and receiving information electronically. the use of digital certificates protects you in two ways. first, you can confirm the identity of the person you are exchanging information with. second, you can encrypt the data being transmitted so that only the intended recipient can read the information. if you send data that is not encrypted, it is sent in “clear-text,” which means that anyone who has the ability to intercept or monitor your transmission can read the confidential information.
very few firms actually use digital certificates and encrypt confidential client information when sending emails. class i digital certificates are recommended when transmitting confidential information. digital certificates can be obtained from verisign. you might even think about buying them for your client to ensure secure transmission of data.
digital signatures are used in signing documents to give your clients a certain level of comfort and help to defend against fraudulent emails and identity theft. your client should obtain at least one digital certificate as well, so that you can encrypt email and data attachments between the two entities.
any time information is shared or transmitted between two or more users or servers outside an internal system or the firewall, the transmission of data must be secured. unless the transmission is secured, information leaks can occur. there are three main alternatives for achieving transmission protection:
- implement vpn (virtual private network) software and hardware
- use a remote access tool that allows transmission encryption, properly configured and maintained, such as citrix or remote desktop protocol (rdp) with mfa
- use secured external, but “shared” hard drives for online files, documents and applications. it is important that communications between the shared drive and remote users are encrypted. an example is coaxis. with coaxis, files are protected by 128-bit encryption (rsa security). files and folders posted on the drive can further be protected with access controls and permissions.
physical
surprisingly, physical theft is the most popular way to obtain confidential information. computer theft is every cpa’s worst nightmare: sensitive information falling into the wrong hands. however, theft is not the only way to lose information. hardware failures occur frequently. therefore, constant data backup is critical for protecting firms from not only hardware failures, but events such as fire, electrical spikes, floods, storms and any other natural disasters.
people
onboarding and offboarding your internal staff properly are crucial security steps that many firms ignore. have a checklist of the steps that occur when providing access to new employees. these employees will have access to sensitive data of the firm and the clients. define the limitations around the access. if the employees are going virtual, how are you protecting the access points of their byod (bring your own device)?
larger firms will assign this to their internal it staff to handle. smaller firms can rely somewhat on their managed server providers. however, do you know all the access devices that are being used? is this documented, so that if you need to turn off an access, you know where the device is, who owns it, what they access with a given device and whether you can remove the access? how long does it take you to remove an employee who has left your employment?
recommended client disclosure letter
communicate with your clients at least annually on how your firm gathers, stores, shares and distributes sensitive client information. below is a sample letter:
dear [client]:
you trust us with important, sensitive information. this letter discloses our data protection measures, assuring only authorized access to your information.
we safeguard your information using security methods surrounding four main areas: software application, virus protection, transmission of information and protection of information from physical damage or theft. in addition, we have every staff member sign a privacy and ethical behavior statement. (a copy of the statement is available upon request.)
please don’t hesitate to contact us if you have any questions regarding our security measures.
kind regards,
disclaimer: while every effort has been made to provide the most up-to-date information relating to data security, please consult security professionals for the latest best practices in physical and cybersecurity. we strongly recommend that you consult your insurance professional to ensure that you have a cyberinsurance rider on your liability policy.
the aicpa has an online resource with updated cybersecurity and a plethora of articles they aggregate from multiple sources. there are some interesting best practices you can apply to clients also – a nice value-added process you can add to your repertoire of services to provide. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cyber-security-resource-center.html
how to use mfa when your team members don’t have phones
another challenge has been security to cloud app logins. many sites require secondary authentication codes, or mfa to obtain access. because we do not allow mobile devices in the workroom, our accountants were having problems with timeouts to obtain codes that were being relayed by the person whose mobile phone received the access code. searching the app directory on slack apps, we found yodel.io. yodel provided us with a phone number. this is not a google number but an actual voip phone that can receive voice and sms messages. the security preferences of our cloud apps have the yodel.io phone number listed as the receiver of the two-factor code. we connected yodel.io to slack and now we have a dedicated phone channel for these codes. anyone on our secure slack with the correct user permissions can request a code.
we use rdp to access client servers. rdp is not secure by itself, but you can place an mfa requirement within the login policy to enhance the security. both google and microsoft have these authentication protocols available. i have seen two clients have their rdp hacked because they were not using mfa. one of these was a rather large firm.
recently an accounting client instituted mfa on their rdp that we access. i asked him why she finally added this new mfa policy. turns out she was at a peer group meeting in chicago and met a cpa firm that had had their rdp access breached. i was quite happy that we had the capability to log in that very night the mfa was established, without a hiccup, thanks to yodel.io and slack. yodel.io also allows for voice messages and auto responses that can be texted or voiced back to the sender. check out yodel.io whether you use slack or not and you can automate a lot of incoming communication easily.