Feature Article
© 2015 Wiley Periodicals, Inc. Published online in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/jcaf.22031
John A. Pendley
Information Security and Cloud-Based Computing: Tools for the Corporate Treasurer
This article describes cybersecurity issues for the financial treasurer. Although job descriptions for corporate treasurers probably don’t mention systems and information security, many treasury services are now digitized, which raises the risk of information being compromised by hackers, malware, or computer viruses. In this information technology (IT) environment, treasury officials are increasingly being asked to justify the steps being taken to secure and control the electronic transactions and digitized data under their jurisdiction. This article will help by describing practices and tools available to secure modern financial processing systems from unauthorized access. © 2015 Wiley Periodicals, Inc.
Corporate treasurers are responsible for a great variety of activities. In addition to policymaking roles, treasurers may also be responsible for certain day-to-day activities, particularly those related to cash management and investment policy. For example, some treasurers are responsible for the management of customer invoicing, bill payment, cash transfers, and securities purchases and sales. With such a wide breadth of activities, it seems overkill to add information security to the mix. But, unfortunately, such must be the case in today’s information processing environment.
This article describes cybersecurity issues for the financial treasurer. The treasurer faces some unique challenges because of the low-volume, high-value transactions typically handled by the treasury function. Those challenges and some important information technology (IT) security and compliance considerations are presented in this article.
Because smaller organizations may lack the resources for full and complete cybersecurity, the article is written primarily for the treasurers of small or midsized organizations. But any financial manager involved in treasury-related functions should have a working knowledge of data security basics.
ARE YOU PREPARED?
Many types of data routinely handled by treasury departments are vulnerable to data loss or compromise. Cash transfers are routinely made in order to manage cash balances and ensure the availability of funds across the organization’s functions. These transfers involve important and sensitive data, including account numbers, passwords, transaction identifiers, and routing numbers.
Many treasurers oversee investments and manage debt. To do so requires the execution of securities transactions that involve accounts, fund identifiers, and serial numbers. Payment systems, another treasury function in many organizations, can contain credit card numbers, security codes, and customer and vendor data. All of this information is subject to threats, such as malware and data loss, and is affected by compliance issues, such as privacy and security laws.
Malware established in treasury systems can quickly compromise significant amounts of high-value information. To protect in-house systems and networks, a firewall is typically deployed around the company’s information assets. However, breaches can occur when unauthorized software (which can contain malware) is introduced behind the firewall. Thus, when employees download and install personal software, open personal e-mail, click on e-mail attachments, surf personal sites at work, or leave applications open, malware can be introduced and gain a footing in the system.
Many companies are leveraging advanced technologies, such as cloud computing, to cut costs and gain competitive advantage. Considerable strides have been made in the security aspects of cloud-based systems. For example, an industry consortium called the Cloud Security Alliance (www.cloudsecurityalliance.org) has organized and published information about the advancements made in cloud-based data security. Challenges continue to exist, particularly with respect to sporadic episodes of data loss and the possibility of denial-of-service attacks. However, with a reputable cloud-based provider (and good firm-based enterprise security), cloud computing can be an effective and secure method of processing financial data.
Treasurers must also be aware of a wide variety of cybersecurity laws and regulations that cover the data being processed. Laws such as the Health Insurance Portability and Accountability Act (HIPAA; health information privacy), Dodd-Frank (financial system regulation), Sarbanes-Oxley (financial reporting and internal controls), and industry security standards such as the Payment Card Industry Data Security Standard (PCI-DSS) may apply to data generated or processed by treasury. Privacy laws and cybersecurity regulations cover all sensitive data, but most affect financial systems that use the Internet heavily or are implemented in virtual environments (i.e., in the cloud). Compliance issues are complex and should be considered carefully based on the industry and function of the organization and the breadth of the treasurer’s duties.
