In January 2008, the AICPA released its 19 th Annual Top Technology Initiatives survey results, listing the most important technologies affecting IT strategy, investment and implementation in organizations. Once again, for the sixth consecutive year, “Information Security Management” was rated as the most important initiative by survey respondents. In the July/August 2008 issue of InfoTech Update we introduced a series of case studies based on the Top Technology Initiatives and like the survey results, Information Security Management was of concern to those individuals that were profiled.
To understand how the general topic of Information Security Management affects various segments of the accounting profession, three CPA.CITPs offered their opinions:
Q – What is the primary reason why Information Security Management continues to be #1 year after year?
Jim Bourke: As we deploy new applications and systems, and place more and more sensitive data into digital format, protecting those systems and related data has become a number one priority for many organizations. A significant amount of IT dollars are spent today in information security management. It is one thing to have state-of-the-art systems to increase efficiencies within an organization, but an organization that does not protect those systems will be at a loss. The critical and sensitive data contained within them could be a significant wake-up call for stakeholders, in the event those systems are breached or the data gets into the wrong hands.
Lydia Burns: I believe it’s due to the fact that we hear so much in the news relating to computer viruses causing millions of dollars in damages, and hackers from foreign countries stealing our identities from places like banks and other institutions.
Lisa Johnson: From an individual’s perspective, there is an increased amount of personal information available electronically vs. strictly paper form. From a company’s perspective, more information, including corporate and employee personal information, is in electronic form and made available to those who need access to it, whether at the main site or from remote sites from laptops. Individuals and companies are struggling to protect the information with the dollars and people they have, and integrating the right security people into place to properly manage the security across the company.
Q – Focusing specifically on your role as a CPA working in your respective field of accounting, what are a few of the top three security deficiencies you believe occur in today’s business environment?
Lydia Burns: First, laptops should be secure in government buildings and the data on them should never leave the facility on anyone’s personal thumb drive, portable hard drive, PDA or BlackBerry. Physical security isn’t enough. For example, when visitors walk in to a government building, they are given a visitor’s badge, which is returned when they leave. While these security measures are preventing unauthorized people from entering the building, these measures do not prevent visitors from accessing very sensitive information while they are there.
Second, an employee checking their e-mails on hotel computers when traveling may forget to erase the cache or the computer’s memory of pages visited and information stored upon exiting the hotel system. Even if they have not downloaded any files, a copy of those documents viewed may still remain on the computer.
Jim Bourke : Clearly, o pen and unencrypted WiFi access – not locking down a wireless network – is a significant problem. I can guarantee that you could go into an office business complex and very easily pick up an Internet connection floating around the complex. Unsecured wireless networks are a huge concern, not just for allowing an open window to the Internet, but for allowing access into another company’s system.
Next, consider e-mail. Sending financial statements, tax returns and other private information in an unencrypted or unsecure format is just a bad practice. I would recommend never e-mailing any form of sensitive information through traditional e-mail means. Instead, use encryption or better yet, some form of secure portal to transmit this type of information.
Lisa Johnson: My top three include trust in people, working with the dollars at hand and protecting information.
Security is only as good as the people who are implementing the security policies. Wherever there is human involvement, there is a potential for the security process or feature to be improperly implemented and/or circumvented. This results in a breakdown of the intended security controls and processes. In conducting root cause analysis ( problem-solving methods aimed at identifying the root causes of problems or events) for any company, you will find that the majority of their security issues are people not doing something correctly in the security process.
Many organizations, for example, will indicate that the reason something was not done was due to budget constraints; they were working with what they have in the time they had available. This does not mean they have done something wrong. Instead, their perspective is they have not been able to get to the issues yet.
Whether it is a Social Security number on a badge request form or birthdates on an employment application form, determining whether personally identifiable information exists in an organization is beyond just the “electronic” information. This information exists in a variety of forms throughout the organization and the same precautions/controls over the electronically identifiable information is not always extended to non-electronic information.
Q – In what ways do you think the CPA can educate his or her organization to ensure the three points of the InfoSec Triangle are adequately met?
Lisa Johnson: The most important concern is the business process itself, so it’s key to understand where in the process the controls have been identified as working to ensure confidentiality, availability and integrity. This would involve identifying where data rests or is located within the system or process, where data transmits or is sent, and where data is processed.
Jim Bourke : CPAs, especially those with the CITP credential from the AICPA, are accountants who understand the IT needs of an organization as they relate to business and finance. CITPs are well trained in information security and can relate many controls and safeguards to those involved with protecting confidential data and systems. We can use our auditing backgrounds and knowledge to ensure that such points are in place and protected.
Lydia Burns: We all have an obligation to stay on top of the issues. When we read about laptops being stolen out of our government offices or hackers getting into critical systems, we need to stop and figure ways to protect our systems in our local offices so we are not in the news next month.