By Thomas G. Stephens, Jr., CPA, CITP
Originally published in Accounting Network News
Information security remains a challenge for accountants in all walks of the profession. As accountants, most of the information we work with on a daily basis is sensitive and, as such, requires professional due diligence to protect that data. In fact, for the sixth consecutive year, information security was named as the technology initiative expected to have the greatest effect in the upcoming year, according to the American Institute of Certified Public Accountants’ 2008 Top Technology Initiatives survey.
In Part I of this multi-part series, we will address several fundamental aspects of securing your data and systems – the importance of policies, effective passwords, and email security.
It Starts With Policies
Underpinning the concept of information security are policies that every organization should have in place to ensure that each team member fully understands his or her role and responsibility in securing the organization’s data. Examples of these policies include anti-virus policies, encryption policies, password policies, and remote access policies. A password policy, for example, should address issues such as the minimum required length of passwords used to access corporate networks, the complexity of such passwords, and the frequency with which passwords must be changed.
In the absence of clearly-communicated policies, team members don’t have the guidance necessary to effectively and consistently apply security settings across the organization. Fortunately, there are numerous resources for such policies so that these do not have to be created from scratch. The SANS Institute is one such resource. The SANS Security Policy Project is an excellent resource for the types of policies required to successfully secure organizational data; sample policy templates are accessible at http://www.sans.org/resources/policies/.
Passwords Are Key
With the fundamental policies in place, the next step in securing an organization’s data is to ensure that appropriate passwords are in place so as to limit unauthorized access to systems and the data on those systems. These passwords must possess certain characteristics in order to be considered “strong.” These characteristics typically include:
- A minimum of eight characters, though 10 or more characters are preferred
- At least two alpha characters (a mixture of upper- and lower-case), two numeric characters, and two special characters
- No person’s name and no word found in a dictionary
- Changed at least every 90 days and not re-used
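The following is an added example, not code from the original article, that turns the list above into a check a helpdesk or self-service password tool could run. The composition rules are enforced by check_password; the rotation and reuse rules need a change date and a history, so they are handled by is_expired and is_reused, the latter keeping only salted hashes of old passwords rather than the passwords themselves. The dictionary and name lists are small constructed stand-ins for a real word list and staff directory.

```python
"""Policy checker for the password rules listed above.

Added example, not code from the original article. The four rules are the
article's; the dictionary and name lists below are constructed stand-ins
for a real word list and staff directory (assumed data).
"""
import hashlib
import string
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 8
PREFERRED_LENGTH = 10
MAX_AGE = timedelta(days=90)

# Constructed stand-ins. A deployment would load the system word list and
# the organization's directory; entries shorter than four letters are
# skipped so that a name like "bob" does not flag "robot".
DICTIONARY_WORDS = {"password", "welcome", "summer", "accounting", "ledger", "audit"}
KNOWN_NAMES = {"thomas", "stephens", "tommy", "alice"}


def _listed_word_inside(password: str, words: set, min_len: int = 4) -> Optional[str]:
    """First listed word of at least min_len letters that occurs inside the
    password, ignoring case; longest match first for a deterministic result."""
    lowered = password.lower()
    for word in sorted(words, key=lambda w: (-len(w), w)):
        if len(word) >= min_len and word in lowered:
            return word
    return None


def check_password(password: str) -> List[str]:
    """Return every composition rule the password violates; an empty list
    means it passes (rotation and reuse are checked separately)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum(c in string.punctuation for c in password)
    if upper == 0 or lower == 0:
        violations.append("needs at least two letters, mixing upper and lower case")
    if digits < 2:
        violations.append("needs at least two digits")
    if specials < 2:
        violations.append("needs at least two special characters")
    word = _listed_word_inside(password, DICTIONARY_WORDS)
    if word:
        violations.append(f"contains dictionary word '{word}'")
    name = _listed_word_inside(password, KNOWN_NAMES)
    if name:
        violations.append(f"contains a person's name '{name}'")
    return violations


def is_strong(password: str) -> bool:
    return not check_password(password)


def is_preferred_length(password: str) -> bool:
    """The article prefers 10 or more characters; advisory, not a violation."""
    return len(password) >= PREFERRED_LENGTH


def is_expired(last_changed: str, today: str) -> bool:
    """Rotation rule: due once the password is 90 days old (ISO dates)."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) >= MAX_AGE


def history_fingerprint(password: str, salt: bytes) -> bytes:
    """Salted, slow hash kept in the history list; old passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def is_reused(password: str, salt: bytes, previous: List[bytes]) -> bool:
    """Reuse rule: reject a new password whose fingerprint is in the history."""
    return history_fingerprint(password, salt) in previous


if __name__ == "__main__":
    for pw in ("tommy1!", "Summer2008!!", "kR7#mp2$Qz"):
        print(pw, check_password(pw) or "ok")
```

The dictionary and name checks do most of the real work: "Summer2008!!" satisfies every counting rule and is still rejected, which is exactly the password a guessing tool tries first.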
Because of the complex requirements outlined above for strong passwords, many users find complying with them difficult, particularly when every application and website should have a different password. As a result, many tools have appeared to help users manage complex passwords. Examples include software applications such as Password Depot and RoboForm, and USB devices such as IronKey are becoming increasingly popular for the same purpose. Both the software applications and the hardware devices work by encrypting the stored passwords under a key derived from a single master password, allowing complex, unique passwords to be saved and automatically recalled when logging into an application or website. The master password then becomes the one password that must be remembered, and the one that must be strongest, since anyone who learns it has every password in the store.
Protecting Email
One of the largest security issues facing accountants is email. By nature, email is an insecure medium: unless proactive measures are taken, messages and their attachments travel and are stored in clear text and can be read by anyone with access to the mail servers or networks along the way. Accordingly, accountants have a professional responsibility to ensure that confidential data are not inadvertently disclosed in unsecured emails. Key strategies for securing email and email attachments include:
- Using Microsoft’s Information Rights Management (IRM) to control who can open an email message and what the recipient can do with it once it is opened. IRM is a component of Microsoft Office 2003 and Microsoft Office 2007; it requires rights-management infrastructure on the sender’s side and an IRM-capable client on the recipient’s side.
- Protecting email attachments with passwords. For instance, when sending a Microsoft Excel 2007 workbook as an attachment, setting a password to open the workbook encrypts it with 128-bit AES. This does not prevent anyone from intercepting the attachment, but without the password an intercepted copy cannot be read. The protection is only as strong as the password, which should meet the rules above and be given to the recipient over a separate channel, such as by telephone, never in the same or a follow-up email.
- Using a tool such as Hushmail to encrypt the entire email message. Hushmail provides private and secure email accounts, which can be established at no charge at www.hushmail.com. Another tool to consider along these lines is PGP Enterprise (www.pgp.com). With either, end-to-end protection depends on the recipient being able to decrypt, so confirm how a given recipient will receive the message before relying on it.
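The attachment item above says the workbook is encrypted with a 128-bit key; the added example below (not code from the original article) shows what that protection actually rests on. It models a password-to-open header as a random salt plus a verifier derived from the password, and runs the offline guessing an interceptor can perform against it. The derivation used, PBKDF2-HMAC-SHA1 with 50,000 iterations, is an assumption chosen to be in the cost range of Office 2007’s iterated SHA-1, not the exact Office format; the wordlist and the two sample passwords are constructed. The same reasoning applies to the master password of the password managers described earlier: the vault’s encryption is only as strong as the password that unlocks it.

```python
"""What a password-protected attachment's security rests on.

Added example, not code from the original article. It models a
password-to-open header (random salt plus a verifier derived from the
password) and runs the offline guessing an interceptor can perform against
it. PBKDF2-HMAC-SHA1 with 50,000 iterations is an assumed derivation in
the cost range of Office 2007's iterated SHA-1, not the exact Office format.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

ITERATIONS = 50_000   # assumed; comparable to the 50,000 hash spins of Office 2007
KEY_BYTES = 16        # the 128-bit file key the article refers to


def derive_file_key(password: str, salt: bytes) -> bytes:
    """Derive the 128-bit content-encryption key from the password and salt."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_BYTES)


def make_verifier(password: str, salt: bytes) -> bytes:
    """Stored beside the ciphertext so a reader can test a typed password
    before decrypting: a keyed hash of a constant under the file key."""
    return hmac.new(derive_file_key(password, salt), b"verifier", hashlib.sha256).digest()


def protect(password: str) -> Tuple[bytes, bytes]:
    """What 'save with a password to open' leaves in the header: (salt, verifier)."""
    salt = os.urandom(16)
    return salt, make_verifier(password, salt)


def verify_password(password: str, salt: bytes, verifier: bytes) -> bool:
    """The check the legitimate reader runs; an attacker runs the same check."""
    return hmac.compare_digest(make_verifier(password, salt), verifier)


def guess_password(salt: bytes, verifier: bytes,
                   candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack on an intercepted file: no lockout, no rate limit, only
    the derivation cost per guess. Returns (recovered password or None, tries)."""
    tries = 0
    for candidate in candidates:
        tries += 1
        if verify_password(candidate, salt, verifier):
            return candidate, tries
    return None, tries


# Constructed wordlist standing in for a real cracking dictionary, which
# would hold millions of entries plus common year and symbol suffix patterns.
WORDLIST = ["password", "123456", "welcome1", "Summer2008!!", "Tax2008",
            "accounting", "letmein", "qwerty", "Password1", "Audit2008"]


def demo() -> dict:
    """Protect two workbooks, then attack both headers with the wordlist."""
    # "Summer2008!!" satisfies length and composition counts but is a
    # dictionary word with a predictable suffix; "kR7#mp2$Qz" is random.
    weak_salt, weak_ver = protect("Summer2008!!")
    strong_salt, strong_ver = protect("kR7#mp2$Qz")
    return {
        "weak": guess_password(weak_salt, weak_ver, WORDLIST),
        "strong": guess_password(strong_salt, strong_ver, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())  # {'weak': ('Summer2008!!', 4), 'strong': (None, 10)}
```

Nobody attacks the 128-bit key; they attack the password, and a real wordlist with GPU hardware tries candidates fast enough that a dictionary word with a year attached falls quickly even at this derivation cost. The random ten-character password is out of reach of the list entirely, which is why the password, not the cipher, decides whether the attachment is protected.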
Additionally, for those who connect to Exchange Servers, configuring Outlook to use Remote Procedure Calls over an “https” connection (RPC over HTTP, called Outlook Anywhere from Exchange 2007 onward) encrypts the traffic between Outlook and the Exchange server, which matters most when connecting from outside the office over the Internet. This is a configuration setting available to users of Outlook 2003 and Outlook 2007. Note that it protects only the client-to-server connection; it does nothing for a message once it leaves the organization for another mail system.
While there are no absolute guarantees with respect to data and system security, a few practical steps can help to mitigate an organization’s risk of unauthorized access to critical data. The techniques discussed in this article – policies, passwords, and protecting email – are easy to implement and pay off with enhanced data and system security.
Next month, strategies such as whole-disk encryption, anonymous web browsing, and anti-virus and malware protection will be reviewed as a means of further securing critical information.
Mr. Stephens is a shareholder in K2 Enterprises, where he develops and presents technology-related continuing professional education programs to accounting and finance professionals across the United States. You may reach him at tommy@k2e.com.