Secure communication between accountants and their clients: The role of the client portal




The importance of security

An audience poll conducted at a recent ICAEW event revealed that, when it came to cloud software, security was the number one concern for almost a quarter of respondents (24%). [1]

How seriously do you take security? The Information Commissioner's Office advises organisations that they should "Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen." [2] Much of the information that accountants hold on their clients falls into this category: details of income received and tax paid; pension arrangements; business turnover, profits and future plans.

A lot of this sensitive financial information is not merely held in static systems; it is also continually being transferred and transmitted, whether as a spreadsheet on a laptop, data on a memory stick or a set of accounts emailed to a client for approval. When it comes to email, the Information Commissioner's Office urges organisations to "Consider whether the content of the email should be encrypted or password protected." [3] How many accounting practices actually do this? How would clients react to the change?

Public document exchange

As an alternative to email, many organisations and individuals are now using public file sharing and document exchange websites, such as Dropbox, Google Drive, SugarSync and Cubby. At their most basic, these services allow you to back up files from a local PC (or Mac) to your personal online storage area. Most of these sites also allow you to share stored files with others, in a private, one-to-one arrangement.

Although some practices use these public websites to share files with their clients, many accountants have raised concerns over security and other matters. [4] These concerns centre on five main issues:

- The propensity of high-profile, public systems to attract the attention of hackers (the so-called "hacker magnet" effect).
- The security of these public systems, bearing in mind that some have already been compromised. [5]
- The fact that uploaded files are not automatically encrypted before they leave the user's machine; whatever encryption the provider applies at rest, the provider holds the keys.
- The confidentiality of information, given that some file sharing websites allow their staff to have access to unencrypted data. [6]
- The US location of the servers hosting the majority of these services. [7]

Secure client portals

Secure client portals offer an alternative to public file sharing and document exchange websites. Their main point of difference is that, while the likes of Dropbox were designed for file backup and storage and had file sharing features added later, [8] client portals have been designed from the outset to provide an online platform for file sharing and collaboration. A properly designed client portal can therefore offer a lot more than a traditional document exchange system. CCH Portal, for example, allows you to send and receive messages within a closed, private environment, a bit like a private email system whose messages never leave the portal.

Personalised communication

In a typical accounting practice there are a multitude of different relationships between partners, staff and clients. One individual may be a personal taxpayer, a director of a company and also a partner in another business. For each kind of work that the practice performs on their behalf, a single client may have multiple contacts within the practice; they may also have a variety of relationships to other clients, for example as a spouse, co-director or business partner.

By using the contact and relationship information held in the CCH Central client database, CCH Portal allows you to build on these existing relationships. So, for example, you can send a secure, personal message to all the directors of a company and, when a reply is sent, the recipient will be alerted personally while the remaining members of the designated client team will see the message on the client file in CCH Central. Because CCH Portal also uses the existing team security settings, any client files published on the Portal remain confidential within the appropriate practice team.

Keeping your client communication secure

Client portals certainly have the potential to be more secure than email. However, in order to fulfil this potential, the portal provider must take steps to ensure data security on a number of levels. Security is vitally important to all parties. In order to feel comfortable using the system, clients need to feel confident that sensitive, private information is safe; practices are acutely aware that data breaches could have a catastrophic impact on their reputation as a trusted adviser. So in the rest of this paper we will be looking at the ways in which security is addressed in the CCH Portal.

Security in the CCH Portal

A number of interlocking levels of protection are required to make a system truly secure. On the CCH Portal we ensure security by the following measures.

Password complexity

Before you even start to invite clients to join, the CCH Portal allows you to set the required level of password complexity, including the overall length of the password, plus:

- the number of uppercase letters required
- the number of lowercase letters required
- the number of digits required
- the number (and type) of special characters required, such as %, ? and *

Each of these can be set to zero, in which case that class of character is not required (but is still permitted).

Password security

Importantly, neither the practice nor CCH holds a record of any client's password. If a user forgets their password they can click a "forgotten password" link to receive a temporary password, which triggers a request for them to reset their permanent password. By allowing clients to manage their own access, CCH Portal frees the practice from ongoing administration. Note that this makes the client's email account the recovery channel: anyone who can read that mailbox can use the reset, so clients should protect it accordingly.

Login security

When clients have been set up to use the Portal, they are sent an email with a link to the activation page. In order to complete the activation process and create their personal password, clients must also enter their activation ID which, for security purposes, should be sent separately, either by email or by post. The two-channel design only helps if the two secrets really travel by different routes; if the link and the activation ID both arrive in the same mailbox, compromise of that mailbox is enough to complete activation, so post (or a phone call) is the stronger choice.

Physical security of the hosting servers

A system cannot be more secure than the physical platform on which it runs. The data centres which run the CCH Portal servers (on which your own individual client portals run) employ a number of measures to protect them from power failure, physical intrusion and network outages. The hosting site has been awarded ISO/IEC 27001 certification, an international information security standard covering policies, controls and processes. [9]

In 2012 it also achieved SSAE 16/ISAE 3402 attestation. This required an audit conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) 16, laid down by the Auditing Standards Board of the American Institute of Certified Public Accountants, and the International Standard on Assurance Engagements (ISAE) 3402, laid down by the International Auditing and Assurance Standards Board. [10] Both attest to the data centre's controls, not to the portal application itself.

Encryption

CCH Portal uses the 256-bit Advanced Encryption Standard (AES-256). Asymmetric (public-key) encryption is also used, with the two keys of the pair held in separate locations to maximise security. AES is a symmetric cipher, so the safety of the data rests on the safety of its single key; in the usual arrangement the asymmetric pair protects the AES keys rather than the documents themselves, which is why keeping the private half of the pair away from the servers matters.

Certification

The site is secured with an independent SSL/TLS certificate provided by security specialists, Symantec. SSL provides your clients with the visible reassurance of the familiar closed padlock and https website address, and is the same kind of security used by banks and other financial institutions. The padlock confirms that the connection is encrypted and that the server's identity has been verified; it says nothing about how data is handled once it arrives. (Symantec's certificate business has since been distrusted by the major browsers and sold to DigiCert, so any certificate issued today chains to a different root.)

Independent security testing

The security measures used to protect the CCH Portal servers have been penetration tested by a third-party specialist to probe for security vulnerabilities and ensure robustness and resistance to malicious attack. While no serious vulnerabilities were discovered during this process, further security enhancements were added following the testing. A penetration test is a point-in-time check; when evaluating any portal, ask when it was last repeated and whether the application itself, not only the servers, was in scope.

Audit trail

A full audit trail is retained in CCH Central showing every transaction on the Portal, including date and time and the IP address of anyone accessing the Portal or reviewing and approving documents.

To prevent the risk of compromise, some security details have been omitted from this document. If you have specific questions about security, in the first instance please contact Christa Spencer at christa.spencer@wolterkluwer.co.uk.
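The password complexity, password security and login security measures described above, as an added example in Go. This is not CCH's code and nothing is known about how CCH Portal implements these controls; it shows one sound way to do what the text describes. A configurable policy is checked where zero means "permitted but not required"; the activation link token and the separately sent activation ID are stored only as hashes, compared in constant time, expire, and can be used once; and the password is kept only as a salted PBKDF2-HMAC-SHA256 hash, so the system holds no record of the password itself. The type and function names, the token sizes, the iteration count and the sample password are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
	"unicode"
)

// Policy holds the configurable minimums; a zero means that class is permitted but not required.
type Policy struct{ MinLength, Upper, Lower, Digits, Special int }

// Check counts runes in each class and reports the first unmet minimum.
func (p Policy) Check(pw string) error {
	classes := []func(rune) bool{func(rune) bool { return true }, unicode.IsUpper, unicode.IsLower,
		unicode.IsDigit, func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }} // e.g. % ? *
	want := []int{p.MinLength, p.Upper, p.Lower, p.Digits, p.Special}
	names := []string{"characters", "uppercase letters", "lowercase letters", "digits", "special characters"}
	for i, is := range classes {
		have := 0
		for _, r := range pw {
			if is(r) {
				have++
			}
		}
		if have < want[i] {
			return fmt.Errorf("need at least %d %s", want[i], names[i])
		}
	}
	return nil
}

const Iterations = 50_000 // PBKDF2 work factor; argon2id would be the better choice in production
// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block, written out so nothing outside the standard library is needed.
func pbkdf2(pw, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pw)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for block 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // there is no safe fallback when the CSPRNG fails
	}
	return b
}

// Credential is all the portal keeps about a password: a salt and a one-way hash, never the password itself.
type Credential struct{ Salt, Hash []byte }

func (c Credential) Verify(pw string) bool {
	return subtle.ConstantTimeCompare(pbkdf2([]byte(pw), c.Salt, Iterations), c.Hash) == 1
}

// Activation is a pending invitation; only hashes of the two secrets are stored, so a copied table cannot be replayed.
type Activation struct {
	LinkHash, IDHash [32]byte
	Expires          time.Time
	Used             bool
}

// Invite returns the token for the emailed link, the activation ID for the second channel and the record to store.
func Invite(now time.Time, ttl time.Duration) (link, actID string, rec *Activation) {
	link, actID = fmt.Sprintf("%x", randomBytes(32)), fmt.Sprintf("%x", randomBytes(6))
	return link, actID, &Activation{sha256.Sum256([]byte(link)), sha256.Sum256([]byte(actID)), now.Add(ttl), false}
}

// Activate compares both secrets in constant time (always both, so timing does not reveal which failed),
// enforces the policy on the chosen password, burns the invitation and returns the credential to store.
func Activate(rec *Activation, now time.Time, link, actID, chosen string, pol Policy) (Credential, error) {
	if rec.Used || now.After(rec.Expires) {
		return Credential{}, fmt.Errorf("activation expired or already used")
	}
	l, a := sha256.Sum256([]byte(link)), sha256.Sum256([]byte(actID))
	if subtle.ConstantTimeCompare(l[:], rec.LinkHash[:])&subtle.ConstantTimeCompare(a[:], rec.IDHash[:]) != 1 {
		return Credential{}, fmt.Errorf("activation link or ID is not valid")
	}
	if err := pol.Check(chosen); err != nil {
		return Credential{}, err
	}
	rec.Used = true
	salt := randomBytes(16)
	return Credential{salt, pbkdf2([]byte(chosen), salt, Iterations)}, nil
}

func main() {
	link, actID, rec := Invite(time.Now(), 72*time.Hour)
	cred, err := Activate(rec, time.Now(), link, actID, "Ledger-2013x", Policy{MinLength: 10, Upper: 1, Lower: 1, Digits: 1, Special: 1})
	fmt.Println("activation error:", err, "| login ok:", err == nil && cred.Verify("Ledger-2013x"))
}
```

The same Invite/Activate pair serves the "forgotten password" flow: the reset link is a fresh single-use token, and a failed attempt deliberately leaves the invitation unused so that a typo does not lock the client out, while a successful one can never be replayed.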

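The encryption arrangement described above (AES-256 for the data, plus an asymmetric pair whose two halves are kept apart) is what envelope encryption looks like in practice. The following is an added example in Go, not CCH's code, and it is an assumption that CCH Portal uses this particular pattern. Each document gets its own AES-256-GCM data key; that key is wrapped with RSA-OAEP under a public key that can safely sit on the portal server; only the private key, held in the separate location, can unwrap it. The document identifier is bound as associated data so a ciphertext cannot be swapped onto another client's record. Key size, OAEP label, type names and the sample document are choices of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what the storage tier keeps for one document. Nothing in it can be
// opened without the RSA private key, which lives elsewhere (an HSM or a KMS).
type Envelope struct {
	WrappedKey []byte // 256-bit AES data key, encrypted with RSA-OAEP under the public key
	Nonce      []byte // 96-bit GCM nonce, fresh for every document
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

var oaepLabel = []byte("portal-data-key") // ties wrapped keys to this one purpose

// NewKeyPair generates the wrapping pair. In deployment only the public half is
// placed on the portal servers; the private half stays in the separate location.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal encrypts one document under a fresh AES-256 data key and wraps that key
// under the public key. docID is authenticated as associated data (AAD).
func Seal(pub *rsa.PublicKey, docID string, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(docID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // the plaintext data key never outlives this call
		dataKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the data key with the private key, then decrypts and verifies.
// Tampering with the ciphertext, nonce, wrapped key or docID makes it fail.
func Open(priv *rsa.PrivateKey, docID string, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(docID))
}

func main() {
	priv, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample document; the identifier is an example path, not a real record.
	env, err := Seal(&priv.PublicKey, "client-42/accounts-2012.pdf", []byte("constructed sample: draft accounts"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, "client-42/accounts-2012.pdf", env)
	fmt.Printf("%d-byte ciphertext, recovered %q, err=%v\n", len(env.Ciphertext), pt, err)
}
```

Because the server only ever needs the public key to write, a compromise of the web tier exposes wrapped keys and ciphertext but not the means to open them; the audit question for any provider is therefore where the private half is held and who can invoke it.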
Conclusion A properly designed client portal offers a viable alternative to insecure email and public file sharing websites for the exchange of sensitive financial information. The CCH Portal was designed specifically for accounting practices and offers secure two-way communication between members of a practice and their clients. Because it uses existing information about clients and the teams that support them, CCH Portal helps to support good client relationships. CCH Portal ensures the security of data and documents through a series of interlocking measures, from the physical security of servers and the encryption of data to private passwords and full audit trails.

References

1. ICAEW IT Faculty Cloud Event, 17 April 2013. Results reported on the ICAEW website at http://www.ion.icaew.com/itcounts/26699
2. See the ICO website at http://www.ico.org.uk/for_organisations/data_protection/security_measures
3. As above.
4. See, for example, the discussion at http://www.accountingweb.co.uk/anyanswers/question/does-anyone-use-dropbox
5. As reported in http://www.accountingweb.co.uk/article/dropbox-users-reset-yourpasswords/530292 and http://techcrunch.com/2011/06/20/dropbox-security-bugmade-passwords-optional-for-four-hours/ See also the official Dropbox account of this incident at https://blog.dropbox.com/2011/06/yesterdays-authentication-bug/
6. Reported in http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
7. For a discussion of the USA PATRIOT Act, see http://www.zdnet.com/blog/igeneration/case-study-how-the-usa-patriot-act-can-beused-to-access-eu-data/8805
8. See, for example, http://en.wikipedia.org/wiki/dropbox_(service)#history
9. See http://www.27000.org/iso-27001.htm
10. See http://www.ssae-16.com/category/isae-3402/

Keep informed: CCH Insight

CCH Insight provides free, topical information about the challenges and opportunities facing accountants, tax practitioners and finance professionals. It brings together research, commentary and news collected by technical specialists who work across the CCH business on our books, magazines, online reference, software, training and fee protection services. Articles, white papers, surveys and business tools are available in the following topic areas:

Tax Insight: our tax specialists write on a wide range of topics such as changes to tax regulations, dealing with HMRC enquiries and plans for tax simplification.

Accounting Insight: recent topics have included IFRS and mandatory online iXBRL filing.

Audit Insight: our specialists provide information and commentary on matters of topical interest to auditors, such as Clarified ISAs.

Practice Development Insight: experts from across CCH use their knowledge and experience of accountancy, business and marketing to identify emerging opportunities for practice efficiency, business development and new services.

Bookmark CCH Insight at www.cch.co.uk/insight