It must be mentioned that most treasurers do not handle these issues alone. If a company has a dedicated IT security staff, a good system of IT governance, and an effective IT audit function, the company likely possesses the expertise to protect financial information assets and comply with applicable regulations. But many treasurers do not enjoy the day-to-day support of significant information security expertise. In particular, many small and medium-sized businesses, governmental units, and nongovernmental organizations (NGOs) cannot afford in-house cybersecurity specialists.
Even in larger companies that employ security specialists, their time may be devoted to other areas such as overall enterprise security, software change control, network administration, or control of the web environment. These situations mean that the security of treasury information may be neglected.
When technical expertise is lacking, as it is in many small organizations, the treasurer can take some basic steps to create a more secure environment. Exhibit 1 contains some fundamental best practices for data security.
TOOLS AND SERVICES
Often, more comprehensive solutions are needed. The department may engage in complex transactions that are executed across multiple IT environments, or cloud-based systems may be employed. In these situations, a third-party consultant or software services company should be employed.
The list in Exhibit 2 is given as a starting point. These companies were vetted for the list as follows:
1. The company is a major sponsor of the information security conference Black Hat USA 2014. Black Hat (www.blackhat.com) has organized information security conferences in the United States and internationally for 16 years. It is well known in the cybersecurity industry for meetings and information sharing.
2. Products for SMEs are described on the company’s website. This means that the company markets products and services specifically for smaller organizations. The company will likely have comprehensive security products created for and priced for that market.
Exhibit 1
Fundamental Best Practices for Information Security
For in-house systems:
• Install security software that creates a firewall and provides malware protection. Keep the profiles up to date.
• Create a standard security configuration for browsers and e-mail software. Establish a policy to prevent alterations to the standard configuration.
• Establish policies concerning using and configuring other software and installing new programs.
• For centralized accounting software, create authorization layers and associated passwords and assign a responsible employee to review security reports.
• Back up files frequently. Consider automating the process. If the organization does not have a business continuity plan, consider starting one.
For web-based financial systems and cloud-based environments:
• Analyze the data communicated over proprietary systems or stored in cloud-based environments. Consider laws and regulations that apply to the information and ensure that you are in compliance with all privacy and security provisions for the data being transmitted or stored.
• In a cloud-based environment, make sure that sensitive data are encrypted using an established and secure algorithm and that proper controls are maintained over the encryption keys.
For any environment:
• If you (or your firm) lack the in-house technological expertise, contact an outside expert to conduct a security review (see Exhibit 2 for some suggestions).
• Learn more. The Department of Homeland Security, for example, maintains web resources that are a good starting point for learning about cybersecurity. See www.dhs.gov.
Exhibit 2
Companies That Can Provide Conventional and Cloud-Based Data Security Solutions
Company | Products and Services | Site
KPMG LLP | Risk management consulting services | www.kpmg.com
Mandiant | Security consulting and incident response | www.mandiant.com
SecureWorks | A Dell subsidiary that provides a variety of information security services | www.secureworks.com
Trustwave | Comprehensive security, data protection, and risk management services | www.trustwave.com
Verdasys | Cloud-based security products | www.verdasys.com
Watchguard | Integrated information security and threat management solutions for small and medium-sized enterprises (and larger organizations) | www.watchguard.com
CONCLUSION
Because of the nature of treasury operations, most organizations have a strong set of traditional financial controls over treasury department transactions. Physical security of assets, segregation of duties, and cash controls are common and well understood. What is described in this article is adding a set of IT and cybersecurity controls to the mix. These controls should cover three areas:
• Prevent data breaches,
• Eliminate data loss, and
• Comply with cybersecurity and privacy laws and regulations.
John A. Pendley is Associate Professor of Accounting at the Sigmund Weis School of Business at Susquehanna University, in Selinsgrove, Pennsylvania. He can be reached at [email protected].
Copyright of Journal of Corporate Accounting & Finance (Wiley) is the property of John Wiley & Sons, Inc. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.