Working Effectively in Accounts and Finance Data Protection and Document Security
Previous Lesson Revision
AAT ethical principles.
Legislation that covers information held about individuals.
Aims of the Session
Data protection for hard data.
Data protection for soft data.
Systems security.
Physical security.
Confidentiality as an ethical principle.
The Data Protection Act 1998
Covers information about living, identifiable persons.
All organisations must comply.
Covers both manual and computerised information.
Data must be obtained fairly.
Data must not be held for longer than necessary. However, financial records must be kept for 6 years and, once no longer required, must be destroyed by shredding, burning, etc. Payroll data needs to be kept for 3 years.
Even out-of-date information can be damaging.
Data protection requests: individuals have the right to know what is being held about them, the purposes for which it is held and the recipients to whom the information has been disclosed.
Freedom of Information Act 2000
Covers public bodies.
Not really relevant here, but useful to know of its existence.
ICEPOP
Confidentiality as an ethical principle.
Not everyone in an organisation needs access to all information.
Confidentiality doesn’t just refer to clients, but to company data too.
Documents should be stored securely.
Regular backups.
The HR function may have sensitive information which needs to be held securely, e.g. in locked filing cabinets.
Do the sales team need to know, or even have access to, appraisals, even if it’s just for the maintenance man? Do they need to know the cost of a product? Does the HR team need to know the cost of a product and profit margins?
Do you want all your customers knowing what you charge them? Prices might vary and you want to make the most profit from them (ethically speaking, of course).
Financial documents need to be stored for 6 years plus the current financial year. Payroll documents for 2 years.
There should be regular system backups in order to protect soft data.
When Can You Break Confidentiality?
Written permission from the client.
Disclosure is required by law.
Professional duty to disclose.
To a bank, potential investor, etc.
You suspect a client of bribery, money laundering or funding terrorism.
Maybe to comply with technical standards, to protect your professional interests, or when responding to the requests of a professional body.
Computer Misuse Act 1990
Makes it a criminal offence to use or alter any computer data, programme or service to which you have not been granted authorised access rights.
Created 3 new criminal offences:
Unauthorised access.
Unauthorised access with the intent to commit another offence.
Unauthorised modification of data or programmes.
I.e. hacking, and the introduction of viruses and other malicious software.
Unauthorised access includes using someone else’s login details, laying a trap to obtain someone else’s ID, or persistently trying to guess an ID and password.
Access with intent to commit another offence: such as fraud by manipulating information, changing admin records, or reading confidential information.
Unauthorised modification: introducing viruses, or attempting to disrupt or impair the normal operation and processes of the system.
Systems Security
Prevent hacking. Prevent viruses and malware.
Who might want to hack? The North Koreans, rival businesses (industrial espionage), groups with a ‘vested interest’, mischief makers.
What do they hope to achieve? They might want to get industrial secrets (i.e. the Coke recipe) for their own means, might want to find out other ‘secrets’ to expose the company (work practices), or might just want to cause chaos.
Reduce the risk by: anti-virus software; controlling the use of external hardware and software; passwords and timing out sessions.
To prevent hacking you may wish to think of the physical security of the computer equipment, especially laptops and tablets. They can be easily stolen or forgotten if travelling by public transport. External disk drives, USB sticks, etc. may hold valuable information and these need to be protected too. Back in the old days hard drives were removed from computers and stored in locked cabinets to stop them from being stolen.
Should data be encrypted? It depends on where it’s going; a risk assessment might be needed to decide.
Open systems, such as those in a library, might need to have logs to see which member has logged on; they may even track what websites they’ve visited.
Viruses and malware can be prevented by not using external hardware (USB sticks, etc.), not downloading software that you haven’t got permission to download, reading emails carefully and not clicking any links that may lead to dodgy downloads, and scanning downloads and external hardware with virus checkers (there are free ones available such as Avast and AVG).
Prevention is better than cure.
I received this email from Paypal, but is it real?
What would show that it isn’t real? The email isn’t addressed to me, which real Paypal ones are.
What would you do to check? Not click on any links, but open a separate window and log into your account, or call Paypal or the bank and ask.
Effects of Poor Security
Theft, or more targeting.
Malicious damage.
Loss of confidentiality.
Leading to: damage to a business’ reputation; possible loss of clients.
Passwords
Passwords should be:
Strong: contain a mixture of letters, numbers and symbols.
Changed frequently (i.e. every 90 days).
Not shared between users, nor should you allow people to use your login.
Not duplicated between accounts: your login to the computer should be different from your online resources, and you shouldn’t have the same password for your bank account and your email account.
Stored securely (not under the keyboard).
Not reused.
Physical Security
Threats to the physical entity of the business, such as: fire; flood; power surges; theft of equipment or belongings.
How might this be negated?
Businesses need to have ‘well drilled’ staff for fire alarms, bomb alerts and other civil emergencies (for example a gas leak when the new link road was being put in; in 2016 in Liverpool 7 unexploded WW2 bombs were found).
Negated by a signing-in process, burglar alarms, maintained fire alarms, rehearsed fire procedures, staff badges, door locks, etc.
This should all be risk assessed by the business, as well as taking into account legal requirements. A business might store backups and non-current information off site; they may use an external agency to destroy documents if they don’t have the facility; contingency plans need to be in place for worst-case scenarios and communicated where possible.
Scenario
Bronn, a client who provides security services, calls you to find out if Tyrion (a local jeweller and a customer of you both) has been paying his invoices, as Bronn has struggled to get payment. You know that Tyrion is rather slow paying his invoices. What do you do? You don’t want to upset Bronn.
Questions
Lesson Recap
Data and information security is everyone’s responsibility.
Physical and cyber security both need to be considered.
Keep passwords safe.
Think about what information you’re disclosing.
Exercises