Updating Computer Policies

1. Password Rules: Today’s rules for hardened passwords point to having at least eight characters with both upper and lower case, a number, and at least one punctuation character, without being able to use the last five passwords. Passwords should be changed at least twice per year, and the process should be automated such that individuals get five grace logins and know who to contact if they are locked out. Firms should also consider the need for passwords on any PDA devices that would contain firm data such as email or contact information.

2. Screensaver Passwords: When people walk away from their computers, they should be taught how to lock down their workstation with the Ctrl-Alt-Del or Microsoft Start keys. Firms might also consider setting up standard screensavers that lock the user out after 60 minutes of non-use, which would then require that they re-enter their passwords to continue access. For laptops that are used outside of the office, firms should consider a shorter period of time (15-20 minutes), as they may not have the ability to control who can access the workstations.

3. Approved Applications: Firms should have a list of approved applications and procedures in place for employees requesting other applications to be loaded. No personal programs or data for accounting, email, or other media such as MP3 or iTunes should be loaded on the firm’s computers. Personal music has become an issue in many firms not only for the amount of disk space it takes up, but also for its conflicts with other applications and the issue of music copyrights.

4. Streaming Music: Internet radio and other continuous streaming media to an employee’s workstation can easily consume 56Kbps and sometimes even 256Kbps of Internet bandwidth per connection, so a handful of users could monopolize a major portion of the firm’s Internet connection, reducing the available bandwidth and Internet performance for every person in the firm.

5. Instant Messaging/Personal Email: While the firm’s email system is critical for communications and a firm-only IM system can be a very useful tool, personal email and outside IM can be a major source of viruses and other malware, as well as a significant distraction to firm personnel. Many of today’s firewalls can be set up to monitor what sites are being accessed, and some can block these email and IM sites.

6. Physical Security: With the rash of laptop thefts in the past year and many states having harsher reporting requirements in the event of a theft, it is recommended that all laptops be physically locked when not in transit. Laptop users should be provided with cable locks and training on how to use them. Some firms provide two locks, one in the office and the other within the laptop bag, which are keyed the same way.

7. Physical Care: Firms should also remind employees about the proper care of their equipment: laptops and PDAs should never be left in a car or location where they could be exposed to extreme cold or heat. In addition, their work area should be set up to minimize the possibility of drinks spilling into computer equipment.

8. Home Usage: Many employees take their laptops home and hook them up to their personal broadband Internet connections. Firms should consider policies to mandate that home networks have a firewall installed, automatically updated anti-virus applications, and that any WiFi access points utilize encryption to minimize the risk of others accessing the laptop.

9. Updated Retention Policy: As more firms go to document management systems where all files are stored digitally, it is important to update the firm’s rules on where different versions of documents can reside and the procedures to clean working copies off of any mobile workstations.

10. Security Awareness: New threats to information systems pop up daily, and the firm should discuss the process to have software automatically updated, as well as maintain awareness of evolving threats. For instance, with regard to phishing or pharming, employees must be taught never to utilize links from emails that require them to divulge passwords or login names.

Firm computer policies and procedures should be reviewed annually and discussed with all personnel to ensure that they truly understand what constitutes acceptable use of firm equipment. In addition to the firm’s technology committee considering these items, it can also be helpful to review them with the firm’s external consulting group, as well as the firm’s attorneys, to ensure the firm is covered from both a technical and legislative angle.

Roman H. Kepczyk, CPA.CITP is President of InfoTech Partners North America, Inc. and works exclusively with CPA firms to assist them in implementing today’s best practices in regards to tax, audit, client service and administrative production.

InfoTech Partners North America, Inc.
13656 South 37th Place
Phoenix, AZ 85044-4531
Phone: (480) 706-1728
Fax/Voicemail: (480) 718-8880
Email: roman@itpna.com
Web Site: www.itpna.com