Firm Confidentiality Policy
Confidentiality is one of the cornerstones of the tax profession. We know client financial
information is private, and you can be assured that we employ every reasonable data
security measure available, including physical locks on file cabinets, network password
protections, hardware and software firewalls, and data encryption. Our physical location
is monitored by XYZ Security, Inc. Client files, electronic and otherwise, are available
only to our firm staff. Electronic files are backed up daily and stored, encrypted and
password-protected, on private, off-site storage media. All copies of client documents
not needed in hard-copy format are shredded. All hard drives in old computers are
physically destroyed before the computers are disposed of. And all original business and
accounting records provided to us are returned to our clients promptly. We retain scanned
copies of the documents necessary for the performance of our services and those which
are required by law.
Without the client's specific, written permission, no personal information may be
disclosed to anyone, except information that is already public or whose disclosure is
required or permitted by law. The information clients give us about their personal or
business records is reserved for those employees who need to know it in order to
properly service the account.
All new employees hired at our firm undergo a background check and are required to
sign this acknowledgement of our firm’s strict adherence to confidentiality regarding
client information.
Employees are required to lock their screens (or shut down), clear their desks and return
files to secure locations when leaving their office for more than 15 minutes, and to abide
by our computer usage policy to protect client information.
Employees may never discuss firm or client information with anyone other than the client
or fellow employees working on the account. In particular, clients and client information
must never be discussed in public places such as restaurants or social events.
Our company policy also prohibits disclosing client names to anyone outside the firm.
When a client calls requesting information, the caller's identity must be verified (by date
of birth and Social Security number) before anything is disclosed; ask the caller to supply
these details rather than reading them out for confirmation.
In the event of litigation, or other disclosure allowed by IRS ethics and confidentiality standards, only the minimum client information necessary to comply will be disclosed.
The undersigned employee has read the above confidentiality policy and agrees to
comply with the policy.
______
Signature Print Name Date
Security
Use engagement letters, portal policies, employee confidentiality policies and company-wide computer and internet use policies. Emphasize confidentiality regularly in the office, as it is one of the very few things we sell. Clean off desks every night, lock up files and drawers, and require full-disk encryption with a strong password to start every computer. Use off-site backup. Maintain a redundant computer system at home with all of the same software in the event of disaster. Maintain a disaster policy and update it every fall when daylight saving time ends.
Security in any business has three aspects: electronic, physical and disaster planning. All three overlap; for example, electronic security must include protection of the electronic data from intruders, viruses and other malware as well as protection against the physical theft or destruction of the equipment that contains the data.
Here is a simple example. Say that you store all of your business's electronic data on a computer protected by a firewall and antivirus software, which requires a password-based Windows login to access anything on it. Although this provides fairly good protection against electronic theft, it provides minimal protection against physical theft. If a thief steals the computer, he can bypass the Windows login by removing the hard drive, installing it in his own computer and logging in to his own Windows system, which can now read every file on the drive. The Windows password never enters into it, because it only controls logging in to Windows, not access to the data on the disk. This means that the data must be protected both electronically and physically through full-disk encryption (BitLocker on Windows is one example), configured so that a password or PIN is required to "unlock" the drive before the operating system even starts.
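As an added example (not part of the original document), the following PowerShell script audits each volume on a Windows computer for exactly the weakness just described: it reports drives that are not fully encrypted, drives whose BitLocker protection is suspended (a suspended volume stores a clear-text key on disk), drives that unlock with the TPM alone (safe if the bare drive is removed, but a thief who has the whole computer boots it straight to the login screen; a pre-boot PIN forces a guess before Windows loads) and drives with no recovery password escrowed. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module exists (on Windows 7 the equivalent check is `manage-bde -status`), and an elevated prompt; the finding texts are mine.

```powershell
# Added example: audit full-disk encryption so a stolen drive cannot simply be
# read in another PC. Requires the BitLocker module (Windows 8 / Server 2012+)
# and an elevated (Administrator) PowerShell prompt.
Import-Module BitLocker -ErrorAction Stop

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Key protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword, Password
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Readable-in-another-PC is only closed when the volume is fully encrypted
    # AND protection is on; a suspended volume keeps a clear-text key on disk.
    $encrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
    $protected = $vol.ProtectionStatus -eq 'On'

    # A TPM-only protector unlocks automatically at boot. Requiring a PIN or a
    # password before boot is what makes the thief guess instead of just booting.
    $preBootAuth = ($protectors -contains 'TpmPin') -or
                   ($protectors -contains 'TpmPinStartupKey') -or
                   ($protectors -contains 'Password')

    # Without an escrowed recovery password a forgotten PIN or a failed TPM
    # locks the firm out of its own data; escrow it in AD or in the safe.
    $recovery = $protectors -contains 'RecoveryPassword'

    $finding = if (-not $encrypted) { 'NOT ENCRYPTED: readable if the drive is removed' }
               elseif (-not $protected) { 'PROTECTION SUSPENDED: run Resume-BitLocker' }
               elseif (-not $preBootAuth) { 'TPM-only unlock: add a PIN with Add-BitLockerKeyProtector -TpmAndPinProtector' }
               elseif (-not $recovery) { 'No recovery password escrowed' }
               else { 'OK' }

    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Method     = $vol.EncryptionMethod
        Protectors = ($protectors -join ',')
        Finding    = $finding
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code if anything other than 'OK' was found, so the script can
# run from a scheduled task and raise an alert rather than just print a table.
if ($findings | Where-Object { $_.Finding -ne 'OK' }) { exit 1 } else { exit 0 }
```

Run it on every workstation and laptop, not just the server: the laptop in a car or a hotel room is the machine most likely to be stolen. The recovery password that the script insists on must itself be stored away from the computer (a sticker on the lid defeats the whole exercise).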
Here is another example. A disgruntled, soon-to-be-former employee logs in to the system to get a copy of all client information. Without physical and electronic controls that prohibit such activity and actually stop it, the employee can plug a tiny USB drive into their computer and copy everything. In this case a written policy protects the employer (and incriminates the employee); a logging system can track what they did; and disabling USB storage devices can keep employees from copying such data in the first place.
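Added example, not from the original document: the PowerShell functions below implement the last two controls in the paragraph above, disabling USB mass storage through the documented USBSTOR service setting and turning on the "Removable Storage" audit subcategory, then reading back the event ID 4663 records it produces. They assume Windows 8 / Server 2012 or later and an elevated prompt. The function names are my own; the registry path, value and auditpol subcategory are the standard Windows ones.

```powershell
# Added example: block USB mass storage and make removable-storage access
# visible in the Security event log. Elevated PowerShell, Windows 8 / 2012+.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }
}

function Get-UsbStorageState {
    # Start = 3: the USB mass-storage driver loads on demand (sticks work).
    # Start = 4: the driver is disabled (keyboards, mice and printers still work).
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Disable-UsbStorage {
    Assert-Elevated
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    # Log every access to removable-storage objects (event 4663, task category
    # "Removable Storage") so a drive that was already plugged in, or a later
    # policy exception, still leaves a trail that names the user and the file.
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
}

function Enable-UsbStorage {
    Assert-Elevated
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

function Get-RemovableStorageAccess {
    # Most recent removable-storage accesses: who touched which file, from which program.
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents ($Last * 20) -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        Select-Object -First $Last |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Process = $data.ProcessName
            }
        }
}

# Typical use:
#   Get-UsbStorageState          -> 'Enabled'
#   Disable-UsbStorage
#   Get-UsbStorageState          -> 'Disabled'
#   Get-RemovableStorageAccess -Last 20 | Format-Table -AutoSize
```

Call Get-UsbStorageState before and after Disable-UsbStorage to confirm the change; it applies to drives plugged in afterwards, so reboot to be sure. Two caveats: the USBSTOR switch stops USB disks and sticks only, not phones and cameras that connect as MTP devices, and not files emailed out or uploaded to a personal cloud account; and a local administrator can flip the value back, so the control only holds if employees work from non-administrator accounts. In a domain, push the same settings with Group Policy (Removable Storage Access and Advanced Audit Policy Configuration) so they cannot drift.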
Finally, what if a flood, hurricane or fire hits your office? Many firms back up their data, but do you keep a copy off site? Do you have duplicate equipment loaded with duplicate software to get you up and running as soon as possible? Most importantly, do you have a disaster plan telling people what to do, when to do it and how to handle such events?
This information is designed to address these three main security issues: electronic security,
physical security and disaster security.
Disaster Planning
Disaster concerns range from fires, floods and natural disasters to theft, criminal activity and electrical surges. The solutions include prevention, inventory, backup and disaster planning.
1. Electrical surges. Surge protectors are required at every computer and peripheral device. A surge protector has a useful life of 2-3 years, so they should be replaced periodically. Make sure that you use a true surge protector (a surge suppressor, rated in joules and listed to UL 1449), not a plain power strip, which provides no protection at all. Additionally, some smaller offices can use a whole-building protector where the power enters the building. Finally, recognize that a nearby lightning strike can still burn through most point-of-use surge protectors; choose a fused unit with a protection-status indicator so that a spent protector is obvious and gets replaced, and treat the whole-building protector and your insurance as the real defense against a direct strike.
2. Uninterruptible power supplies should be placed at servers and important desktops. These devices should provide 5-15 minutes of backup time, plus automatic saving and shutdown. The battery in these devices has a 2-3 year life and should be replaced periodically. Plan on spending $250 or so each. Tiger Direct has an excellent unit from CyberPower for $270 with automatic shutdown and a 3-year guarantee.
3. Backup generators might be considered in remote locations. One example is the Honda Black Max, available at Sam's Club for $1,000, which provides 9,500 watts of power with seven 110-volt outlets. Run any generator outdoors, never inside the building.
Maintaining a physical and electronic inventory of hardware, software and all relevant serial numbers should be a regular, semi-annual exercise. In our office we video record the interior of the building once or twice a year, save the recording on our hard drive and with the off-site backup, and also maintain an Excel spreadsheet inventory on an office-by-office basis.
Microsoft offers a free Excel software-inventory sheet at its download site. Belarc offers a wonderful free program, Belarc Advisor, that inventories every piece of software, every update, every serial number, etc. installed on your computer.
Disaster Recovery
According to a recent NFIB National Small Business Poll, man-made disasters affect 10% of small businesses, whereas natural disasters have affected more than 30% of all small businesses in the USA. Disasters can also include such diverse events as the illness or sudden death of employees or owners, changes in the law that affect the business's revenue stream, demographic or financial changes in the area where the business is located, or road closures.
1. To minimize disasters, or the effects of disasters, all businesses should:
   a. Maintain a 30-foot combustible-free zone around the building, and also clean gutters, roofs and fireplaces. Be particularly careful about hardwood mulch, which can spontaneously combust in dry weather.
   b. Maintain at all desks a list of emergency phone numbers (police, fire, EMT and owners) and provide a copy to employees to take home. Build this list into your cell phones as well!
   c. Establish interior safe places for tornados, intruders or similar issues.
      1. Establish an office-wide security "signal" in the event of intruders.
      2. Keep blankets, water, flashlights, radios, first-aid kits, cleaning supplies and rubber gloves on hand in the emergency area, as well as cameras to immediately document any damage.
      3. Determine safe parking places for storms, intruders or night workers, and add exterior lighting for safety.
   d. Unplug all electrical devices in storms.
   e. Verify replacement-cost and business-interruption insurance coverage for contents.
   f. Create a phone tree for calling employees in emergency situations.
      1. Create a client phone or email tree for similar client notification.
      2. Have an alternate worksite location planned in advance with adequate electricity and internet connections, as well as at least one functioning computer with an internet connection. (The owner's home works well.)
      3. Document all processes that the business follows, in addition to the backup procedures previously discussed.
2. In the event of physical or electronic data theft, business owners need to be aware of FACTA (the Fair and Accurate Credit Transactions Act). Many business owners don't know that FACTA's Disposal Rule requires any business that holds information derived from consumer reports (credit and background checks, for example) to dispose of it by means that leave it unreadable: shredding or burning paper, and wiping or destroying electronic media. Others know the laws addressing these issues but don't make compliance a priority; a simple test is whether shredders are easily accessible for employees' use.
   a. All potential employees should have a credit and background check.
   b. All systems should be encrypted, particularly network servers and laptops.
   c. Most states (today all of them) have passed breach notification laws which require notification of affected customers. The business should have its attorney determine what constitutes a breach, what is an appropriate method of notification for customers and enforcement agencies, and what safe harbors exist. Interestingly, in most situations, encrypted data is exempt from the disclosure rules, but only if the encryption key or password was not lost or stolen along with the data, which is one more reason to keep pre-boot passwords and recovery keys away from the equipment itself.
Disaster Planning Checklist (mark each item Completed)
TELEPHONE
Develop Emergency Phone Call List-Police, Fire, EMT & Display at all desks
Develop Home/Cell/Spouse Phone list for all employees
Add Call list #1 and #2 to all owner/manager cell phones
Develop calling tree for emergencies (owner/manager unavailable)
Plan for telephone forwarding or restoration in a disaster
INSURANCE
Perform video & spreadsheet inventory of all equipment/software with invoice copies
Store copy of inventory both on and off site
After performing inventory obtain replacement cost coverage
Obtain business interruption insurance
Update fire & personal injury liability coverage
Update professional liability coverage
SYSTEMS
Install surge protectors at all workstations
Install uninterruptible power supply at server & main workstations
Install antivirus software at all workstations, set to automatic update
Install firewall software at all workstations, set to automatic update
Install hardware firewall at Internet connection
Run Windows Update on all systems, set to automatic update
Encrypt all server data
Encrypt all laptop data
Develop backup policy & enforce
Develop employee policy manual, educate & enforce
INTRUDERS or DISASTERS
Develop office-wide alert system
Develop alternate physical office location
Establish interior safe place
Unplug all electrical devices
Document office procedures
Obtain and prominently mount fire extinguishers
Obtain and prominently mount smoke detectors and weather radio
Obtain first aid kit and educate employees to location
Obtain emergency water, blankets, flashlights, batteries, radios
Obtain cleaning supplies, rubber gloves, miscellaneous tool kit
Electronic Security
“If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.” - Former White House Cyber-Security Advisor, Richard Clarke
Let's start this section with some basic discussion about two things: how you access the internet and what you are doing to protect yourself from the daily security threats.
Internet Access
To access the internet you use a web browser, a free program, and most likely you use a version of Internet Explorer, as most people in the world do. In recent years other browsers have also become popular, and you have heard of many of them; in order of popularity: Firefox, Chrome, Safari and Opera. Each offers certain advantages over the others in speed, functionality, security, etc. Although I am a fan of Chrome and Firefox because of their speed, Internet Explorer 10 (the latest version at the time of writing) is nearly as fast and offers several good security features. It may be slower than Chrome and lack some of Firefox's features, but the SmartScreen filter built into IE 9 and 10 is simply the best, hands down, at stopping malware. The bad news? IE 10 (or 9, for that matter) does not and will never run on Windows XP, according to Microsoft. XP users should continue to use IE 8 if security is more important than speed, or better, upgrade to Windows 7: since Microsoft ended support for XP in April 2014, the upgrade is the only option that keeps receiving security patches at all.
Privacy is part of the pitch for IE 10 and Firefox 4. Both try to help users stop websites from monitoring what they do elsewhere on the web, a concept that has been called "do not track."
IE 10 offers two ways to do that, one hidden and the other outright clandestine. If you select a sub-menu of the Safety menu available under the gear icon in its top right corner, you can enable a "tracking protection list" of sites that the browser will then stop from tracking you through such technologies as saving cookie files to your computer. Or you can add a special, empty tracking protection list to activate a feature that tells every site you visit not to track you.
Sites don't have to honor that request. Firefox 4 spells that out by labeling this option (under the Advanced category of its preferences or options window, not Privacy as you might expect) "Tell web sites I do not want to be tracked." But as political pressure increases, sites might feel obliged to pay attention.
Both IE 10 and Firefox 4 look like major, welcome advances. But each falls short of Chrome in one key aspect: security. Google's browser automatically updates two major security risks, the plug-ins used to display Adobe Flash multimedia and Portable Document Format files, whereas IE doesn't even warn you that you're running out-of-date, unsafe versions. Firefox 4 can, but it's up to you to install the updates. (Note that on a Mac, it still can't display PDFs by itself.)
How to Choose a Good Password?
Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or "crack" them. Consider a four-digit PIN. Is yours a combination of the month, day or year of your birthday? Or the last four digits of your Social Security number? Or your address or phone number? Think about how easy it is to find this information out about somebody. What about your email password: is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words in the dictionary.
Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Better still is to add numbers and special characters as well as mixed case: change the same example to "Il!2pBb." and see how much harder it has become to guess. Keep in mind, though, that both versions are still only six to eight characters long; against an attacker who has stolen a password database and can test billions of guesses per second offline, length matters far more than the mix of characters, which is why the passphrase advice that follows is the more important rule.
Longer passwords are more secure than shorter ones because there are more characters to guess, so use passphrases when you can. For example, "This passwd is 4 my email!" would be a strong password because it has many characters and includes lowercase and capital letters, numbers and special characters. You may need to try different variations of a passphrase: many applications limit the length of passwords, and some do not accept spaces. Avoid common phrases, famous quotations and song lyrics, which appear in crackers' word lists.
Don't assume that now that you've developed a strong password you should use it for every system or program you log into. If an attacker guesses it, or steals it from one poorly protected site, he would have access to all of your accounts. Use these techniques to develop unique passwords for each of your accounts, or let a password manager generate and remember them for you.
Here is a review of tactics to use when choosing a password:
Don't use passwords that are based on personal information that can be easilyaccessed or guessed.
Don't use words that can be found in any dictionary of any language.
Develop a mnemonic for remembering complex passwords.
Use both lowercase and capital letters.
Use a combination of letters, numbers, and special characters.
Use passphrases when you can.
Use different passwords on different systems.
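To put numbers on the advice above, here is an added PowerShell example (not part of the original text) that estimates how long each of the passwords discussed would survive an offline guessing attack. It uses the standard "length times log2(alphabet size)" estimate; the dictionary is a constructed six-word stand-in for a real cracking word list, and the ten-billion-guesses-per-second rate is an assumed figure for a stolen password database hashed with a fast algorithm. Function names are my own.

```powershell
# Added example: estimate guessing resistance for the passwords in the text.
# Assumption: an attacker cracking a stolen, fast-hashed password database
# offline at ten billion guesses per second.
$script:GuessesPerSecond = 1e10

# Constructed stand-in for a cracking word list; real lists hold millions of
# words and leaked passwords, each also tried with digits/symbols appended.
$script:Dictionary = @('hoops', 'password', 'email', 'basketball', 'date', 'daytt')

function Format-Duration {
    param([double]$Seconds)
    if ($Seconds -lt 1)           { return 'instant' }
    if ($Seconds -lt 3600)        { return ('{0:N0} seconds' -f $Seconds) }
    if ($Seconds -lt 86400 * 365) { return ('{0:N0} days' -f ($Seconds / 86400)) }
    $years = $Seconds / (86400 * 365)
    if ($years -gt 1e9)           { return 'billions of years' }
    return ('{0:N0} years' -f $years)
}

function Get-PasswordStrength {
    param([Parameter(Mandatory)][string]$Password)

    # Size of the smallest character set that contains every character used.
    # -cmatch is the case-sensitive match; plain -match would ignore case.
    $alphabet = 0
    if ($Password -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Password -cmatch '[0-9]')        { $alphabet += 10 }
    if ($Password -cmatch '[^A-Za-z0-9]') { $alphabet += 33 }   # printable symbols and space

    $bits = $Password.Length * [math]::Log($alphabet, 2)

    # A dictionary word, with or without digits or symbols around it, is found
    # long before brute force matters, whatever the alphabet arithmetic says.
    $stem = $Password.ToLowerInvariant() -replace '[^a-z]', ''
    $inDictionary = $script:Dictionary -contains $stem

    $seconds = if ($inDictionary) { 0 } else { [math]::Pow(2, $bits) / $script:GuessesPerSecond }

    [pscustomobject]@{
        Password   = $Password
        Length     = $Password.Length
        Alphabet   = $alphabet
        Bits       = [math]::Round($bits, 1)
        Dictionary = $inDictionary
        CrackTime  = Format-Duration $seconds
    }
}

# The examples from the text, plus a plain passphrase with no digits or symbols.
'hoops', 'IlTpbb', 'Il!2pBb.', 'This passwd is 4 my email!', 'basketball hoops after lunch' |
    ForEach-Object { Get-PasswordStrength $_ } |
    Format-Table -AutoSize
```

Running it shows the point the text makes: "hoops" falls to the dictionary at once, "IlTpbb" and even "Il!2pBb." (about 34 and 53 bits) are a matter of seconds to days, while both passphrases (over 160 bits) are out of reach of brute force, including the one with no digits or symbols at all. The estimate is optimistic for passphrases built from common words, since real crackers also try combinations of dictionary words, so still avoid well-known phrases, and none of this helps if the same password is reused on a site that gets breached.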
How can you protect your password?
Now that you've chosen a password that's difficult to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer or, worse, taped to your computer is just making it easy for anyone who has physical access to your office. Don't tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords (see Avoiding Social Engineering and Phishing Attacks for more information).