« Got GIF? Financial Literacy in 140 Characters or Less | Main | Strategic Business Skills Are Not Just for the CFO Anymore »

Make it or Break it with IT Policies and Procedures

SecurityOpen the newspaper, and you’ll find no shortage of stories about sensitive corporate information getting into the wrong hands. How can you ensure this doesn’t happen to your organization? Solid IT policies and procedures. They are critical components of an organization’s umbrella IT strategic plan and are designed to prevent serious operational problems. In general, security policy and procedures include assessing your organization’s assets and holdings, evaluating them against threats or risks for exposure and having the right tools and techniques in place to manage those threats and risks.

A security policy doesn’t need to be set in stone, but rather, should act as a living document that must adapt as new challenges arise. Even with the proper tools, techniques and clear objectives in place, the policy is only as effective as the staff that implements it. Solid communication, as well as a robust IT and security team, is key. It is only through communicating the purpose and objectives of your policy that your staff can understand how to carry it out and act when threats or risks come about.

Why You Need a Policy

The two main goals of any security policy are to define controls across the organization, and then effectively communicate the goals and beliefs throughout the company or firm to ensure compliance. “Policies are the basis of any security program,” said Don West, CPA,CITP, owner of his own firm. “You have to establish the tone at the top, get senior-level management on board and be ready to carry out high-level information security principles.”

Your policy should be designed to:

  • Protect people and company assets.
  • Set baseline expectations for behavior by all personnel.
  • Give security personnel access to audit, monitor and investigate incidents.
  • Define, determine and deliver consequences for infractions and violations.
  • Illustrate the company's baseline security stance.
  • Minimize risk whenever, wherever possible.
  • Show compliance with governance principles and regulatory mandates.

Policy Objectives

A policy’s objectives outline a plan for giving your employees the knowledge and understanding to take action when a security threat arises. Security is a moving target; the strategy for protecting your most sensitive information varies by organization, access control and the technology used to secure it. Make sure you assess your own firm or organization’s situation and make decisions accordingly.

Securing Infrastructure and Information

“With more and more criminal breaches, valuable information and data is placed in the wrong hands, making a solid infrastructure a must,” said West. “This involves a cycle of auditing, monitoring and reviewing to ward off the attackers that come from so many different angles and mediums.”

In this case, the “InfoSec Triangle” is especially vital. The triangle has three parts: confidentiality, integrity and availability.

  1. Confidentiality: restricting access of private communications and messages to only those authorized
  2. Integrity: ensuring those communications and messages come from honest, reliable sources providing authentic and accurate information
  3. Availability: providing authorized sources availability to that information at any time.

“The first step is identifying and assessing the risk through routine checks, which is a formal, rigorous process,” said West. “Then, you must weigh that risk across four primary strategies: risk avoidance (elimination), risk reduction (mitigation), risk retention (accepting) or risk transference (outsourcing). Choosing the correct strategy depends on the severity of the risk at hand, and which solution or outlet you need to handle that risk.”

Who Can You Rely On?

While it may seem that IT policies and procedures are difficult to create and implement, an organization doing business needs to have a plan with measurable goals and objectives. A good first step is to seek out the best people for your team to guide you throughout the process. Those should include subject matter experts, security consultants and experienced specialists, including those with a CPA.CITP credential. Specialists with this AICPA credential demonstrate advanced knowledge of IT and can provide you with the advice you need to select the right tools, technology, techniques and strategies for thwarting off attackers.

For more information about security and privacy, visit the AICPA Information Management and Technology Assurance (IMTA) Section’s webpage. And for a live, interactive security and privacy discussion, join the AICPA and top cyber security experts in a live Twitter chat on June 5th at 4pm EST. Follow the AICPA Twitter account and include #AICPAimta in your replies.

Susan Pierce, CPA, CITP, CGMA, Senior Technical Manager – IMTA, American Institute of CPAs. Susan drives the strategic mission of providing value to the IMTA professional, the CITP credential holder and the technology engaged CPA. 

Lock courtesy of Shutterstock.


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily