Data Protection: Guidance on PTP Accounts Production Enhanced Security

On installation of PTP Accounts Production 18.1.2 the Enhanced Security options will be activated by default.

This can be altered within Setup | Practice Options | Password Policy | Enhanced Security

What is enhanced security in IRIS?

The activation of this option enables the following features:

Set password policies for staff login and confidential client passwords

This is only accessible by MASTER and has the following options:

Any new policy options set in Setup | Practice Options | Password Policy | Enhanced Security applies to:

new staff members and
password changes to existing staff members

To guarantee full enforcement of a password policy change to all staff members, system administrators could set a temporary password for all staff members within Setup | Change User's Password. Each user can then change their own password using the reset password feature to create a password that will be personal to them. Keeping passwords safe and secure will prevent other users logging in as you and making changes.

Reset option of staff passwords

Changing a staff password is still possible via Setup | Change Own Password however in the case of forgotten passwords within the Staff Login screen users are now able to Reset Password for their own passwords to be in line with the Practice's password policies.

For the reset process to work the staff member will need:

a valid email address associated with their username within Setup | Staff maintenance | View | Main tab | E mail
the Can reset own password privilege within Setup | Staff maintenance | View | Privileges tab set to be able to reset their own password
enhanced security within Setup | Practice Options | Password Policy must also be enabled

Where a request is made by the staff member to reset their password (via the Staff Login screen), the staff user will be sent an email which contains a temporary passcode to the email address registered against them in Staff Maintenance. This passcode must be entered into the Password Reset screen within the expiry time frame, thereby allowing the staff member to continue to setup their new password. The Password Reset may need to be requested again if the passcode has expired.

Reset option of client confidential passwords

Previously if the password was forgotten for a confidential client the only way it could be retrieved was by contacting PTP Support.

Now when selecting a confidential client if the password has been forgotten a user can select Reset password where the staff member can enter a new password for that client adhering to the Practice password policy.

Only staff with the privilege for "Can reset confidential client password" are able to reset confidential client passwords however they can reset for ALL confidential clients without knowledge of the existing password.

If the email subsystem has been configured and an email address is also present for the staff member, the partner responsible assigned to the client will be notified to advise that the confidential client password has been reset.

The staff privilege is turned on by default for MASTER ONLY, therefore currently this is off for all staff members meaning the password can only be reset by MASTER.

The feature has been enhanced so that if a partner responsible is assigned to the client ONLY that partner responsible will be able to reset the confidential client. If no partner responsible is set then all staff with the privilege to reset will be able to reset the password without the need for the existing password.

Deactivating the enhanced security option:

Disables the ability to set the password policy strength within Setup | Practice Options | Password Policy meaning that a password will be able to be set to any value.
prevents the ability to reset staff member passwords and confidential client passwords

The reset passwords option will remain on the staff login screen however if selected the following message displays:

Also the 2 privileges for Can reset own password and Can reset confidential client password will be completely ignored.

Considerations for accessibility review in IRIS

Implementing security around personal data is essential, and with the implementation of the new data protection regulations it is a perfect opportunity to review your current security for the PTP Accountancy Suite:

Set a password policy for accessing PTP Accounts Production within Setup | Practice Options | Password Policy
Review the MASTER user.

The MASTER user gives maximum access control over the software, therefore consider:

Who logs in as MASTER?
Is access to this account controlled?
Is there a password set for this account? If not consider setting a password
If there is a password set for this account, who knows the password? Consider changing the password to limit access only to those that need full access to all product features

Review passwords for being in alignment with the password policy

Best practice guidance suggests an account password should only ever be known to the user whose account it belongs to. Having the ability for a Practice to set their own password policy means users can take control of their own passwords but the Practice can ensure it is aligned with the security policies they would like to adopt.

Consider:

Is there a password set for all staff members?
Have any staff shared their passwords with others? If so, consider changing their password so it is not known by others
Passwords should be unique and therefore the same password should not be used on multiple clients

To guarantee full enforcement of a password policy change to all staff members, system administrators could set a temporary password for all staff members within Setup | Change User's Password. Each user can then change their own password using the reset password feature to create a password that will be personal to them. Keeping passwords safe and secure will prevent other users logging in as you and making changes.

Review permissions against all staff members

Are each staff members privileges appropriate for what access they need? See Setup | Staff Maintenance | View | Privileges tab.

Consider the 2 new privileges for:

Can reset own password which on installation of 18.1.2 defaults to ticked for MASTER and all staff members and
Can reset confidential client password which on installation of 18.1.2 defaults to ticked for MASTER only and unticked for all other staff members

Disable access or remove old staff members on the system.

Within Setup | Staff Maintenance review each staff member for:

Is allowed to sign on to the system which is on the Main tab. If the staff member no longer works for the practice deselect this option.
No longer employed which is on the Rates tab. If the staff member no longer works for the practice deselect this option.

Alternatively, consider if you want to delete the staff member. This is only possible if Time and Fees information is not entered for the staff member. If the staff member cannot be deleted, remove or anonymise any personal details and review the two options above.

Review all confidential clients.

Confidential clients are managed by specific staff members. Therefore, appeal to all staff to change the passwords on any confidential clients. The new password will need to conform to any new password policy specified.

Also review if the partner responsible is specified for the confidential clients within Client Maintenance | Categories tab. Setting this will ensure a notification email is sent to the partner responsible advising the confidential client password has been reset.