Security Series Part 1: Take Stock of Your IT Assets
As a CPA, you’re the keeper of vast amounts of sensitive client data—and that’s a big responsibility. The protection of all those social security numbers, bank account numbers, and other personal financial details falls to you. Are you doing all you can to keep this data safe and secure?
Over the next five weeks, we’ll offer actionable guidance on how to better secure your practice’s technology and data assets from hacking and theft threats. At the end of the series, you’ll have a set of practical steps to take to protect your firm against cyber-crime.
First things first: Identify your IT assets
To figure out how to secure your technological infrastructure, you first need to know what you’re working with. This means taking an inventory of your firm’s IT assets, either by yourself or with the help of your IT service or office manager. Use this free template to list all of your technology components, which include the following areas:
To secure the information that’s being shared, communicated, and stored within your practice, start by taking stock of your networking elements. What types of networks do you have in place at your firm—wired (LAN), Wi-Fi, or both? Do you have an internal network as well as a guest network? Make note of which computers and other devices are connected to each network, along with the names of everyone who has the network passphrases.
Hardware and system components
Make a list of every computer and piece of peripheral hardware in your practice, including PCs, laptops, mobile devices, printers, file servers and other network-attached storage, as well as external hard drives that may not be connected to your network. The graphic below shows a sample office network, which could help you identify all your components.
Data and applications
Much of your clients’ data is housed within software applications you use to manage your practice. List every piece of business software you use and what you use it for. This could include accounting platforms like QuickBooks and practice management tools like CCH Access. Note what type of information is managed in each tool and whether that data is stored on a local computer, in other on-premises storage, or in the cloud. Also record the storage location of any other practice-related data archives or backup files.
Now for the human component. Document the names and system usernames of everyone with an account on your systems, along with the level of access or administrative privileges they’ve been granted. This could include distinctions for users who have access to specific files on your shared server or guest login credentials for your laptop. It’s good practice to audit this list regularly to keep it up to date as employees leave or new staff are hired.
This IT asset inventory is your starting point for strengthened cyber-security in your practice, so the more complete and accurate it is, the better protected your client data will be. Next week we’ll examine the latest best practices for creating and maintaining strong passwords.