negasc-Powerpoint - The New England Graduate Accounting

advertisement
NEGASC
NEW ENGLAND GRADUATE ACCOUNTING STUDY
CONFERENCE
2014
KONRAD M. MARTIN, CPA, CEO
• Konrad Martin is CEO of Tech Advisors, a comprehensive IT support firm that provides
tailored services to manage, protect, and improve business’ unique networks. Konrad drives
Tech Advisors’ development and marketing, and ensures that quality service is delivered to
over 100 clients throughout the Boston area.
• Before founding Tech Advisors with his brother, Konrad was a Senior Accountant,
concentrating in tax and audit. He led over 20 seminars on technology and compliance for the
Massachusetts Society of CPAs. While working at a major accounting firm, Konrad learned
that a strategic, tailored IT support system not only prevents costly breaches—it’s fundamental
for driving growth.
• An entrepreneur through and through, Konrad thrives when growing businesses. He has owned
a hotel and restaurant, and founded several small startups, including KRK Productions. He
enjoys being a frequent guest and contributor to Radio Entrepreneurs, a daily broadcast to
enrich and inspire the entrepreneurial community.
• Konrad grew up in Bangor Maine and attended the University of Maine, where he was a Top
collegiate swimmer. In his spare time, he enjoys playing golf, hiking, cooking, and reading.
ACCOUNTING FIRMS AND TECHNOLOGY
1. Different types of Networks
a. Peer to Peer
b. LAN
c. WAN
2. Security for your network
a) Written Information Security Program
b) Disaster Recovery
c) Business Continuity
3. WISP in detail:
4. Checklist:
5. Microsoft Office 365 and Hosted Exchange
6. Accounting Software
a) CCH Profx
b) Lacert
c) Thomson
d) QuickBooks, Peachtree, Xero, Bill.com Etc.
Peer to Peer
LAN (Local Area Network)
WAN (Wide Area Network)
WISP
Written Information Security Program
• 201-CMR-17 (93H) (personal information security)
• HIPAA (Health Insurance Portability and Accountability Act)
• PCI DSS (Payment Card Industry Data Security Standards)
• Each of these laws and standards require a WISP
• FIREWALLS: YOUR FIRST LINE OF DEFENSE!
A firewall is a network security system that controls the incoming and outgoing network
traffic based on applied rule set. The firewall establishes a barrier between a trusted,
secure internal network and another network (e.g., the Internet) that is not assumed to be
secure and trusted
DATA BACKUP:
DATA BACKUP:
• Backing up your data is necessary.
• Testing that backup is necessary
• What is actually being backed up?
• Data (I know, shocker)
• You pay per GB per Month in most cases
DISASTER RECOVERY PLAN:
DISASTER RECOVERY:
• You should have a written plan
• Data backup is part of Disaster recovery.
• Imaging of the servers should be part of Disaster recovery
• Local device (external hard drives work) piece of software (Symantec
endpoint recovery).
• Why? To recovery from a disaster as quickly as possible, you need to have a written
plan, an image of the servers, and data backup.
BUSINESS CONTINUITY
How do you keep working during a disaster?
BUSINESS CONTINUITY
• Written plan
• Data backup
• Image of servers
• Offsite image of servers.
• This is key. If a disaster happens in your area, the image can be turned on in The Cloud
and accessed from anywhere.
YOUR NETWORK AND BUSINESS CONTINUITY
MICROSOFT 365 (OFFICE AND HOSTED EXCHANGE)
MS Office 365 is more powerful than Google Apps but of course at a cost.
Before choosing google apps, you need to be it will do what you need it to do. In most cases it will,
in larger, more complex organizations, it will not.
MICROSOFT 365 (OFFICE AND HOSTED EXCHANGE)
Bandwidth is a big deal when using Software as a Service.
We have several clients using both products.
If the internet is down, your email is down and maybe your office products.
WISP
• For compliance with 201-CMR-17, HIPPA and PCI, businesses must develop,
implement, maintain and monitor a comprehensive, Written Information
Security Plan (WISP) that is consistent with industry standards.
• Personal Information (201-CMR-17)
• Personal Health Information (HIPPA)
REGULATORY OVERVIEW
The program must be monitored on a regular basis to help ensure that the
program can:
• Prevent unauthorized access to personal information.
• Prevent unauthorized use of personal information and/or Personal Health
Information.
DOES THE LAW APPLY TO YOUR BUSINESS?
1.
If you electronically store a Massachusetts resident’s Last Name and First
Name, or First Initial on a computer.
2.
Plus One of the following (a,b,c or d) (for 201-CMR-17)
a.
b.
c.
d.
Social Security Number
Driver’s License number
Financial Account number (credit card, debit card)
Access code that would allow you access that person’s financial information
HIPAA Requirements are much more extensive and are included at the end of your handout.
Then the law applies to your business!
201-CMR-17 DUTY TO PROTECT
a)
Designating one or more employees to oversee the WISP creation and
maintenance.
b)
Identifying and assessing reasonably foreseeable internal and external
risks. It is important to do some type of Audit of where the PI resides.
c)
Developing security policies for employees to agree to and follow. All
members of the organization are required to signoff on accepting the
WISP.
201-CMR-17 DUTY TO PROTECT
d)
Imposing disciplinary measures for violations that can include termination of
employment.
e)
Preventing terminated employees from getting back into the servers,
workstations etc.
f)
Taking reasonable steps to verify that third-party service provider are in
compliance with the law.
201-CMR-17 DUTY TO PROTECT
g)Limiting the amount of personal information collected.
Don’t ask for
information you don’t need. This is important for your clients especially
h)Identifying paper, electronic and other records…used to store personal
information, to determine what devices must be included.
i) Reasonable restrictions upon physical access to HR records etc.
201-CMR-17 DUTY TO PROTECT
j) Regular monitoring to ensure that you are addressing issues that may have
changed throughout the year
k)Reviewing the scope of the security measures, again, for material changes.
l) Documenting responsive actions taken in connection with any incident involving
a breach of security or a non-compliance of the WISP
TRIGGER EVENT
• Notice is required when data owner knows that there is:
1. Unauthorized acquisition or use of PI
2. Unencrypted personal information, or encrypted personal information and the
confidential process or key that can unlock the personal information
3. That creates a substantial risk of identity theft or fraud against a Massachusetts
resident.
TIMING OF NOTICE
“As soon as practicable and without unreasonable delay.”
Notice may be delayed if a law enforcement agency determines that giving
notice may impede a criminal investigation – AG and data owner must be
notified
HAVE YOU HEARD OF THESE ACCOUNTING
PACKAGES? YOUR CLIENTS HAVE!
QUESTIONS
Download