Firms large and small rely on the data in their accounting information systems to track customer relationships. Lose trust in that data, and the firm loses a key competitive advantage; arguably, you have no business. In the past, information security was for the spooks: government agencies and defense department contractors who had real secrets. Today, it is an integral part of how we all do business.
As it relates to the accounting environment, security knows no size; the sole practitioner should be just as concerned as his or her counterpart at a Big 4 firm. At the same time, security is typically mandated by a controlling organization. For example, solo medical transcribers must be concerned about the security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), while large accounting firms are trying to define the security implications of Sarbanes-Oxley legislation.
California, the regulatory bellwether state, led the pack in 2003 by signing into law SB 1386, which mandates that any California resident be notified when an unauthorized intrusion could expose their name and personal account information to identity theft. In early 2004, this regulation forced Wells Fargo Bank to notify customers whose names and Social Security numbers were stored on a computer stolen by an individual intending to use the customer information for identity theft.
First and foremost, Information Security begins with education, awareness, and setting policies. To begin the process of setting forth workable policies, invite a group of employees to a brainstorming pizza party. Discuss risks you have in your firm or business and the protection methods you currently undertake and evaluate on a regular basis. Talk about your systems, threats (internal and external), and your internal policies on security and access to information.
Next, compute the potential damages and the price of remediation. While determining the ROI on prevention can be difficult, without a clear appreciation of the potential losses you are putting your business at risk.
It's a fact that Information Security is just part of a much larger concern. The definition of Information Security, as defined by the Top Ten Technology Task Force, is: The hardware, software, processes and procedures in place to protect an organization's information systems from internal and external threats. This includes firewalls, anti-virus, password management, patches, locked facilities, IP strategy, and perimeter control. Many other areas are affected as well, including intrusion detection systems, security standard setting, social engineering, digital identity, privacy, biometric authentication, and digital rights management.
With the constant 24/7 "on-and-connected" world in which we live, the information technology help desk has been transformed into a war room of sorts. For example, 2003 started with the SQL worm, a tiny program that overwhelmed the Internet in the space of a mere 30 minutes, causing systems and ATMs around the world to grind to a halt. In the middle of the year came MSBlast, which caused unpatched Microsoft Windows XP and Windows 2000 machines to reboot.
Late in the year came word that Linux distribution source code servers had been compromised with backdoors, prompting project members to review code checksums, and patches to Mac OS X followed soon after its release.
If you learned nothing else in 2003, you realized that no operating system holds the panacea for absolute security, and, in fact, the concept of managed risk became vogue. Patch management, a concept formerly embraced only by large firms, became a new constant; several vendors even began discussion lists, including www.patchmanagement.org, to discuss best practices and policies for the most effective way to distribute patches to workstations.
As we continue working in 2004, what else will this year bring in Information Security? We've already seen several worms, and it's highly probable there will be many more. A new worm? A new threat? More bulletins or fewer? One thing is for sure: every one of us needs to ensure that security is built into every single application from the ground up. You cannot layer on security at a later time and receive the same results as when security is built into the project from the beginning. Each step of any project you undertake should include a risk analysis, so that you fully understand how best to build in protection.