Technology Issues: Information security still tops AICPA's list

When the American Institute of CPAs' top tech gurus sat down to coordinate its annual top technology initiatives survey for 2007, they decided to broaden its focus to identify technology issues - not just products - in an effort to bring a more practical bent to the project. "It's not from a 'gee-whiz-wow' perspective," explained David Cieslak, CPA, CITP and chair of the AICPA's Top 10 Technology Initiatives Task Force for the second year. "Each of these [issues] is framed as an initiative that you could put your arms around and pursue as an organization. We came at it from a fresh angle."

For the fifth consecutive year, information security management topped the list as the most important and influential technology concern among financial professionals. More than 50 percent of the roughly 1,500 IT people involved in the institute's annual technology issues rankings voted for information security management as the top concern, according to task force member Jim Bourke, CPA, CITP, who also serves as partner-in-charge of internal technology at the CPA and business advisory firm of WithumSmith+Brown, in Red Bank, N.J.

The task force defined information security management as a systematic approach that encompasses people, processes and IT systems to safeguard critical systems and information, protecting them from internal and external threats.

"I think in previous years the thought was that [information security management] was the 10,000-pound gorilla," said Cieslak, principal at Arxis Technology in Los Angeles. "I think in many ways people couldn't not vote for it. This year, the thought was some of this was going to be re-oriented with an initiative focus that maybe security would slip out of first place. While information security will always be an area of concern, apparently folks feel there's undone business or enough hasn't been addressed within their own organizations or professions in the financial world. Despite the work we've done, there's still more to be done."

PICKING THE ISSUES

Now in its 18th year, the AICPA survey measures the impact of technology on financial management and fiduciary responsibilities, such as safeguarding business assets, overseeing business performance, and regulatory compliance.

The brainchild of the institute's IT Executive Committee, the annual poll is a collaborative effort between holders of the AICPA's Certified Information Technology Professional credential, the Information Technology Alliance, and the Information Systems Audit and Control Association. Once the bodies decided on a list of 30 initiatives, those were distributed to the more than 1,500 participants who were asked to pinpoint and rank those they felt would have the most significance over the next 12 to 18 months.

Second on the list, up from sixth last year, is the concept of identity and access management, or ensuring that users are who they say they are and then giving them the appropriate access to systems and data based on pre-established agreements.

Other returnees to the Top 10 Tech list were: conforming to assurance and compliance standards at No. 3; privacy management, No. 4; disaster recovery planning and business continuity management at No. 5; and IT governance at No. 6.

In 2007, four new initiatives made the bottom half of the roster: securing and controlling information distribution; mobile and remote computing; electronic archiving and data retention; and document, content and knowledge management.

According to Cieslak, information security can be broken down three ways: threat, vulnerability and risk. Threat is defined as something beyond an end user's control that presents a potential danger to the user's data or infrastructure. Vulnerability is something within an end user's control, and refers to security readiness in light of a general or specific threat. Finally, risk is the culmination of threat and vulnerability.

"A lot of individuals are using Web-based applications and are storing their data outside of their firms and outside of their companies. My client is going to want to make sure that data is secure," said Bourke. "I think what has really driven information security is that our data is out there and you want to make sure it is protected. All you need is one episode to bring it to everyone's attention."

Bourke said that his firm uses an application service provider to store data, and suggests placing information in multiple secure off-site data centers. "Do a site visit," he urged. "Don't just take their word for it. Visually see what kind of building, security and access they provide. You want to feel it, touch it. Don't just buy into it."

The second-ranked tech initiative - identity and access management - encompasses the hardware, software and processes used to authenticate an individual user's identity.

"It is so tight," Bourke said, referring to the close relationship between identity access management and information security management. "It deals with the ways people access their data. Companies are coming up with new and unique ways without having to deal with passwords."

Some of those unique ways include biometric devices triggered by an individual thumbprint, which in turn gives that person access to particular data.

Cieslak said that more companies are moving towards multi-factor authentication, which combines something you know, such as a password, with something you have, like an encrypted token, or something you are, like a thumbprint or retina.

"It's no surprise at all," Cieslak said of the initiative's jump up the list. "The largest threats out there are people's information getting stolen, getting client data, getting our own personal information. So, what are the steps we can take to protect ourselves? That is absolutely front and center."

Conforming to assurance and compliance standards, an initiative that focuses on creating formalized strategies and systems to address organizational goals and statutory requirements, finished in second place on last year's list, but was bumped down a notch in 2007 - a slip that Cieslak's not too worried about. "I really think it's better to look at this list as a whole," he advised.

Bourke described document, content and knowledge management, No. 10 on the list, as "rolling through the public profession now like wildfire."

"Firms are scanning client data and they are having access to that data 24/7," he added. "The days of storing manual files are gone. Companies are starting to digitalize their files [and] databases, and are now searching through that data electronically. Your old file rooms die an old death because you stop adding to them."

Task force members also offered five "honorable mentions" from the survey: training and awareness; business process improvement, and workflow and process exception alerts; improved application and data integration; Web-deployed applications; and enterprise-system management.

For more information, visit www.aicpa.org/infotech.
