DMS Security Flaw - Can I get some help?

Thanks for the suggestions taxguy21.

We do force logouts overnight which does prevent the cleaning crew issue. Part of my objective in the post was highlighting the security issues to people who had not yet considered them and to also solicit ideas regarding possible methods for minimizing the risks. So again thanks for your suggestions.
Monitoring the system event log on the server is a good idea. I am not sure how much of the transfer out of the DMS and onto a USB drive or Dropbox account activity would be logged but I will check into this.

Setting the rights on individual pdf files seems too cumbersome and unworkable.

Although there is an activity log feature that appears to allow tracking of “Saving out of DMS” activity, as of version 8.0.5 it doesn’t appear to track dragging and dropping items to your desktop or elsewhere. If I drag and drop a client folder, file, etc. out of DMS and then go to the activity report and check to look for “Saving out of DMS” activity, nothing shows up. Please give it a try and let me know if any “Saving out of DMS” activity shows up under your activity log.

In any event, all of the solutions I have found so far provide for the possible tracking of the activity but don't allow for the prevention of the activity. This is analogous to a solution that says to just leave the door open and set up a camera to see who is walking out the door with your valuables.

It appears to me that DMS should allow for security rights that prohibit moving items out of the DMS system while still allowing the ability to move files and folders within the DMS system. In other words, once data is in the DMS system a user should be able to do anything they want to the data including deleting the data (since a recovery of deleted data option is available) with the exception of moving data out of the DMS system. If data is moved out of the system then at a minimum the activity should be recorded.

Although this post shows as “answered” I do not consider this security hole to be fixed.

By the way taxguy21, yes Go Broncos, but let's keep it on the low for our Idaho Vandal friends who are having a hard time this year.
 

A somewhat simple solution is to any client in DMS, right-click on the client & it gives you the option to select all clients which you can do.  Then, to the right comes up some choices with one of the choices being password protect.  We can then assign an overall password to all of the clients.  For those clients who you want to have a different password, we simply put them in a separate database with their own specific password.  Hope this helps alleviate some of your security concern. 

Last night I thought of one other possible solution for your USB issue. In Windows, there are security policies that can be be created to prevent the use of local USB drives.  I am a self taught Windows guy, so I can't really be more specific on this, but the idea is to restrict the use of resources available. In a windows domain, you should be able to create the security policy and push it out to all users logged into the network resources.  If you restrict all usb activity and then use an exception based office policy with only certain users able to create files on a USB drive, again, some compensating controls are possible.  A headache maybe, but if the need is sufficient to justify the security restriction, do it.

In any data system limiting physical access to the devices or storage location is a key component of security procedures.

Even with full disk encryption, once a device is removed from the premises risks rise dramatically.

But within the walls of the castle, smooth functioning often requires that restrictions to access be as unobtrusive as possible.

You have looked at restricting the things you mention I imagine, disabling external storage devices on workstations - USB ports and CD writers? Software firewalls can block access to DropBox or similar sites. Email controls can prevent sending of attachments except for those who are authorized.

Scott

http://www.bankinfosecurity.eu/articles.php?art_id=556

This isn't necessarily a response to the issues you raise, but I want to throw this in the mix to add an additional resource for anyone that sees this:

http://www.techrepublic.com/blog/10things/10-security-problems-you-might-not-realize-you-have/2768?tag=nl.e042

Scott

I will provide an update with an answer to the original question - Can I get some help? And the answer is still NO.  Not at least at this time from Lacerte in their most recent version 9.0.

I never dreamed that fixing the lack of an audit trail (activity log) for client documents leaving the document management system would take so long and that this would not be addressed in a new version release.

Came across an article this morning that reminds me of your question -

http://www.healthleadersmedia.com/content/MAG-275301/Dealing-with-Data-Breaches

The print edition of the article mentions a proposed HIPAA rule that would require that if a patient asked for a report disclosing who had looked at their PHI the provider will be required to provide it.

http://www.hhs.gov/ocr/privacy/hipaa/news/hitechnewsonaccountingdisclosure.html

Considering that many tax firms also sell investments and insurance, and therefore fall under HIPAA and HITECH, I wonder how strong the linkage to the tax practice is or will be?

In any case, if a tax firm has celebrity clients or other high visibility clients then what the clients want is probably more than any government agency would require.

Scott

(PS - looked at www.waytogoidaho.com and have a question - which is better Vodka from potatos or Vodka from grain?)