Data Protection: Guidance on PTP Enhanced Security

Introduction

Tax Platform, CT Platform and Tax Expense incorporates an enhanced security facility to restrict certain users from accessing parts of the system whereby each user requiring access must enter their username and password.

This feature is initially disabled by default but can be activated from the Security screen via the Configuration icon.

For Tax Platform and CT Platform the default username 'PTP' and the Password 'MASTER' must be entered to access the Security screen.

In Tax Expense the default username is 'PTP' and the Password is 'master'.

Within the Security section select the option Enable enhanced security system to activate this feature.

• We strongly recommend that you immediately change the Master Username and Password.

Do this by overwriting the entries in the username and password fields and click Update. Please ensure that you commit the new Username and Password to memory. Once you have closed this screen you will not be able to re-enter it without them.

What is enhanced security in PTP?

The activation of this option enables the User access rights feature in PTP Tax Platform:

This feature allows restrictions to be placed on the areas of the system each user has access to.

To view or change these restrictions:

1. Access the Security screen via the Configuration icon.

2. Click Enable enhanced security system and click on the User Tax Platform access rights [tab].

3. Select an item and right-click and select from the options Allow, Disallow or Cancel, to change the access status.

Considerations for accessibility review in PTP

Implementing security around personal data is essential, and with the implementation of the new data protection regulations it is a perfect opportunity to review your current security for PTP:

1. Enable the Enhanced Security feature.

2. Review the MASTER user.

The MASTER user gives maximum access control over the software, therefore consider:

• Who logs in as MASTER?

• Is access to this account controlled?

• Is there a password set for this account? If not consider setting a password

• If there is a password set for this account, who knows the password?  Consider changing the password to limit access only to those that need full access to all product features.

3. Review passwords for being in alignment with the password policy

Best practice guidance suggests an account password should only ever be known to the user whose account it belongs to. Having the ability for a Practice to set their own password policy means users can take control of their own passwords but the Practice can ensure it is aligned with the security policies they would like to adopt.

Consider:

• Is there a password set for all staff members?
• Have any staff shared their passwords with others? If so, consider changing their password so it is not known by others
• Passwords should be unique and therefore the same password should not be used on multiple clients

Note: To guarantee full enforcement of a password policy change to all staff members, system administrators could set a temporary password for all staff members. Each user can then change their own password using the reset password feature to create a password that will be personal to them. Keeping passwords safe and secure will prevent other users logging in as you and making changes.

4. Review permissions against all staff members.
   
• Are each staff members privileges appropriate for what access they need?
  
5. Disable access or remove old staff members on the system.

          Within the Security section review each staff member for:

• Can log into Tax Platform / Corp Tax Platform. If the staff member no longer works for the practice deselect these options.

          Alternatively, consider if you want to delete the staff member.

6. Review all confidential clients - access to client records may be protected by any user logging into the system and selecting the Protected button in the Client Main Details [tab].

          Clicking the Protected tick box brings up this screen:

Proceed by checking the Protect Client tick box and checking the various tick boxes as required. If the Hide this Client from all other users tick box is checked that client is rendered invisible to everyone except the user protecting the client. Note that the Prevent Access to Tax Returns tab is permanently checked and may not be unchecked.

Confidential clients are managed by specific staff members. Therefore, appeal to all staff to change the passwords on any confidential clients. The new password will need to conform to any new password policy specified.