You want to be healthy, right? Doctors tell us to eat foods that are good for us, so we read the nutritional information on the back of food packaging, and while we may not always choose what is best, it’s hard not to think about our health—at least sometimes.

But what about your computers? How often do you consider their health? Do you know the potential impact your software has on your network’s health? Do they protect client data stored inside your networks or put it at risk?

So many times you look to software to give you the right information at the right time. But do you ask if that same software protects that information?

Go to a typical software vendor’s website and while you might see the equivalent of a dinner menu describing the item and a list of prices, do you see a list of the software’s “ingredients?”

Do you know what language the software is written in? Know if the database is in a proprietary language or a well-known language—and well-supported? And most importantly: Do you know if the personal identity information of your clients included in that software is protected—at all times?

Security Standards
The CalCPA Technology Committee is helping to draft a document to aid software purchasers on how to start asking these hard questions about security.

Recent news reports spotlighting the hundreds of thousands of ChoicePoint and Bank of America customers who suffered potential identity theft make it more critical than ever to know how our software applications affect the security of our data.

And while Congress crafts privacy legislation for the nation, California businesses are bound by the nation’s most stringent privacy protection laws, SB 1386 and AB 1950, which require companies to take reasonable measures to regularly protect the data on computers and networks.

The committee’s draft standards cover the following for software security:

• Protection of private data at all times in the software.
• Supporting the use of restricted user in the operating system.
• Supporting the use of restrictions to users within the software.
• Ensuring that the transmission of personal identity information between sender and receiver is always encrypted using industry standards such as AES.
• Ensuring that every data field that contains personal (or firm) identity information, bank accounts, federal tax identifications or other private information always be encrypted using industry standards such as AES.
• Protection provided by the software shall be documented by the vendor and easily determinable by the CPA to ensure that the client’s personal identity information is continuously protected.
• The software is written in a supported computer language.

Security and CPAs
While you may store your clients’ personal information at other places inside your firms, inside your accounting software is a guaranteed location for this information—and if you’re not careful in selecting software that protects this data, you could be compromising the privacy of your clients’ data.

Yet, if I asked you whether or not the data fields that hold your clients’ Social Security numbers inside your accounting software protect that information with a layer of encryption, could you confidently answer “yes”?

Would you even be able to obtain the answer by visiting the vendor’s website?

If your accounting software’s supporting documentation states that it requires local administrator privileges or power user privileges in the Windows desktop, it is not helping you protect your desktop.

So the next time you buy software, read the ingredient panel. If it’s not there, ask your software vendor for their detailed listing of ingredients of that software. Make sure you are choosing the “healthiest” software possible.

Susan E. Bradley, CPA, CITP, MCP, GSEC is a partner with Tamiyasu, Smith, Horn and Braun and chair of the CalCPA Technology Committee. You can reach her at sbradley@tshb.com.