top of page

Check out our latest blog post!

Security Policy

HK Advisory Group PLLC and HK Accounting and Bookkeeping Services  LLC Security Policy

1. Purpose

This Security Policy outlines the procedures and controls implemented by HK Accounting & Bookkeeping LLC to protect sensitive client data, financial information, and proprietary firm data from unauthorized access, use, disclosure, disruption, modification, or destruction. This policy is designed to ensure compliance with relevant privacy regulations (e.g., GDPR, CCPA, HIPAA where applicable), maintain client trust, and safeguard the firm's reputation.

2. Scope

This policy applies to all employees, contractors, temporary staff, and any third parties who have access to HK Accounting & Bookkeeping LLC’s information systems, physical premises, or client data. It covers all data, whether stored digitally (on Google Workspace, QuickBooks Online, or local devices) or physically.

3. General Security Principles

We use your information solely for the purpose of providing professional accounting, tax, and advisory services to you, including:

  • Confidentiality: All client and firm data must be kept confidential and accessed only by authorized personnel for legitimate business purposes.

  • Integrity: Data must be accurate, complete, and protected from unauthorized modification.

  • Availability: Authorized users must have reliable and timely access to data and systems.

  • Least Privilege: Users will be granted only the minimum level of access necessary to perform their job functions.

  • Accountability: All actions related to data access and modification will be auditable.

4. Google Workspace Security (Digital Document Storage)

Google Workspace (Google Drive, Gmail, Docs, Sheets, etc.) is the primary platform for digital document storage and collaboration.

4.1. Data Classification

  • Confidential/Sensitive: Client financial records, tax documents, personal identifiable information (PII), payroll data, firm financial statements. This data must be stored in designated, restricted folders.

  • Internal Only: Firm operational documents, internal policies, non-client-specific templates.

  • Public: Marketing materials, publicly available firm information 

4.2. Access Control & Authentication

  • Strong Passwords: All Google Workspace accounts must use strong, unique passwords (minimum 12 characters, mix of upper/lower case, numbers, and symbols). Passwords must be changed every 90 days.

  • Multi-Factor Authentication (MFA): MFA is mandatory for all Google Workspace accounts. Employees must use a secure MFA method (e.g., Google Authenticator, security key).

User Provisioning/Deprovisioning:

  • New users will be granted access only after proper onboarding and security training.

  • Access will be immediately revoked upon an employee's termination or departure.

hared Drives:

  • Client-specific documents will be stored in dedicated Shared Drives with restricted access based on client assignments.

  •  Access to Shared Drives will be managed by IT/Administration and reviewed monthly.

  • Individual user "My Drive" should not be used for client data.

4.3. Sharing Policies

  • Internal Sharing: Sharing within the firm should adhere to the principle of least privilege.

External Sharing:

  • Client documents will only be shared externally via secure Google Workspace sharing features (e.g., password-protected links, restricted to specific email addresses).

  • Sharing links should always have an expiration date where possible.

  • Sensitive data should never be shared via public links.

  • All external sharing must be approved by a management.

4.4. Device Security

  • Managed Devices: Employees are encouraged to use firm-issued devices. Personal devices accessing Google Workspace must adhere to firm security standards (e.g., up-to-date OS, antivirus, screen lock, remote wipe capability).

  • Google Drive Sync: Syncing Google Drive to local devices is discouraged for sensitive client data. If necessary, only specific, approved folders may be synced, and the device must be encrypted.

  • Remote Wipe: The firm reserves the right to remotely wipe firm data from any device (firm-owned or personal) that has been used to access firm data, in cases of loss, theft, or employee departure.

4.5. Google's Underlying Security Infrastructure

HK Accounting & Bookkeeping LLC leverages Google Workspace, a platform built on Google's robust and globally distributed infrastructure. Google employs a multi-layered security approach designed to protect data at every stage. Key aspects of Google's security include:

  • Physical Security: Google data centers are protected by multiple layers of security, including biometric access controls, 24/7 surveillance, and strict access policies.

  • Data Encryption: Data is encrypted both in transit (using HTTPS/TLS) and at rest (using AES256). This means your data is protected whether it's moving between your device and Google's servers or stored on their disks.

  • Network Security: Google's network architecture is designed for security, with multiple layers of firewalls, intrusion detection systems, and denial-of-service (DoS) attack prevention.

  • Operational Security: Google employs a dedicated team of security experts who continuously monitor for threats, conduct penetration testing, and implement security updates. Their security operations are ISO 27001 certified.

  • Compliance and Certifications: Google Workspace adheres to numerous global security and privacy standards and certifications, including:

  1. ISO 27001, ISO 27017, ISO 27018: International standards for information security management systems, cloud security, and protection of personally identifiable information in public clouds.

  2. SOC 1, SOC 2, SOC 3: Reports on controls relevant to security, availability, processing integrity, confidentiality, and privacy.

  3. GDPR Compliance: Google is committed to GDPR compliance across Google Workspace services.

  4. HIPAA Compliance: Google Workspace can be configured to support HIPAA compliance for covered entities.

  • Privacy by Design: Google's services are designed with privacy in mind, giving administrators granular controls over data access and retention. Google does not use your data in Google Workspace for advertising purposes.

4.6. Data Retention and Deletion

  • Client data will be retained according to legal and regulatory requirements (e.g., IRS guidelines).

  • Data no longer required will be securely deleted from Google Workspace in accordance with the firm's data retention policy.

4.7. Regular Audits

  • Access permissions to Google Workspace files and folders will be audited quarterly.

  • Google Workspace activity logs will be reviewed regularly for suspicious activity.

