Data security.


Information security should be a critical concern for tax practitioners whose notebook and desktop computers are connected to internal and external networks. An unsecured system can have a significant impact on the effective operation of a firm.

"Security" refers to those systems and procedures that prevent unauthorized access to, use of or modification to a firm's information assets. Such information may be physically stored on the firm's personal computers, file servers and other storage devices, or it may be communicated from one computer to another via a wide area network (WAN), remote dial-up connection or (increasingly) the Internet. There are many reasons why organizations need to keep data private and secure from potential loss due to physical or electronic theft, viruses and hackers:

* Practitioners have an affirmative obligation to protect client information from disclosure to unauthorized parties.

* The value of proprietary data is diminished if that data can be transferred to others without proper compensation.

* Programs covered by license agreements bind users to a legal obligation not to disclose or transfer information to others.

* Unrestricted access may cause disruption and damage to computer systems.

This discussion of security is a general one. After reviewing the issues raised here, it is important to continue researching current technology and implement a security plan. The plan should be clearly communicated to all employees; once it is implemented, there should be periodic checks to make sure everyone is following it. Donn G. Parker, a leading security expert based at SRI in Palo Alto, Cal., offers six fundamental concepts of information security:

* Confidentiality: Control over disclosure of information.

* Possession: Control over use of information.

* Integrity: Validity, correctness and completeness of information.

* Authenticity: Correct attribution of the origins or authorship of information.

* Availability: Timely access to information.

* Utility: Suitability, fitness or value of information for a specific purpose.

Information security measures are designed to address one or more of these concepts.

Information Security Within an Enterprise

Personal computers: The first line of defense is to make sure personal computers (and the information stored on them) are adequately safeguarded against loss, misappropriation and viruses. Increasingly, firms are equipping partners and staff with portable notebook computers; these enable work to be done effectively while users are away from the office at client sites, traveling and at home. Not only is the actual computer more at risk of being lost or damaged, but sensitive or valuable information stored on the notebook while it is out of the (usually more secure) office environment is at greater risk of compromise.

A written policy should be implemented on the safeguarding of notebook computers. Inexpensive locking cables can be used to thwart the "casual" theft. Staff should be made aware of the common approaches thieves use to steal computers and of precautionary measures that can be taken.

Equally important, policy and procedures to prevent unauthorized access to the information on a firm's computers--by theft or by unauthorized individuals who might otherwise have access to the computer--should be established. There are software products available that secure the contents of a computer's hard drive, making it virtually impossible to gain access to the data without entering a password. In effect, the hard drive must be reformatted to remove the protection software, thus eliminating the risk that the information stored on it will be compromised.

Viruses on personal computers can damage software by causing the computer to overwrite a program's instructions. When an infected program is later run, it will fail. Another virus technique is to fill a fixed disk with characters, overwriting the good data. In these instances, significant programs and data may be destroyed, and restoring this data may be a long and difficult process. Viruses used to arrive mostly on diskette; now, they enter systems via the Internet and e-mail. Virus protection software is available for both individual computers and networks.

Network security: Today's local area network (LAN) operating systems provide an extensive array of security features designed to restrict information access to authorized network users. Security features often found on LANs include:

* Login policy and procedures that define who can access networked resources, when and from what computers.

* Directory and file access policy and rights, which restrict users or groups of users to specific data directories and files and limit their rights to act on those files.

* Password management, which can be set to require passwords of all users and establish and enforce guidelines as to how many characters the password must contain, how often it must be changed, etc.

* Physical access to file servers and other common computing resources.

* Virus protection software.

Security risks increase when a network can be accessed via communication lines (e.g., through a dial-up modem connection or because it is interconnected with other LANs in a firm via a WAN).

Dial-up users should be afforded the same level of security as those users directly connected to the network. Additional precautions can also be implemented to provide an extra level of security for dial-up access to the network, including call-back procedures (whereby remote access software will call back the user at a predefined phone number) and monitoring software (which monitors and reports on excessive or unusual attempts to access the system).

Security precautions are also available for the communications devices (routers and bridges) used to interconnect LANs to WANs. These devices can be programmed to accept "packets" of data that have originated only from "known" communications devices within an organization.

Internet Security

Early security efforts were directed at ensuring that information within an enterprise (personal computers, LANs and WANs) was adequately secured. Now that companies are increasingly looking to the Internet to allow inter-enterprise connectivity (i.e., to allow employees to tap into a rich source of information and to collaborate with current and prospective clients, vendors and other business partners), they must increase the safeguards at every Internet point of entry. "Firewalls" are a common method of defense against unauthorized access to an organization's network. A firewall examines the source of each "packet" of data coming from the Internet and only allows passage of packets from predetermined ("known") sources. Computers on the inside of a firewall are assumed to be trustworthy; computers outside the firewall are assumed not.
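
The source-based filtering described above for firewalls (and earlier for routers and bridges), sketched as an added example that is not part of the original article; the addresses, interface names and the `decide` function are assumptions made for illustration. It also shows why the interface a packet arrives on has to be checked along with the source it claims.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy; all addresses are documentation ranges (RFC 5737)
# chosen for illustration, not values from the article.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")   # protected LAN (assumed)
KNOWN_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),        # hypothetical branch office
    ipaddress.ip_network("203.0.113.17/32"),        # hypothetical partner host
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: "inside" or "outside"

def decide(pkt):
    """Return (verdict, reason) for one packet; anything not matched is dropped."""
    try:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
    except ValueError:
        return "drop", "malformed address"
    if pkt.iface == "inside":
        # Inside hosts are trusted, but only with a genuine inside address.
        if src in INSIDE_NET:
            return "allow", "inside host"
        return "drop", "foreign source on inside interface"
    if pkt.iface != "outside":
        return "drop", "unknown interface"
    # The source field is only a claim made by the sender: an inside address
    # arriving on the outside interface cannot be genuine.
    if src in INSIDE_NET:
        return "drop", "inside source on outside interface"
    if dst not in INSIDE_NET:
        return "drop", "destination not protected"
    if any(src in net for net in KNOWN_SOURCES):
        return "allow", "known source"
    return "drop", "unknown source"

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.20", "192.0.2.10", "outside"),
    Packet("203.0.113.17", "192.0.2.10", "outside"),
    Packet("203.0.113.99", "192.0.2.10", "outside"),
    Packet("192.0.2.50", "192.0.2.10", "outside"),
    Packet("192.0.2.10", "198.51.100.20", "inside"),
    Packet("not-an-ip", "192.0.2.10", "outside"),
]

def run(packets=SAMPLE):
    return [decide(p) for p in packets]

if __name__ == "__main__":
    for p, (verdict, reason) in zip(SAMPLE, run()):
        print(f"{p.iface:7} {p.src:15} -> {p.dst:15} {verdict:5} ({reason})")
```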

When properly configured and maintained, firewalls provide a level of protection to an organization's information. Even stronger levels of protection can be provided by additional means, including encryption, digital "certificates" and smart cards.

According to Jeffrey Rothfeder, in his article "HACKED! Are Your Company Files Safe?", PC World, Nov. 1996, "Many software packages and network programs--Microsoft Windows NT, Novell NetWare, and Lotus Notes, among others--offer add-on encryption schemes that encode all data sent on the network. In addition, companies can buy stand-alone encryption packages to work with individual applications. Almost every encryption package is based on an approach known as public-private key. Scrambled data is encoded using a secret key unique to that transmission. Receivers use a combination of the sender's public key and their own private encryption key to unlock the secret code for that message and decipher it."

Digital certificate security requires any person outside an organization to possess an electronic certificate, issued in advance by a "trusted" resource. These certificates include users' names, their public keys and the digital signature of the trusted authority. Smart cards are small credit-card-sized devices that contain a microchip that stores encoded, private keys. The card fits into a smart card reader that can be installed on a user's PC. The system can be used over multiple e-mail systems in an Internet transaction, provided the sender and receiver have access to each other's public keys.

Who Should Implement the Data Security Plan?

Depending on the talent of a firm's information technology staff and the size of the organization, data security features can be set up internally or outsourced. Good internal staff can control firewalls, passwords and virus protection, but they need additional time to oversee these functions and may need additional staff.

Outsourcing data security may be necessary for very small organizations that cannot handle the staffing requirements internally. However, there is a secondary risk in hiring an outside firm to monitor data security; yet another source will have access to confidential client and employee information. Even with outsourcing, someone on staff will need to oversee the work of the outsourced company.

Communicating the Plan

Once the security procedures have been developed, communicating them effectively to the firm is critical. Brief explanations of the underlying reasons for the procedure should be included; understanding the reasons gives users a sense of the importance of the procedures and will help them to accept the small barriers that security procedures present to their everyday operations.

Conclusion

Organizations must address security issues before violations become a critical problem. Information is a major asset of accounting firms and must be protected from misuse or unauthorized access. It is wise to use the tools on the market and implement a security plan to prevent data loss.

RELATED ARTICLE: Internet Security Sites

Internet resources for network security information, security management software and services include:

* Check Point Software Technologies Ltd.: www.checkpoint.com.

* Computer Security Information (a division of Computer Research and Technology, National Institutes of Health): www.alw.nih.gov/Security/security.html.

* En Garde Systems, Inc: www.engarde.com

* Entrust Technologies: www.entrust.com.

* NetworkWorld Fusion: www.nwfusion.com.

* Raptor Systems, Inc.: www.raptor.com.

* Trusted Information Systems, Inc.: www.tis.com.

Editor's note: Mr. Maida, Mr. Rubenstein and Ms. Strahs are members of the AICPA Tax Division's Tax Technology Committee.

If you would like additional information about this article, contact Mr. Maida at (609) 882-6874 or wvhw76a@prodigy.com, Mr. Rubenstein at (202) 736-8411 or rrubenst@sidley.com, or Ms. Strahs at (202) 822-4000 or Roanne.Strahs@us.coopers.com.
COPYRIGHT 1998 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1998, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:security protections for tax practitioners' data
Author:Hamilton, Daniel
Publication:The Tax Adviser
Date:Jan 1, 1998
Words:1848