How Bruce Schneier secures his laptop

On the heels of this recent story out of the UK about the government losing 25 million citizens’ personal data, IT security guru Bruce Schneier provides his tips on securing your laptop, especially critical for those of us with client data on our drives:

Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.

Strong passwords are the first step to protecting your firm’s and your clients’ information assets. Assigning a strong password using a combination of lower and uppercase letters, numbers and special characters is far more important than changing your password frequently. It has been my experience, however, that strong passwords just aren’t being enforced as well as they should be.
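To make the two points above concrete (Schneier’s linear-versus-geometric claim and the enforcement gap), here is a small password-policy checker. It is an added example written for this post, not code from Schneier or from any product he mentions. The character classes are the four named above; the policy thresholds (12 characters, 3 classes) and the assumed guess rate of 10 billion guesses per second are illustrative choices, not figures from the post.

```python
import math
import string

# The four character classes the post names. string.punctuation is used as
# the "special characters" set (32 symbols); 26 + 26 + 10 + 32 = 94 total.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def search_space(password):
    """Guesses a brute-force attacker must be prepared to make: alphabet ** length,
    where the alphabet is the union of the classes the password draws from.
    Each extra character multiplies this by the alphabet size (geometric growth),
    while the user only has to remember and type one more character (linear)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def entropy_bits(password):
    """Same quantity expressed in bits; 0 for an empty password."""
    return math.log2(search_space(password)) if password else 0.0


def meets_policy(password, min_length=12, min_classes=3):
    """The enforcement check the post says is so often missing: a minimum
    length plus a minimum number of distinct character classes.
    Thresholds are assumed for this example, not taken from the post."""
    return (len(password) >= min_length
            and len(classes_used(password)) >= min_classes)


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try the whole space at an assumed guess rate."""
    seconds = search_space(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ["password", "passwords", "Tr0ub4dor&3", "Tr0ub4dor&3x"]:
        print(f"{pw:14} classes={len(classes_used(pw))} "
              f"bits={entropy_bits(pw):5.1f} "
              f"policy={'ok' if meets_policy(pw) else 'REJECT'} "
              f"exhaust={years_to_exhaust(pw):.2e} years")
```

Running it shows why the post ranks composition and length above rotation: adding a single lowercase letter to "password" multiplies the attacker’s work by 26, and drawing on all four classes for twelve characters pushes the worst case from seconds into the million-year range, whereas rotating "password" to "passw0rd" every quarter barely moves it.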

There are several whole-disk encryption products on the market. […] The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: no problem; the laptop is encrypted.

I love the idea of simplifying this process in the way described above. Making it easy for non-technical users to implement security measures makes it more likely they will get implemented effectively. And being able to tell your manager or the partner that the client data has not been compromised would help me sleep at night.

Bruce also mentions that the product he uses can encrypt USB drives, which are an essential tool for the modern auditor. I keep mine secure by wiping data from it immediately after transferring to the laptop, but that may not always be immediately possible.

Whole-disk encryption means that anyone at your computer has access to everything. […] I recommend a two-tier encryption strategy. Encrypt anything you don’t need access to regularly — archived documents, old e-mail, whatever — separately, with a different password.

This is a sound strategy for older files, although I prefer his final point:

Minimize the amount of data on your laptop. Do you really need 10 years of old e-mails [sic]? Does everyone in the company really need to carry around the entire customer database?

This is a better strategy for me as an auditor. The only files I need on my laptop are those for the client I’m working on at the moment. That audit that wrapped up last week? It’s on the network, where security isn’t my responsibility! As for email, I try to clear out old stuff annually to keep hard drive usage down, but also to remove potentially sensitive information.

Follow those simple tips and your portable client, employer and personal data will have a much greater chance of remaining out of the wrong hands.


IT audit training for me this week

This week I have a small reprieve from my duties as auditor, as I’m taking part in a training course put on by the firm at the Hilton. The training is related to the internal Information Systems specialization the firm offers, which will allow me to get more experience working with IS at clients and hopefully provide a jumping off point to the CISA designation next year.

I’m pretty excited about the opportunity, since training like this doesn’t come around too frequently. I had to pester a few key people at the office to get into the course, but it’ll be worth it. I think it will be perfect for someone with my interests and aptitude!

Not only that, but the past couple of weeks have been two of the busiest I’ll have all year. It’s no surprise, then, that blog post frequency has suffered as a result. But the end is in sight and things should ease up soon.


Audit committees recognize IT risks should be a focus

Dan Meyer at Tick Marks has brought my attention to a KPMG survey that reports audit committees are becoming more concerned about IT risks on financial reporting.

90% believed that IT oversight deserved more time at audit committee meetings. By contrast, 80% of committee members were satisfied with audit committee oversight of management judgments and estimates and 60% felt that committees were spending sufficient time on these issues.

Good to see audit committees are looking into this area with greater scrutiny. IT is often an area where firms of all sizes could benefit from increased focus and constantly thinking of ways to improve their controls and processes.

But what about the 20% that are satisfied with audit committee oversight of management judgments and estimates, yet do not believe sufficient time is being spent on the issue? How can you feel an area needs more time and still be satisfied with the oversight? This is why looking at surveys is fun.

“The ACI survey findings demonstrate a huge gap between the importance that audit committees place on IT risk and how much time they spend focused on it during their already busy meetings,” Smith said. “Since audit committees generally have only basic IT experience, there may be a reluctance to invite chief information officers and chief technology officers to their meetings, in part, because there is a lack of common vocabulary.”

Audit committees need at least one member with a high level of knowledge of IT as it relates to financial reporting. There is no excuse for lacking someone with a good grasp of the IT risks the organization faces. And CIOs and CTOs aren’t enough: CFOs need a more than basic understanding, and so do people lower down in the accounting department.

I’m really pleased that the CICA has been so proactive towards training CAs on this topic. IT is one of the six topics covered in the professional exam process. (The others are audit/assurance, performance measurement, tax, finance, and organizational effectiveness, control and risk management.) Clearly there is some overlap between the last competency and IT.

An in-depth discussion of the six CA competencies is published by the Institute and available here (pdf).


Your business needs a Backbone

Backbone magazine is a Canadian bi-monthly focusing on business and technology issues. In their own words:

Our primary focus has been on how technology enhances business processes, markets, profitability and productivity. Backbone magazine’s aim is to provide business people with a tangible tool to enhance the way they do business in Canada’s New Economy.

Compare this to the short bullet describing this blog and its focus:

I’m interested in the future of the profession and how technology is changing the way accountants do their job.

Seems like there might be some overlap there. Perhaps an opportunity to work together and learn a thing or two about how technology is changing the way business is being done here and abroad, not just by accountants and accounting firms, but by any and every company.

So I was thrilled to see they picked up a recent post I made about Facebook and LinkedIn for their blog, Backblog.

I found out about Backbone when I strolled through the lobby of my firm’s office and lo and behold, we have a subscription. Naturally, since I was at work, I sat down on the plush sofa and dove right in. Professional development, I figured!

I hope to contribute more of my writing to their fledgling blog in the future. Check it out:


Cell phones become mobile

I’ve been waiting for tomorrow for a long time. The rest of the country has been waiting for tomorrow for a long time. And that time has finally arrived.

Wireless number portability is now here.

Canada is finally catching up with the rest of the world and unshackling phone numbers from phone companies. My number is mine alone, and I’ll be taking it wherever I want!

I’ve already decided to switch. I’ve been with Bell for a couple years now, and although the plan I’m on is pretty good, the reception is often deplorable.

When I’m sitting at my desk at the office, on the 17th floor of a 17-storey building surrounded by no other taller or as-tall buildings, I lose calls within a few seconds of answering them every time. So I’m anxious to try another provider to see if their towers are more advantageously located.

Tomorrow will mark a momentous day for consumers in Canada. It has been a long time coming.