TJSDD Security Procedure for Client Information
September 30, 2016 | Symphona
You may have seen in the news over past few years hundreds of stories regarding security and information breaches concerning company and customer data. Some of the more publicized breaches involved companies like Target, Home Depot and Wendy’s. What you may have not seen were breaches where accounting firms were the intended target. The Internal Revenue Service recently published a warning to all accounting firms regarding the risk of hackers accessing client data and specifically tax return information. At TJS Deemer Dana, we make the security and confidentiality of our clients’ information a top priority. Not only do we have safeguards and policies in place, we are constantly monitoring and updating those policies and procedures as technology changes. The following is just a few of the steps we have taken to make sure your information is secure.
Storage of Client Information
Client information is stored in many different ways. This includes paper documents, standard electronic files and various applications and databases.
Paper documents are stored in file rooms or filing cabinets in non-public areas of our offices. Staff are instructed to adhere to clean desk policies with all client sensitive information stored away daily.
Electronic information is stored on file servers or inside databases. Our servers that house this information are located in a SSAE16 certified data center. What does SSAE16 certified data center mean? It means that the data center is subject to, and adheres to, strict guidelines with regards to the physical and logical security of the equipment housed in the facility. The best comparison for a SSAE16 certified data center is a “bomb shelter”!
Additionally, all the programs used to access client information are not run directly from the staff’s workstations. The programs are run remotely from secure Citrix servers to each staff person’s computer in such a way to make the transfer of information less susceptible to being intercepted. Personnel not in the office are to connect to the servers located behind the firm firewalls using end-to-end encryption.
Although client data is only stored on the secured servers, there are some occasions that information may need to be temporarily stored on laptops while staff are working outside the office. In these situations, all firm laptop hard drives are encrypted using 256-bit AES encryption. In the event the laptops are misplaced or stolen, the laptop would be inaccessible unless the encryption password is known.
Transmission of client information
Policies in place prohibit employees from transmitting client information using insecure methods. Any sensitive information that needs to be transmitted to or from a client is sent using utilizing 256-bit AES encryption via various software programs. All emails containing sensitive client information are also encrypted using software with industry standard 256-bit encryption protocols.
Disposal of client information
Paper documents to be disposed are stored in locked shred bins and are shredded onsite by a bonded shredding company. All computer disks and harddrives to be disposed of are securely deleted and/or physically destroyed prior to disposal.
Protection from Hackers
Servers are critical to the day-to-day operations of the firm and are subject to outside intrusion monitoring by using software specifically designed to test the security of the servers and the applications running on them. At any point that our firm’s network comes in contact with the internet, a firewall is put in place that will both document and prevent any malicious traffic. All incoming and outgoing data is filtered to only allow specific network traffic that adheres to specific rules. A constantly updated database is utilized to keep records of any network traffic that is known to be malicious (Blacklisting). As part of our blacklisting protocol, any incoming traffic from IP address ranging outside of the United States is blocked from accessing our servers. IPS (Intrusion Protection System) modules are used to automatically disconnect or drop traffic which violates the security rules put in place. Additionally, our staff are trained on what to look for in suspicious email traffic and unknown download requests.
Workstation and Mobile Access Controls
All workstations and servers are part of a Microsoft Windows / Active Directory domain environment and subject to security policies which include industry standard password and lockout policies, as well as system security configuration parameters. Workstations and servers are also configured with antivirus software which is updated frequently.
Only approved mobile devices are permitted to communicate with our email systems using Microsoft Exchange Active Sync protocol. Such communications are encrypted using SSL encryption between our server and the mobile device. As part of the configuration, the end user must agree to accept our security policies which include allowing our server to remotely wipe the device if a breach has been detected.
We will continue to be diligent in our quest to make sure your information is safe. We have onsite staff that are dedicated to making this priority. If you have any questions about our procedures or how you can make your own company secure, don’t hesitate to reach out to us at any of the TJS Deemer Dana LLP locations.
Written by: Guy Mullis collaborated with Matt Jones