James Bourke

Information Security Management

How to safeguard your company’s confidential records.

October 27, 2008
by James Bourke, CPA/CITP

Year after year, “Information Security Management” stakes its claim to the number-one slot on the AICPA’s Top Technology Initiatives list. The 2008 list was no exception, with over 15 percent of those surveyed ranking it their number-one choice and over 45 percent ranking it in their top five.

Whether you are involved in public practice, industry, government, education or any other area of our profession, the concerns around information security are widespread.

With our profession slowly transitioning to a paperless environment, and with the continuing expansion of mobile and remote computing technologies forcing confidential and private information into locations and portals that allow 24/7 access, the profession has every right to be concerned about the safeguards that are (or are not) in place, as well as the technologies that allow such data to be safeguarded.

The Three Pillars of IS Management

When we discuss information security management we generally try to break the topic into three pillars:

  • Confidentiality
  • Integrity
  • Availability

In protecting the confidentiality of client or private information, we utilize tools and processes that help to ensure such information remains confidential and is accessed only by those authorized to do so.

While storing and maintaining client or private information, your firm needs to take steps to help guarantee that the integrity of the data remains as it was when first obtained from the source. Such steps should include limiting file access rights and tracking file access.

In addition to protecting file integrity, your company needs to consider the availability of the data to the user. Files need to be made readily available to those who require such access and restricted to those who should have no access to such information.
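The integrity pillar above (data should remain as it was when first obtained from the source) can be checked mechanically. The following is an added example, not code from the article or the author's firm: it records a SHA-256 digest of each file in a folder when the records are first received and later reports anything that was modified, added or removed. The folder layout, file names and contents are constructed for the demonstration, and the manifest is assumed to be stored somewhere the users of the files cannot write to.

```python
"""Integrity baseline for a folder of client records.

Added example, not from the article: when records are first obtained, a SHA-256
digest of every file is recorded in a manifest; a later verification pass reports
any file that was modified, added or removed. Directory and file contents below
are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in 64 KiB chunks so large records need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest: the baseline."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare the folder's current state with the saved baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline two records, then alter one and drop in a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "client_a_return.txt").write_text("income: 100000\n")
        (root / "client_b_return.txt").write_text("income: 250000\n")
        # The manifest is serialized here; in practice it is kept somewhere the
        # users of these files cannot write to (assumption: separate, read-only store).
        saved = json.dumps(build_manifest(root))
        # Simulated unauthorized edit and an unexpected new file
        (root / "client_a_return.txt").write_text("income: 10000\n")
        (root / "scratch.tmp").write_text("temporary")
        return verify_manifest(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the "modified" and "added" lists become the file-access tracking the paragraph calls for: a digest mismatch tells you a record changed after receipt, and a stray file tells you someone wrote into a folder that should be read-only for most staff.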

When addressing information security management concerns, some of the items that generally make it to the “short list” include:

  • Router/IP Addressing
  • Access Control
  • Firewall
  • Patches
  • Anti-
    • Virus
    • Spam
    • Spyware
  • Passwords/Passphrases
  • Unprotected Shares
  • Personal Firewall
  • Web-based email/file sharing
  • Wireless
  • Physical Access
  • Backups

Among the above list of items, access control, patches, spam and wireless continue to be recurring “hot topics” in this area.

Controlling access to systems, applications and data is, beyond any doubt, one of the best ways to ensure such information remains protected and secure. A breakdown or weakness in access controls places more reliance on the other safeguards that may or may not be in place, and therefore exposes systems, applications and data to external threats that could result in unauthorized access to, and/or exploitation of, confidential or private data.

Setting up procedures that allow for the continued and monitored deployment of patches for operating systems and applications helps to ensure that security “holes” and weaknesses that have surfaced in earlier releases of existing operating systems and applications are closed and repaired before data is lost, threatened or corrupted.

Many operating systems and applications have built-in patch or system maintenance functions. If such functions are utilized, patch deployment can be configured to take place easily and totally transparently to the end user. Although most patches go through a significant amount of testing prior to release, at times patch deployment results in other issues within the organization. These issues generally include conflicts with other applications, systems or technologies that the vendor may not have tested in connection with the specific patch being deployed. Good patch deployment involves rolling out patches and fixes on a test basis within the same environment where they are ultimately intended to be deployed. Thus, if problems surface, vendors can be notified and deployment postponed until conflicts are resolved.

As technology continues to evolve, so do the methods spammers use to flood our systems with unwanted messages and information.

The ultimate, and often controversial, way to deal with spam is to utilize “white-list” technology. White-listing of preferred contacts allows only messages from those preferred contacts into your inbox. All other messages, from senders not on your preferred list, are directed elsewhere or rejected entirely by your system.

The upside of white-listing technology is that this type of system generally keeps out the majority of spam. The downside is that it can lock out messages that should have been allowed through (e.g., from prospects, existing clients and customers who may recently have changed email addresses, new referral sources, and more). In addition, spammers are continually working on ways to trick such technologies into treating a message as if it came from a preferred contact. One method frequently seen is “spoofing” of preferred addresses (i.e., the message appears to be from a preferred contact when it is in fact from a spammer).
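Both the downside and the spoofing caveat above can be shown in a few lines. The following is an added example, not code from the article or the author's firm: a white-list filter that checks only the From: header accepts a spoofed message, while a hardened version also requires that the receiving mail server's Authentication-Results header (RFC 8601) reports an SPF or DKIM pass, and the prospect from an unknown address is locked out by both. The addresses, domains and messages are constructed, and it is assumed that the firm's own border mail server writes the Authentication-Results header and strips any copy supplied by the sender.

```python
"""Sender white-list with and without an authentication check.

Added example, not from the article. A naive white-list trusts the From: header,
which a spammer can set to a preferred contact's address. The hardened check also
requires that the receiving server's Authentication-Results header (assumed to be
written by the firm's own border MTA, RFC 8601) reports spf=pass or dkim=pass.
All addresses and messages below are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed list of preferred contacts
ALLOWLIST = {"partner@example-client.com", "referrals@example-cpa.org"}


def sender_address(msg: Message) -> str:
    """Bare address from the From: header, lower-cased for comparison."""
    return parseaddr(msg.get("From", ""))[1].lower()


def naive_allow(msg: Message) -> bool:
    """Header-only white-list: accepts anything that claims a preferred address."""
    return sender_address(msg) in ALLOWLIST


def authenticated_allow(msg: Message) -> bool:
    """Accept only if the address is preferred AND the border MTA saw SPF or DKIM pass."""
    if sender_address(msg) not in ALLOWLIST:
        return False
    # Assumption: the trusted border MTA adds this header and removes sender-supplied copies.
    results = msg.get_all("Authentication-Results", [])
    return any("spf=pass" in r.lower() or "dkim=pass" in r.lower() for r in results)


# Constructed messages: a genuine client message, a spoof of the same address, and a new prospect
LEGIT = """From: Partner <partner@example-client.com>
Authentication-Results: mx.example-cpa.org; spf=pass smtp.mailfrom=example-client.com
Subject: Q3 figures

Attached as discussed.
"""

SPOOFED = """From: Partner <partner@example-client.com>
Authentication-Results: mx.example-cpa.org; spf=fail smtp.mailfrom=spam.example
Subject: Urgent wire instructions

Please see the new account details.
"""

UNKNOWN = """From: New Prospect <someone@new-prospect.example>
Authentication-Results: mx.example-cpa.org; spf=pass smtp.mailfrom=new-prospect.example
Subject: Looking for a CPA

Could we set up a call?
"""


def classify(raw: str) -> dict:
    """Run both checks on a raw RFC 822 message and report the verdicts."""
    msg = message_from_string(raw)
    return {"naive": naive_allow(msg), "authenticated": authenticated_allow(msg)}


if __name__ == "__main__":
    for name, raw in ("legit", LEGIT), ("spoofed", SPOOFED), ("unknown", UNKNOWN):
        print(name, classify(raw))
```

The spoofed message passes the naive check and fails the authenticated one, which is the point of the caveat; the unknown prospect fails both, which is the lock-out downside the paragraph describes and the reason rejected mail should be quarantined for review rather than silently discarded.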

Wireless Security

Finally, the need for access anywhere/anytime continues to be a driving factor behind the growth in wireless technologies.

Because of their ease of availability and widespread use, wireless technologies continue to be a security concern for many. All too often, “out-of-the-box” and short-cut setup of wireless devices leave communication channels open, unencrypted and exposed to the risk of attack.

As the 802.11n standard takes hold, many manufacturers are now configuring devices to enable WEP (Wired Equivalent Privacy) by default and to require passwords for modification of default settings.

Conclusion

Regardless of the standard utilized, firms need to ensure that the workplace is not the only site reviewed for potential wireless concerns. An open wireless connection at home or away, on a laptop, PDA (personal digital assistant) or Smartphone, leaves an organization’s infrastructure and underlying client and company data vulnerable to attack. Employees need to be educated on the proper use of wireless technologies at home and away from the office. Simple steps can be taken up front in order to avoid the consequences (not to mention the penalties) that come along with the breach of client or customer data.

As new technologies continue to develop and enter our profession, one thing is for sure: concerns surrounding information security will continue to prevail, leaving this topic at or near the top of the list for many years to come.


James C. Bourke, CPA/CITP, is a Partner at WithumSmith+Brown, where he is Director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and the AICPA CITP Credential Committee.