BUSINESS START UP - WORKSHOP - COMPUTERIZED ACCOUNTING

J.c. Security Over Data Access

20. If you are not the only person in your organization, it is imperative for you to have sufficient and effective security against unauthorized access to your programs and data files. It is not necessary for your staff and/or “outsiders” to be able to look at your books and your personal and sensitive information. This can be controlled by means of a password. Just remember that it must be a password that you are not likely to forget as forgetting it will mean that you, too, do not have access to the files and that can present a whole different set of problems all on it’s own. If your books are being done by a bookkeeper/accountant, it might be an idea to ask them about the security that they have on their systems. Your business is your business and has nothing to do with anyone else; therefore no-one else should have access to it without your knowledge and permission.

21. The computer programmers should also not have access to your live data files. So if programmers are doing work on your computer (this is highly unlikely in a small or medium size business, but may well be the case in larger firms), access to your live files should be restricted. This can also be controlled by means of a password.

22. If you have several staff members and access thereto is controlled by means of passwords, the following controls should be implemented:

a. A formal password standard. Staff should be made aware that they should not use passwords such as nicknames, dates of birth, and so on. It is also recommended that passwords be made up of both alpha and numerical digits. This makes it more difficult to break into. A decision should be made as to who (in terms of designation rather than people themselves) has access to what. For example, it is not necessary for an employee in personnel to have access to the banking and financial files. The requirements for each job specification should be documented and staff profiles be set up accordingly.

b. Passwords should be changed on a regular basis – at least once a quarter. In some of the larger companies the computer system can be set to force a password change every so many days. This is crucial in financial institutions where security is very high, but in the normal day to day activities of small businesses, it is not so crucial. However, it is still recommended that the passwords be changed from time to time.

c. Passwords should not be displayed on terminals or reports and appropriate steps should be taken to ensure that this does not occur. It obviously invalidates the whole concept of having a password.

d. In the larger companies, the password works very similarly, to say, a pin number on a bank card. If you enter the pin number incorrectly three times (or however many the bank deems reasonable) then it disables that card from being used again. Similarly, if the password is entered incorrectly after, three tries – the whole profile of the person, is disabled. Again, this is not necessary in a small to medium business, but works very effectively in the larger companies, where stricter measures of control are necessary.

e. Again, in the larger companies, where security is necessary, most terminals and the relevant programs can be set to deactivate after a specific period of inactivity. This also assists in deterring illegal usage of your programs. In the smaller businesses, this would be overkill and are really not necessary.

f. In extreme cases, where there has to be a very high level of security, it may be necessary to introduce dual passwords – this is where two people hold parts of a single password. For example, in order to open up a safe that contains diamonds, or large amounts of cash or even in the financial world, where large international financial transactions are taking place, it may be necessary for one person to hold, say, the first 6 digits of a code and the second person to hold the last 6 digits of a code. In this manner the responsibility of the transaction is held equally by both parties. Again, this would not be necessary for the small business or unit owner – it is a good idea however, to let people know what is available out there.