On installation of IRIS Accountancy Suite 18.1.2, the Enhanced Security options will be activated by default.
This can be altered within System Maintenance | Practice | Practice Options | Password Policy | Enhanced Security.
What is enhanced security in IRIS?
The activation of this option enables the following features:
This is only accessible by MASTER and has the following options:
Any new policy options set in System Maintenance | Practice | Practice Options | Password Policy | Enhanced Security apply to:
new staff members, and
password changes made by or for existing staff members.
To guarantee full enforcement of a password policy change to all staff members, system administrators could set a temporary password for all staff members within System Maintenance | Staff | Change User's Password. Each user can then change their own password using the reset password feature to create a password that will be personal to them. Keeping passwords safe and secure will prevent other users logging in as you and making changes.
Changing a staff password is still possible via System Maintenance | Staff | Staff Maintenance | View. However, where a password has been forgotten, users can now select Reset Password on the Staff Login screen to reset their own password in line with the Practice's password policy.
For the reset process to work, the staff member will need:
a valid email address associated with their username within System Maintenance | Staff | Staff Maintenance | View | Main tab | E mail
the "Can reset own password" privilege within System Maintenance | Staff | Staff Maintenance | View | Privileges tab
Enhanced Security within System Maintenance | Practice | Practice Options | Password Policy must also be enabled
Where a request is made by the staff member to reset their password (via the Staff Login screen), the staff user will be sent an IRIS email containing a temporary passcode, addressed to the email address registered against them in System Maintenance. This passcode must be entered into the Password Reset screen within the expiry time frame, after which the staff member can continue to set up their new password. If the passcode has expired, the Password Reset will need to be requested again.
Previously, if the password for a confidential client was forgotten, the only way it could be retrieved was by contacting IRIS Support.
Now, when selecting a confidential client whose password has been forgotten, a user can select Reset password and enter a new password for that client that adheres to the Practice password policy.
Only staff with the "Can reset confidential client password" privilege are able to reset confidential client passwords; however, they can reset the password for ALL confidential clients without knowledge of the existing password.
If the email subsystem has been configured and an email address is also present for the staff member, the partner responsible assigned to the client will be notified that the confidential client password has been reset.
The staff privilege is turned on by default for MASTER ONLY; therefore it is currently off for all other staff members, meaning the password can only be reset by MASTER.
For the summer release we are enhancing this feature so that, if a partner responsible is assigned to the client, ONLY that partner responsible will be able to reset the confidential client password. If no partner responsible is set, then all staff with the privilege to reset will be able to reset the password without the need for the existing password.
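The reset rules described above (the staff self-reset preconditions, the passcode expiry window, and the confidential client rule both as it stands in 18.1.2 and as announced for the summer release), as an added illustrative model; this is not IRIS code and not part of the original article. The Staff and ConfidentialClient records, the partner_scoped switch and the expiry length are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Staff:
    username: str
    email: Optional[str] = None          # address held in Staff Maintenance | Main tab
    can_reset_own_password: bool = False
    can_reset_confidential_client_password: bool = False


@dataclass
class ConfidentialClient:
    client_id: str
    partner_responsible: Optional[str] = None  # staff username from Categories tab, or None


def can_request_own_reset(staff: Staff, enhanced_security: bool) -> bool:
    """All three preconditions from the article must hold: Enhanced Security on,
    a registered email address, and the 'Can reset own password' privilege."""
    return bool(enhanced_security and staff.email and staff.can_reset_own_password)


def passcode_is_valid(issued_at: float, entered_at: float, expiry_seconds: float) -> bool:
    """The emailed passcode only works inside its expiry window; afterwards a new
    reset must be requested. Times are epoch seconds; the window is an assumption."""
    return issued_at <= entered_at <= issued_at + expiry_seconds


def can_reset_confidential_client(staff: Staff, client: ConfidentialClient,
                                  enhanced_security: bool, partner_scoped: bool) -> bool:
    """partner_scoped=False: 18.1.2 rule, any staff with the privilege can reset ANY client.
    partner_scoped=True: announced summer-release rule, the partner responsible (if set)
    is the only one who can reset; otherwise every privileged staff member can."""
    if not enhanced_security or not staff.can_reset_confidential_client_password:
        return False  # with Enhanced Security off the privilege is ignored entirely
    if partner_scoped and client.partner_responsible is not None:
        return staff.username == client.partner_responsible
    return True


def who_can_reset(staff_list: List[Staff], client: ConfidentialClient,
                  enhanced_security: bool, partner_scoped: bool) -> List[str]:
    """Usernames able to reset this client's password under the chosen rule."""
    return sorted(s.username for s in staff_list
                  if can_reset_confidential_client(s, client, enhanced_security, partner_scoped))
```

Comparing who_can_reset with partner_scoped False and True for the same client shows how much the summer-release change narrows the reach of the "Can reset confidential client password" privilege.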
Deactivating the enhanced security option:
Disables the ability to set the password policy strength within System Maintenance | Practice | Practice Options | Password Policy, meaning that a password can be set to any value.
Prevents the ability to reset staff member passwords and confidential client passwords.
The Reset Password option will remain on the Staff Login screen; however, if selected, the following message will display:
Also, the two privileges "Can reset own password" and "Can reset confidential client password" will be completely ignored.
Implementing security around personal data is essential, and with the implementation of the new data protection regulations it is a perfect opportunity to review your current security for the IRIS Accountancy Suite:
Set a password policy for accessing IRIS Accountancy Suite within System Maintenance | Practice | Practice Options | Password Policy
Review the MASTER user.
The MASTER user gives maximum access control over the software, therefore consider:
Who logs in as MASTER?
Is access to this account controlled?
Is there a password set for this account? If not, consider setting a password.
If there is a password set for this account, who knows the password? Consider changing the password to limit access only to those who need full access to all product features.
Review passwords for being in alignment with the password policy
Best practice guidance suggests an account password should only ever be known to the user whose account it belongs to. Having the ability for a Practice to set their own password policy means users can take control of their own passwords but the Practice can ensure it is aligned with the security policies they would like to adopt.
Consider:
Is there a password set for all staff members?
Have any staff shared their passwords with others? If so, consider changing their password so it is not known by others.
Passwords should be unique; therefore the same password should not be used on multiple clients.
Review permissions against all staff members
Are the System Maintenance | Staff | Group Permissions adequately set for all staff groups?
Are all staff linked to the correct group permission only giving them access to what they need? See System Maintenance | Staff | Staff Maintenance | View | Main tab | Staff Group
Are each staff member's privileges appropriate for the access they need? See System Maintenance | Staff | Staff Maintenance | View | Privileges tab.
Consider the two new privileges:
Can reset own password, which on installation of 18.1.2 defaults to ticked for MASTER and all staff members, and
Can reset confidential client password, which on installation of 18.1.2 defaults to ticked for MASTER only and unticked for all other staff members.
Disable access or remove old staff members on the system
Within System Maintenance | Staff | Staff Maintenance review each staff member for:
Is allowed to sign on to the system, which is on the Main tab. If the staff member no longer works for the practice, untick this option.
No longer employed, which is on the Rates tab. If the staff member no longer works for the practice, untick this option.
Alternatively, consider whether you want to delete the staff member. This is only possible if no Time and Fees information has been entered for the staff member. If the staff member cannot be deleted, remove or anonymise any personal details and review the two options above.
Review all confidential clients
Confidential clients are managed by specific staff members. Therefore, ask all staff to change the passwords on any confidential clients they manage. The new password will need to conform to any new password policy specified.
Also review whether the partner responsible is specified for each confidential client within Client Maintenance | Categories tab. Setting this will ensure a notification email is sent to the partner responsible advising that the confidential client password has been reset.