
How Secure Is My Tax Data?

Posted by presspass on
Business

When we enter a tax preparer’s office for the first time, we are unknown to them and have to provide not only our W-2s and/or business records but often also copies of prior years’ tax returns, Social Security cards for all family members, birth certificates, and other highly personal and private information. The office either makes paper copies or scans the documents into some type of electronic filing cabinet. In this era of rampant identity theft, we often hesitate to hand over such information, wondering how secure it will be in this accountant’s office. The concern is valid: hackers are trying to penetrate accountants’ systems now more than ever because of the amount of private information stored on their computers. How can you, as the tax client, know how secure your information is? What steps should a tax office take to protect client data?

First, ask about the accounting firm’s privacy policy. Is a copy provided on the firm’s website? Is a copy provided with each tax return? I have the company privacy policy posted on the website and have copies available in our waiting area. This policy should disclose any third parties that have access to your data and describe any outsourcing of services by the firm. As a practice, I keep all work inside my office, completed by employees under my supervision.

Second, what physical measures are in place to protect client data? Does the office have a security system with 24-hour monitoring? Not only does this office have 24-hour monitoring, we also lock all physical client data in desks and file cabinets at the close of business each night. During business hours, client data is kept out of sight of any outside parties entering the office for assistance. All original documents are returned to the client. Any physical copies no longer needed are shredded into confetti.

Third, and probably the most important step, is how data is protected electronically. IRS Publication 4557 requires all paid preparers to maintain a written electronic security policy. In line with the IRS guidance, my office uses a quality internet security suite that provides a firewall, anti-virus protection, and malware protection. To keep security at a high level, our router and switch were recently upgraded. High-risk and threatening websites are blocked, so employees cannot reach places they should not be going. Employees are well trained on the “No-Click Policy”, which reduces risk by prohibiting clicks on links and attachments in emails. All clients are required to submit tax information by physical delivery, fax, or upload to their client portal. Next, what kind of backup systems are used? In the event of disaster, theft, or data loss, will the office be able to restore my data? We keep multiple secure on-site and off-site backups. One last necessary measure is full hard drive encryption. All computers used to access client information must use hard drive encryption; without it, a desktop or laptop computer is vulnerable if physically stolen. Computers with hard drive encryption require a password even before the operating system, such as Windows 10, starts.
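The last requirement above (every machine encrypted, with a password demanded before Windows boots) is something an office can verify rather than assume. The script below is an added example, not from the original post; it assumes the encryption in use is BitLocker on Windows 10 Pro/Enterprise, that the BitLocker PowerShell module is present, and that it is run from an elevated session.

```powershell
# Added example (not the post author's code). Audits BitLocker on this machine:
# every volume must have protection On, and the OS volume must carry a
# pre-boot authentication protector (TPM+PIN or password), which is what
# "requires a password before the operating system starts" means in practice.
# Assumption: BitLocker module available; run as Administrator.
$preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'Password')
$osDrive      = $env:SystemDrive   # e.g. "C:"

$report = foreach ($vol in Get-BitLockerVolume) {
    # Collect the protector types attached to this volume as plain strings
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Volume      = $vol.MountPoint
        VolumeType  = $vol.VolumeType
        Protection  = $vol.ProtectionStatus          # On / Off
        Encrypted   = "$($vol.EncryptionPercentage)%"
        PreBootAuth = ($vol.MountPoint -eq $osDrive) -and
                      (@($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0)
        Protectors  = ($types -join ', ')
    }
}
$report | Format-Table -AutoSize

# Anything not protected, or an OS volume that unlocks silently via TPM alone
# (no PIN or password before boot), violates the policy stated in the post.
$failures = $report | Where-Object {
    $_.Protection -ne 'On' -or ($_.Volume -eq $osDrive -and -not $_.PreBootAuth)
}
if ($failures) {
    Write-Warning "Policy violation on: $($failures.Volume -join ', ')"
    exit 1
}
Write-Output 'All volumes encrypted; OS volume requires pre-boot authentication.'
```

A TPM-only protector still encrypts the disk but unlocks it automatically at boot, so a stolen laptop that boots to the Windows sign-in screen exposes a larger attack surface than one that stops at a pre-boot PIN.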

Warning: No system is 100% safe from a data breach. We take every precaution possible to protect and maintain client data in the most secure environment we can.

For the security and safety of your data, it is vital that you check with your accountant on the steps they take to protect and secure client data.  Click here for my podcast.

Don’t Let Third Parties Bring You Down

Posted by Editor on
Business

Without an effective vendor management program, the threat looms large.

How can a business effectively manage the oversight of its third-party vendors’ security and privacy programs? After all, these are completely independent organizations, running their own businesses and executing their own practices.

It may sound overwhelming (perhaps even impossible), but it is doable with an effective vendor management program.

Below are five key components to such a program. Keep in mind these are not one-and-done to-do’s. Each of the following should be performed on an ongoing basis.

  1. Document all third-party vendors.

Do you know every vendor doing work for your organization? The first, and possibly most neglected, step is to identify and document at least the following details for all vendors:

  • Contact names
  • Office locations
  • Dates contracted
  • Services performed
  • Data shared

Be sure to keep these details up-to-date for all vendors. You should also retain this information for past vendors for at least six years (longer if your business must follow strict data retention requirements).

One thing to watch out for, especially in large organizations with multiple locations, is multiple vendor contracts. Often, these firms will contract the same vendor to perform the same activities for each location, yet under differing contractual agreements. This creates an additional risk of vendor non-compliance.

  2. Document the information each vendor accesses.

Once you have identified all vendors, you need to document the types of information each has access to. For example: full name, mailing address, phone number, social security number, email address, birthdate, etc. More access to sensitive information (e.g. health data, social security numbers, etc.) means higher risk, and therefore, requires more oversight. Be sure to document the security controls associated with each vendor and establish a way to keep the information up-to-date.

Once you’ve identified the data each vendor accesses, you are ready to determine the risks to that data. The most effective way is a data flow analysis in combination with a risk evaluation. When it comes to performing this analysis, keep in mind simpler is usually better.

  3. Establish and update contractual requirements.

Determine if your contractual requirements for each vendor are adequate. At a minimum, your contract should include rights to:

  • Audit
  • Request completed risk evaluations on a regular basis (quarterly or bi-annual)
  • Be notified of, and approve, any subcontracting involving data
  • Review vendors’ documented information security and privacy policies
  • Be notified as soon as possible (typically within one business day) of a breach

  4. Determine and monitor risk levels.

You also need to determine the level of risk each vendor presents to your organization. You can often establish a preliminary risk level based on the following details:

  • The amount of sensitive information involved
  • The number of locations (and countries) the vendor uses to store and process data
  • The number of vendor employees who have access to data
  • The number of technologies and devices used
  • The maturity of the vendor’s information security and privacy program

  5. Establish a plan for ongoing oversight.

There are many effective ways to maintain oversight of your vendors. Which you choose depends on the type of service the vendor provides. Below are some options to consider:

  • Obtain monthly or quarterly attestations from your vendors’ executives. By attesting that security and privacy programs are maintained and enforced, the executives become even more personally accountable.
  • Perform risk assessments. These assessments may include requiring the vendors to complete surveys to help you evaluate their security and privacy programs.
  • Require and monitor your vendors’ regulatory compliance specific to their industries and applicable legal requirements.

The more automated you can make ongoing oversight the better. However, some of your highest risk vendors may require personal phone meetings, or even on-site visits.

How SIMBUS360 can help

If you need help with any of the above processes, consider a vendor tracking automation tool, such as SIMBUS Tracker. SIMBUS Tracker is powerful vendor management software designed to monitor organizations with access to personal information. It consolidates all necessary compliance verification information and associated records into one simple-to-use, secure platform and performs ongoing oversight of your vendor relationships.

SIMBUS Tracker is available for direct use. It’s also available in a white-label version. So, if you lead a business, such as a law firm, managed services IT firm, consultancy or an accounting practice, and you’d like to help your clients with their own vendor management, SIMBUS Tracker is ideal software for opening up that additional business line or revenue source for your firm. Contact Dave Greek to learn more.

For more information, download our Vendor Oversight & Risk Management Tips guidance document. The document includes common security and privacy risks discovered from more than 300 vendor assessments.
