NEGASC NEW ENGLAND GRADUATE ACCOUNTING STUDY CONFERENCE 2014
KONRAD M. MARTIN, CPA, CEO

• Konrad Martin is CEO of Tech Advisors, a comprehensive IT support firm that provides tailored services to manage, protect, and improve businesses' unique networks. Konrad drives Tech Advisors' development and marketing, and ensures that quality service is delivered to over 100 clients throughout the Boston area.
• Before founding Tech Advisors with his brother, Konrad was a Senior Accountant concentrating in tax and audit. He has led over 20 seminars on technology and compliance for the Massachusetts Society of CPAs. While working at a major accounting firm, Konrad learned that a strategic, tailored IT support system not only prevents costly breaches, it is fundamental to driving growth.
• An entrepreneur through and through, Konrad thrives when growing businesses. He has owned a hotel and restaurant, and founded several small startups, including KRK Productions. He is a frequent guest and contributor on Radio Entrepreneurs, a daily broadcast to enrich and inspire the entrepreneurial community.
• Konrad grew up in Bangor, Maine and attended the University of Maine, where he was a top collegiate swimmer. In his spare time he enjoys golf, hiking, cooking, and reading.

ACCOUNTING FIRMS AND TECHNOLOGY
1. Different types of networks
   a. Peer to peer
   b. LAN
   c. WAN
2. Security for your network
   a. Written Information Security Program (WISP)
   b. Disaster recovery
   c. Business continuity
3. WISP in detail
4. Checklist
5. Microsoft Office 365 and Hosted Exchange
6. Accounting software
   a. CCH ProFx
   b. Lacerte
   c. Thomson Reuters
   d. QuickBooks, Peachtree, Xero, Bill.com, etc.
NETWORK TYPES
• Peer to peer
• LAN (Local Area Network)
• WAN (Wide Area Network)

WISP: WRITTEN INFORMATION SECURITY PROGRAM
• 201 CMR 17.00 (M.G.L. c. 93H), the Massachusetts personal information security regulation
• HIPAA (Health Insurance Portability and Accountability Act)
• PCI DSS (Payment Card Industry Data Security Standard)
• Each of these laws and standards requires a written information security program.

FIREWALLS: YOUR FIRST LINE OF DEFENSE!
A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. It establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

DATA BACKUP
• Backing up your data is necessary.
• Testing that backup is necessary.
• Know what is actually being backed up.
• Data (I know, shocker).
• With online backup you usually pay per GB per month.

DISASTER RECOVERY
• You should have a written plan.
• Data backup is part of disaster recovery.
• Imaging of the servers should be part of disaster recovery.
• Use a local device (external hard drives work) and a piece of imaging software (e.g., Symantec endpoint recovery).
• Why? To recover from a disaster as quickly as possible, you need a written plan, an image of the servers, and a data backup.

BUSINESS CONTINUITY
How do you keep working during a disaster?
• Written plan
• Data backup
• Image of servers
• Offsite image of servers. This is key: if a disaster happens in your area, the image can be turned on in the cloud and accessed from anywhere.

YOUR NETWORK AND BUSINESS CONTINUITY

MICROSOFT 365 (OFFICE AND HOSTED EXCHANGE)
MS Office 365 is more powerful than Google Apps, but of course at a cost. Before choosing Google Apps, you need to be sure it will do what you need it to do. In most cases it will; in larger, more complex organizations, it often will not.
Bandwidth is a big deal when using Software as a Service. We have several clients using both products.
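The firewall slide above says a firewall applies a rule set between a trusted network and an untrusted one; the practical point is that the rule set should be default-deny, with explicit allows for the few things the office needs. The following is an added example, not from the presentation: a host firewall for a small office server written in nftables syntax. The addresses and services are assumptions for illustration (office LAN 192.168.10.0/24, SSH reachable only from that LAN, HTTPS reachable from anywhere); fw_check is a small sanity test that catches the common mistake of a "policy accept" input chain with a handful of drops added afterwards.

```shell
#!/bin/sh
# Added example, not from the presentation: a default-deny ruleset for a
# small office server, in nftables syntax. Hypothetical layout: the office
# LAN is 192.168.10.0/24, the server exposes SSH only to that LAN and HTTPS
# to everyone, and everything else inbound is dropped and logged.

# fw_ruleset prints the ruleset. Apply it (as root) with:
#   fw_ruleset | nft -f -
# Rules are evaluated in order; the first matching verdict wins, and the
# chain policy ("policy drop") is what applies when nothing matched.
fw_ruleset() {
    cat <<'EOF'
flush ruleset
table inet office {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept
    meta l4proto { icmp, ipv6-icmp } accept
    ip saddr 192.168.10.0/24 tcp dport 22 accept
    tcp dport 443 accept
    limit rate 5/minute log prefix "fw-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# fw_check FILE: succeed only if the input chain in FILE is default-deny.
# A ruleset whose input chain says "policy accept" and then adds a few
# drops is the common mistake: anything not explicitly dropped gets through.
fw_check() {
    grep -q 'hook input[^;]*; *policy drop;' "$1"
}

# fw_demo: write the ruleset to a file and run the check on it, then on a
# weakened copy with the policy flipped to accept.
fw_demo() {
    tmp=$(mktemp)
    fw_ruleset > "$tmp"
    fw_check "$tmp" && echo "$tmp: input chain is default-deny"
    sed 's/hook input priority 0; policy drop;/hook input priority 0; policy accept;/' \
        "$tmp" > "$tmp.weak"
    fw_check "$tmp.weak" || echo "$tmp.weak: input chain is NOT default-deny"
    rm -f "$tmp" "$tmp.weak"
}
```

Run fw_demo to see both results; the "established,related" rule is what lets replies to the office's own outbound connections back in, so the drop policy does not break normal browsing or e-mail from the server itself.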
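The backup slide above makes the point that a backup must be tested, not just taken. The following is an added example, not from the presentation, of what such a test looks like in practice: archive a directory, record a SHA-256 manifest of the live data at backup time, then restore the archive into a scratch directory and check every file against the manifest. The directory names and file contents are constructed for the demo; the tools used (tar, sha256sum, mktemp) are standard on Linux.

```shell
#!/bin/sh
# Added example, not from the presentation: a backup is only proven when it
# restores. backup_make archives a directory and records a SHA-256 manifest;
# backup_verify restores the archive into a scratch directory and checks
# every file against that manifest. Paths and data are hypothetical.

# backup_make SRC_DIR ARCHIVE: write ARCHIVE (tar) and ARCHIVE.sha256
backup_make() {
    src=$1; archive=$2
    tar -C "$src" -cf "$archive" . || return 1
    # Manifest of the live data, taken at backup time, relative to SRC_DIR
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$archive.sha256"
}

# backup_verify ARCHIVE: restore into a temp dir and compare checksums.
# Returns 0 only if every file in the manifest restores byte-for-byte;
# a missing or altered file makes sha256sum -c fail.
backup_verify() {
    archive=$1
    case $archive in /*) ;; *) archive=$PWD/$archive ;; esac
    scratch=$(mktemp -d) || return 1
    if tar -C "$scratch" -xf "$archive" &&
       ( cd "$scratch" && sha256sum -c --quiet "$archive.sha256" ); then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

# backup_demo: constructed sample data, a good restore test, then a bad one
backup_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/clients"
    printf 'Acme Corp 2013 return, filed\n' > "$work/data/clients/acme.txt"
    printf 'payroll summary Q4\n'           > "$work/data/payroll.csv"

    backup_make "$work/data" "$work/nightly.tar"
    if backup_verify "$work/nightly.tar"; then
        echo "nightly.tar: restore test passed"
    fi

    # Simulate a backup job that silently skipped a folder: re-create the
    # archive with only the clients/ directory. The manifest from the full
    # backup still lists payroll.csv, which the archive cannot restore, so
    # verification fails instead of reporting a backup that looks fine.
    tar -C "$work/data" -cf "$work/nightly.tar" clients
    if ! backup_verify "$work/nightly.tar"; then
        echo "nightly.tar: restore test FAILED (payroll.csv missing)"
    fi
    rm -rf "$work"
}

case "${1:-}" in demo) backup_demo ;; esac
```

Run the script with the argument demo to see both outcomes. The manifest is the piece most backup checklists skip: without it, "the restore worked" only means tar did not complain, not that the data matches what was live when the backup ran.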
If the Internet is down, your email is down, and maybe your Office products too.

WISP
• For compliance with 201 CMR 17.00, HIPAA and PCI DSS, businesses must develop, implement, maintain and monitor a comprehensive Written Information Security Program (WISP) that is consistent with industry standards.
• Personal Information (201 CMR 17.00)
• Protected Health Information (HIPAA)

REGULATORY OVERVIEW
The program must be monitored on a regular basis to help ensure that it can:
• Prevent unauthorized access to personal information.
• Prevent unauthorized use of personal information and/or protected health information.

DOES THE LAW APPLY TO YOUR BUSINESS?
1. You electronically store a Massachusetts resident's first name (or first initial) and last name on a computer,
2. plus one of the following (for 201 CMR 17.00):
   a. Social Security number
   b. Driver's license number
   c. Financial account number (credit card, debit card)
   d. Access code that would allow access to that person's financial account
If both, the law applies to your business!
HIPAA requirements are much more extensive and are included at the end of your handout.

201 CMR 17.00 DUTY TO PROTECT
a) Designate one or more employees to oversee WISP creation and maintenance.
b) Identify and assess reasonably foreseeable internal and external risks. It is important to do some type of audit of where the PI resides.
c) Develop security policies for employees to agree to and follow. All members of the organization are required to sign off on accepting the WISP.
d) Impose disciplinary measures for violations, which can include termination of employment.
e) Prevent terminated employees from getting back into the servers, workstations, etc.
f) Take reasonable steps to verify that third-party service providers are in compliance with the law.
g) Limit the amount of personal information collected. Don't ask for information you don't need.
This is important for your clients especially.
h) Identify paper, electronic and other records used to store personal information, to determine what devices must be included.
i) Impose reasonable restrictions upon physical access to HR records, etc.
j) Monitor regularly to ensure that you are addressing issues that may have changed throughout the year.
k) Review the scope of the security measures, again for material changes.
l) Document responsive actions taken in connection with any incident involving a breach of security or non-compliance with the WISP.

TRIGGER EVENT
Notice is required when the data owner knows or has reason to know of:
1. unauthorized acquisition or use of personal information,
2. where that information is unencrypted, or is encrypted but the confidential process or key that can unlock it was also acquired,
3. and that creates a substantial risk of identity theft or fraud against a Massachusetts resident.

TIMING OF NOTICE
"As soon as practicable and without unreasonable delay."
Notice may be delayed if a law enforcement agency determines that giving notice may impede a criminal investigation; the Attorney General and the data owner must be notified.

HAVE YOU HEARD OF THESE ACCOUNTING PACKAGES? YOUR CLIENTS HAVE!

QUESTIONS
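Two of the duty-to-protect items above, (b) "audit where the PI resides" and (h) "identify the records used to store personal information", come down to finding out which files on the firm's servers actually hold the identifiers the law names. The following is an added example, not from the presentation, of a first-pass discovery scan for that audit: it searches a directory tree for Social Security number and payment card number formats and lists the files that match. The sample files are constructed with format-valid, non-real identifiers; driver's license formats vary by state and are not matched, and every hit is a lead for a person to review rather than proof of PI (a 16-digit invoice number will match too).

```shell
#!/bin/sh
# Added example, not from the presentation: a first-pass audit of where
# personal information (PI) resides, for duty-to-protect items (b) and (h).
# It scans a directory tree for two identifier formats the slide lists for
# 201 CMR 17.00: Social Security numbers (3-2-4 digits) and payment card
# numbers (four groups of four digits). Driver's license formats vary by
# state and are not matched. Hits are leads for human review, not proof.

# pi_scan DIR: list files (sorted) containing at least one match.
#   -r recurse  -l file names only  -I skip binary files  -E extended regex
pi_scan() {
    grep -rlIE \
        -e '\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b' \
        -e '\b[0-9]{4}([ -]?[0-9]{4}){3}\b' \
        "$1" 2>/dev/null | LC_ALL=C sort
}

# pi_count DIR: number of files flagged
pi_count() {
    pi_scan "$1" | wc -l | tr -d ' '
}

# pi_demo: constructed sample files with format-valid, non-real identifiers.
# A 10-digit phone number in the marketing draft does not match either
# pattern, which is what keeps the hit list reviewable.
pi_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clients" "$work/marketing"
    printf 'Jane Q. Public, SSN 123-45-6789, 2013 return\n' > "$work/clients/public.txt"
    printf 'Card on file: 4111 1111 1111 1111\n'            > "$work/clients/billing.txt"
    printf 'Office phone 617-555-0100. Newsletter draft.\n' > "$work/marketing/draft.txt"
    echo "files that may hold PI under $work:"
    pi_scan "$work"
    echo "count: $(pi_count "$work")"
    rm -rf "$work"
}

case "${1:-}" in demo) pi_demo ;; esac
```

Run the script with the argument demo; point pi_scan at a real file share to produce the list of locations that item (h) asks for, then decide per location whether the data is still needed (item g) and how it is protected. A scan like this only covers plaintext files; PI inside encrypted archives, databases and the accounting packages' own data files needs a separate inventory.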