Accounting Software Advisor's Computer Security Checklist
Presented below is a list of security measures you should consider taking to
safeguard your company data and computer systems.
Physical Security Measures
- Make sure your building is very secure to prevent
intruders and theft.
- Install extra window locks and door locks.
- Consider hiring a building guard.
- Install key entry systems that monitor and record
employee access.
- Install door locks on internal doors to prevent
access to file servers and systems.
- Make sure appropriate fire prevention measures are
in place.
- Install uninterruptible power supply systems to
protect against power outages.
- Install surge protectors to protect against power
surges.
- Replace surge protectors regularly, and
uninterruptible power supply systems as needed.
- Use computer locks to bolt computers to desks and
tables.
- Use computer locks to protect laptop computers
when traveling.
Password and Encryption Measures
- Require all users to password protect their
computer systems at the boot level.
- Require all users to password protect their
operating system.
- Require all users to obtain digital IDs and send
only encrypted e-mail.
- Require all users to password protect sensitive
documents.
- Use your accounting system's maximum password
capabilities to prevent unauthorized access.
- Require all users to change their passwords
periodically.
- Require users to use only long passwords
containing a mix of letters and numbers.
- Require users to use a different password for
every function.
Backup Measures
- Create a recovery diskette for each computer
system periodically (monthly).
- Back up all company data to a single source daily,
including data files and e-mail.
- Keep a backup of all company data offsite daily.
- Back up each computer system daily.
- Keep a backup of each computer system offsite.
- Run a "System Imaging Program" such as Columbia
Data Products.
- Use only current hardware systems and components
that can be replaced quickly if necessary.
- Rotate backup media regularly. Retire older media
to offsite permanent backup and introduce new media regularly.
- Utilize a father/son/grandson approach to creating
multiple backups.
- Backups should be read and verified.
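The rotation and verification items above can be worked through in code. The following is an added example, not part of the checklist; it maps the father/son/grandson tiers to daily, weekly and monthly sets with assumed retention counts (7, 5 and 12), records a SHA-256 digest when each backup is written so the medium can later be read back and verified, and reports which media stay in rotation and which are retired offsite.

```python
"""Father/son/grandson backup rotation with read-back verification.

Added example, not part of the checklist. Policy values are assumptions:
  son         = daily backup, newest 7 kept in rotation
  father      = weekly backup (taken on Sundays), newest 5 kept
  grandfather = monthly backup (taken on the 1st), newest 12 kept
Media that fall off the end of a tier are "retired" to offsite storage.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# How many media of each tier stay in rotation (assumed policy).
RETENTION = {"grandfather": 12, "father": 5, "son": 7}


def tier_for(day: date) -> str:
    """Classify the backup taken on `day` into one of the three tiers."""
    if day.day == 1:            # monthly: first day of the month
        return "grandfather"
    if day.weekday() == 6:      # weekly: Sunday
        return "father"
    return "son"                # everything else is a daily backup


@dataclass(frozen=True)
class Backup:
    taken: date
    tier: str
    digest: str                 # SHA-256 of the content, recorded at write time


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_backup(day: date, content: bytes) -> Backup:
    """Simulate writing one backup and recording its digest on the label."""
    return Backup(taken=day, tier=tier_for(day), digest=sha256(content))


def verify_backup(backup: Backup, read_back: bytes) -> bool:
    """Read the medium back and compare with the recorded digest."""
    return sha256(read_back) == backup.digest


def plan_rotation(existing: list[Backup]) -> tuple[list[Backup], list[Backup]]:
    """Split media into those kept in rotation and those retired offsite.

    Within each tier only the newest RETENTION[tier] media are kept.
    """
    keep: list[Backup] = []
    retire: list[Backup] = []
    for tier, limit in RETENTION.items():
        members = sorted((b for b in existing if b.tier == tier),
                         key=lambda b: b.taken, reverse=True)
        keep.extend(members[:limit])
        retire.extend(members[limit:])
    return keep, retire


def simulate(start: date, days: int) -> dict[str, int]:
    """Take one backup per day and report how many media of each tier remain in rotation."""
    backups = [write_backup(start + timedelta(days=i), f"ledger-{i}".encode())
               for i in range(days)]
    keep, _retire = plan_rotation(backups)
    return {tier: sum(1 for b in keep if b.tier == tier) for tier in RETENTION}


if __name__ == "__main__":
    # Constructed run: 60 daily backups starting 1 January 2024.
    print(simulate(date(2024, 1, 1), 60))
```

Running the simulation over 60 days starting on a month boundary leaves 2 monthly, 5 weekly and 7 daily media in rotation; everything older is handed to the offsite set. The digest check is what turns "keep a backup" into "keep a backup that restores".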
Operating System, System Settings, and Program Updates
- Only run operating systems that provide top level
security, such as Microsoft Windows® 2000 or Windows XP (Windows 98 does
not).
- Update your operating system frequently for the
latest security patches. If your operating system supports it, enable
the automatic update capabilities.
- Update your e-mail system frequently (monthly) for
the latest security patches.
- Update your Internet browser frequently (monthly)
for the latest security patches.
- Update your application programs frequently
(monthly) for the latest security patches.
- Establish minimum browser setting requirements for
all users regarding, for example, downloading files and accepting
cookies.
- Configure your browser's content advisor to
curtail access to inappropriate websites.
- If you use Windows 2000 or Windows XP
Professional, review the Event Log frequently and look for logons at odd
times.
- All software products should be registered to
receive product alerts.
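The Event Log review item above ("look for logons at odd times") is easy to automate once the log has been exported to text. The following is an added example, not part of the checklist; it assumes an exported "date time,event_id,user" line format (the sample lines are constructed, not a real export) and an assumed business window of 07:00 to 19:00 on weekdays. In the Windows 2000/XP Security log, event 528 is a successful interactive logon and 540 a successful network logon; 529 is a failed logon and is not counted here.

```python
"""Flag successful logons recorded outside business hours.

Added example, not from the checklist. It reads exported Security-log
text in an assumed "date time,event_id,user" form (the lines below are
constructed, not a real export). In the Windows 2000/XP Security log,
event 528 is a successful interactive logon and 540 a successful
network logon; 529 is a failed logon and is deliberately not flagged.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, time

SUCCESS_LOGON_EVENTS = {528, 540}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed hours
WORKDAYS = {0, 1, 2, 3, 4}                                # Monday..Friday

# Constructed sample: 2004-03-08 is a Monday, 2004-03-13 a Saturday.
SAMPLE_LOG = """\
2004-03-08 08:02:11,528,JSMITH
2004-03-08 12:45:09,540,PAYROLL-SVC
2004-03-09 02:17:43,528,JSMITH
2004-03-09 09:00:00,529,JSMITH
2004-03-10 18:59:59,528,MJONES
2004-03-13 14:30:00,528,ADMIN
"""


def parse_line(line: str) -> tuple[datetime, int, str]:
    stamp, event_id, user = line.strip().split(",")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(event_id), user


def is_odd_hours(when: datetime) -> bool:
    """True if `when` falls on a weekend or outside BUSINESS_START..BUSINESS_END."""
    if when.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


def find_odd_hour_logons(log_text: str) -> list[tuple[str, str]]:
    """Return (user, timestamp) for every successful logon at an odd time."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event_id, user = parse_line(line)
        if event_id in SUCCESS_LOGON_EVENTS and is_odd_hours(when):
            flagged.append((user, when.strftime("%Y-%m-%d %H:%M:%S")))
    return flagged


def odd_hour_counts(log_text: str) -> dict[str, int]:
    """How many odd-hour logons each account has, for a quick weekly review."""
    return dict(Counter(user for user, _ in find_odd_hour_logons(log_text)))


if __name__ == "__main__":
    for user, stamp in find_odd_hour_logons(SAMPLE_LOG):
        print(f"odd-hours logon: {user} at {stamp}")
```

On the constructed sample the 02:17 weekday logon and the Saturday afternoon logon are flagged; the 18:59:59 logon is inside the window and the failed 529 event is ignored. Service accounts that legitimately run overnight jobs belong on an allow-list so they do not drown out the unusual entries.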
Anti-Virus Measures
- Run live anti-virus software on each computer
system.
- Update all anti-virus software regularly.
- Establish a policy that anti-virus software is to
remain active at all times.
- Set anti-virus software to scan all incoming mail
and attachments automatically.
- Set anti-virus software to download virus signature
file updates automatically.
- Set anti-virus software to scan your computer
system automatically on a regular schedule.
Personnel Policies
- Have users sign a letter acknowledging Internet
access is restricted to business purposes only.
- Expressly forbid employees from access to
pornography sites with company provided computer systems and Internet
access.
- Inspect employee computers regularly for evidence
of inappropriate Internet access or spamming.
- Advise employees the company retains the right to
read any and all e-mail.
- Scan all e-mail messages regularly to identify
inappropriate communications.
- Advise employees not to install unlicensed
software on company computers.
- Advise employees not to install company software
on personally-owned computers.
- Advise employees not to allow family members or
others access to laptops.
- Advise employees that children and teenagers are
forbidden to have unsupervised usage of company provided Internet access
at home.
- Make sure to include a security section in the
corporate policies manual.
- Audit employee computers regularly to search for
unlicensed software.
- Advise employees to use their business e-mail
address for business related purposes only, and to avoid supplying
e-mail addresses to potential spammers via instant messaging or chat
room registration.
- Advise employees to use credit card numbers only
on secure Web sites.
- Advise employees to protect sensitive data
concerning online payment accounts and banking identification numbers.
- Advise employees to take reasonable measures to
ensure the authenticity of important Web sites and e-mail addresses
before using them for company purposes. If necessary, check with eTrust
or BBBonline first. The employee may also call the company or person on
the phone to help determine legitimacy.
- Advise employees to always read privacy policies
before providing information over the Internet.
- Accounting personnel should scan statements for
any unrecognized charges, no matter how small. These small charges could
be criminal tests for larger charges to come.
- Employees should be advised not to open
unrecognized e-mail attachments.
- Advise employees to be wary of attachments
forwarded even by names they recognize. They should save attachments to
the hard drive first so the anti-virus software can scan them before
opening.
- Advise employees not to play games online,
especially if they involve downloading a program.
- Advise employees not to download illegal copies of
music or movie clips to company computer systems or using
company-provided Internet access.
- Advise employees to avoid Internet-based
peer-to-peer networking sites (often used for live video chat or file
swapping).
- Advise employees not to share diskettes used at
school or by other companies.
- Advise employees to immediately report computers
that slow down, large amounts of unexplained modem or hard drive
activity, or unusual behaviors in their computer system.
Firewall Measures
- Install a firewall device in front of your
company's Internet connection.
- Install a firewall device in front of all Internet
connections located in employee homes.
- Make sure your firewall is designed to detect and
prevent denial of service attacks and unauthorized access, and
preferably to block viruses and filter pornography.
- Update your firewall software regularly with the
latest security patches.
- Review firewall logs regularly to identify or
monitor attacks on your system.
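The firewall log review above benefits from a small script that aggregates denied connections per source rather than reading entries one by one. The following is an added example, not part of the checklist; it assumes a space-separated "date time action proto src dst dport" log layout (the lines are constructed, using documentation address ranges) and an assumed threshold of four distinct denied ports, above which a source is reported as a probable port scan.

```python
"""Review firewall deny logs for sources probing many ports.

Added example, not from the checklist. The log format is an assumed
space-separated "date time action proto src dst dport" layout and the
lines below are constructed (documentation IP ranges). A source that is
denied on many distinct ports in a short window is the classic sign of
a port scan and worth a closer look.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed sample log.
SAMPLE_FIREWALL_LOG = """\
2004-03-08 03:14:02 DENY TCP 203.0.113.7 192.0.2.10 135
2004-03-08 03:14:02 DENY TCP 203.0.113.7 192.0.2.10 139
2004-03-08 03:14:03 DENY TCP 203.0.113.7 192.0.2.10 445
2004-03-08 03:14:03 DENY TCP 203.0.113.7 192.0.2.10 1433
2004-03-08 03:14:04 DENY TCP 203.0.113.7 192.0.2.10 3389
2004-03-08 09:20:15 ALLOW TCP 198.51.100.4 192.0.2.10 80
2004-03-08 09:21:40 DENY UDP 198.51.100.9 192.0.2.10 161
2004-03-08 11:00:00 ALLOW TCP 198.51.100.4 192.0.2.10 443
"""

SCAN_PORT_THRESHOLD = 4   # distinct denied ports per source (assumed)


def parse_line(line: str) -> dict:
    day, clock, action, proto, src, dst, dport = line.split()
    return {
        "when": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
        "action": action, "proto": proto, "src": src, "dst": dst,
        "dport": int(dport),
    }


def denies_by_source(log_text: str) -> dict[str, list[dict]]:
    """Group DENY records by source address; ALLOW records are dropped."""
    grouped: dict[str, list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "DENY":
            grouped[rec["src"]].append(rec)
    return dict(grouped)


def suspected_scans(log_text: str, threshold: int = SCAN_PORT_THRESHOLD) -> dict[str, dict]:
    """Sources denied on at least `threshold` distinct ports, with ports and time window."""
    findings = {}
    for src, recs in denies_by_source(log_text).items():
        ports = sorted({r["dport"] for r in recs})
        if len(ports) >= threshold:
            times = [r["when"] for r in recs]
            findings[src] = {
                "ports": ports,
                "denies": len(recs),
                "window_seconds": int((max(times) - min(times)).total_seconds()),
            }
    return findings


if __name__ == "__main__":
    for src, info in suspected_scans(SAMPLE_FIREWALL_LOG).items():
        print(f"{src}: {info['denies']} denies on ports {info['ports']} "
              f"within {info['window_seconds']}s")
```

On the sample, one source is denied on five different ports within two seconds and is reported; the single SNMP deny from the other source stays below the threshold. Tune the threshold to your own log volume, and treat a reported source as a reason to check the same address in the Event Log, not as proof of compromise.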
Identity Theft
- Advise employees to be alert to identity theft by
reviewing accounts online frequently to spot unauthorized transactions,
and to review all monthly statements for unauthorized activity.
- Advise employees to call the account provider if they do not
receive a monthly statement in the mail.
- Advise employees to obtain credit checks annually
to see if anyone has opened a new account in their name.
Contact Collins at
Carlton@AccountingSoftwareAdvisor.com with questions or comments.
J. Carlton
Collins, CPA, president of ASA Research, LLC, is an independent author,
lecturer, and analyst in the accounting systems industry. He has installed
more than 200 accounting systems, and delivered 1,800 lectures around the
world on the subject of accounting systems and technology. Collins has
published extensive accounting system reviews which can be seen at
www.accountingsoftwareadvisor.com.