Guest Spotlight: Sheldon H. Eveloff – Take Technology Security Seriously
Sheldon H. Eveloff, CPA, CISA, CITP, is Partner-in-Charge of Goldenberg Rosenthal LLP’s Management Consulting Services Division. He can be reached at seveloff@grgrp.com. Goldenberg Rosenthal LLP is a member of PKF North American Network (PKF NAN).
Each year, the members of the AICPA’s Information Technology Section vote on the top technologies affecting the accounting profession and technology consulting. One of the most important is information security, which has been defined as the “hardware, software, processes and procedures in place to protect an organization’s systems, including firewalls, antivirus protection, password rearrangements, patches, and locked facilities, among other areas.”
Many employees play important roles in information security. Executives develop and approve policy, technology personnel implement it, and end-users follow it. Information security is a team effort; if anyone drops the ball, the entire organization suffers. Most, if not all, security mistakes result from ineffective or unenforced information policy, inadequate system controls, or poor education and awareness among end-users and technology personnel. Effective security requires coordinated effort and heightened awareness.
Security policy is at the heart of any information security strategy, representing the objectives from which all security procedures are derived. Formulating effective security policy requires knowledge, time and effort.
Effective information security also requires commitment on the part of management. Management’s commitment is communicated by development of sound information security policy; implementation and enforcement of policy and procedures; effective resource implementation; workforce education; and continuous focus on information security issues. Routine discussion of security issues in meetings, along with regular e-mail reminders about the importance of information security, sends a clear message to all employees that information security matters.
Too often, executives and managers pay lip service to information security, authorizing reactive short-term fixes, assigning untrained personnel to security tasks, and failing to deal with the operational aspects of security. Unfortunately, most business executives and many technology professionals do not have sufficient knowledge or awareness of the issues at stake, so prudent executives often enlist the help of professional information security specialists.
Business risks underscore the need for management to regularly review its information security policies and procedures, as well as funding. Failure to properly resource an information security strategy will eviscerate policies and procedures, and lead to security failures. Adequate resourcing is necessary for an information security strategy to be effective. Technology personnel require training in security procedures for servers, workstations, and network devices, as well as training on the latest security risks, threats, and developments. End-users, too, must be educated on security issues and policies.
Employee education and awareness is the most important of all information security measures. Awareness comes from education, organizational commitment and focus, enforcement of information policies, and a proactive technology staff. Employees should receive ongoing training on common security risks encountered in the workplace, which risky activities to avoid, and when and how to report suspected problems. The employer must include a policy on computer use in its employee manual, recognizing that employees are the first line of defense in securing information assets. Both the Electronic Communications Privacy Act and the U.S. Patriot Act make it unlawful to monitor any activity without a usage policy.
The first step toward solving a security risk is recognizing that a business has one. Monitoring the security and health of the information technology infrastructure has become an ever-increasing challenge. There are many areas that need to be addressed in a security plan to provide a comprehensive and scalable security solution that is forward-looking, while fitting into a complete technology plan. Since it is impractical to address everything, each company should evaluate its own set of potential liabilities and develop a unique blend of controls within its architecture.
We CPAs are intricately involved in the flow of information within a business, and have become the logical choice for evaluating and recommending information security strategies. Be prepared to offer a comprehensive overview of security threats when asked.