5. Accounting Software Security

5.1. QuickBooks Online Security (Accounting/Bookkeeping Transactions)

  • QuickBooks Online (QBO) is a primary platform for managing accounting and bookkeeping transactions.

  • Access Control & Authentication:

  • Strong Passwords: All QBO accounts must use strong, unique passwords.

  1. Multi-Factor Authentication (MFA): MFA is mandatory for all QBO accounts.

  2. User Roles and Permissions:

    1. Each employee will be assigned the lowest possible user role in QBO that allows them to perform their job functions (e.g., "Accountant," "Standard User - Limited," "Reports Only").

    2. Administrator access will be restricted to a minimum number of senior personnel.

  3. User Provisioning/Deprovisioning: Access will be immediately revoked upon an employee's termination or departure.

  • Data Backup:

  1. While QuickBooks Online manages its own backups, employees should be aware of QBO's data recovery features and limitations.

  2. The firm will periodically export client data from QBO as an additional backup measure, storing it securely within Google Workspace.

  • Regular Review of Access:

  1. QBO user access and permissions will be reviewed quarterly to ensure they align with current job responsibilities.

  2. Any inactive user accounts will be promptly removed.

5.2. Keeper.app Security (Accounting Portal)

Keeper.app, as an accounting portal, is utilized for specific accounting and bookkeeping functions.

  • Access Control & Authentication:

  1. Strong Passwords: All Keeper.app accounts must use strong, unique passwords.

  2. Multi-Factor Authentication (MFA): MFA is mandatory for all Keeper.app accounts.

  3. User Roles and Permissions:

Access to Keeper.app will be granted based on the principle of least privilege, ensuring employees only have access to the data and functionalities necessary for their roles.

Specific roles and permissions within Keeper.app will be configured and managed by IT/Administration.

  • User Provisioning/Deprovisioning: Access will be immediately revoked upon an employee's termination or departure from the firm or a change in their role that no longer requires Keeper.app access.

  • Data Handling and Confidentiality:

    • All client data accessed or processed through Keeper.app must be handled with the utmost confidentiality.

    • Employees are prohibited from downloading or exporting data from Keeper.app unless explicitly authorized and for legitimate business purposes, with proper secure storage protocols followed.

  • Regular Review of Access:

    • Keeper.app user access and permissions will be reviewed quarterly to ensure they align with current job responsibilities.

    • Any inactive user accounts will be promptly removed.

6. Physical Document Storage Security

Despite digital solutions, some physical documents may be retained.

6.1. Secure Location

  • All physical client documents and sensitive firm records must be stored in a designated, secure area within the office.

  • This area must be accessible only to authorized personnel.

6.2. Access Control

  • Locked Cabinets/Rooms: All physical documents containing sensitive information must be stored in locked filing cabinets or in a secured room with restricted access.

  • Key Management: Keys to secured storage areas will be strictly controlled and logged.

  • Visitor Policy: Visitors must be escorted at all times and not left unattended in areas where sensitive documents are stored.

6.3. Document Disposal

  • All physical documents containing sensitive or confidential information must be shredded using a cross-cut shredder when no longer required, in accordance with the firm's data retention policy.

  • Documents should never be disposed of in regular trash bins.

6.4. Inventory and Logging

  • A log should be maintained for highly sensitive physical documents, detailing their location, access, and disposal.

7. Employee Access & Responsibilities

Employees are the first line of defense in maintaining security.

7.1. Background Checks

  • All new employees will undergo thorough background checks, including criminal history and reference checks, prior to employment.

7.2. Onboarding and Offboarding Procedures

  • Onboarding: New employees will receive comprehensive security awareness training, including this policy, before gaining access to systems or data.

  • Offboarding: Upon an employee's departure, all system access (Google Workspace, QBO, physical keys) will be immediately revoked, and firm-owned devices will be returned and wiped.

7.3. Training and Awareness

  • All employees will undergo mandatory annual security awareness training covering topics such as phishing, social engineering, password hygiene, and data handling best practices.

  • Regular reminders and updates on security threats will be disseminated.

7.4. Acceptable Use Policy

  • Employees must use firm resources (computers, networks, software) only for legitimate business purposes.

  • Prohibited activities include downloading unauthorized software, visiting malicious websites, or attempting to bypass security controls.

7.5. Reporting Incidents

  • Any suspected security incident, data breach, or policy violation must be immediately reported to [Designated Security Contact/Management].

  • Employees should not attempt to investigate or resolve security incidents on their own.

7.6. Remote Work Security

  • Employees working remotely must ensure their home networks are secure (e.g., strong Wi-Fi passwords, up-to-date router firmware).

  • Sensitive data should not be stored on personal devices.

  • Public Wi-Fi networks should be avoided for accessing firm data. If necessary, a Virtual Private Network (VPN) must be used.

8. Incident Response Plan (Overview)

In the event of a security incident (e.g., data breach, unauthorized access, ransomware attack), the firm will follow a predefined incident response plan, which includes:

  • Identification: Detecting and confirming the incident.

  • Containment: Limiting the scope and impact of the incident.

  • Eradication: Removing the cause of the incident.

  • Recovery: Restoring affected systems and data.

  • Post-Incident Analysis: Reviewing the incident to prevent recurrence.

  • Notification: Notifying affected parties and regulatory bodies as required by law.

9. Policy Review and Updates

This Security Policy will be reviewed and updated annually, or more frequently if there are significant changes in technology, regulations, or the firm's operations.

10. Enforcement

Violation of this Security Policy may result in disciplinary action, up to and including termination of employment, and may also lead to legal action.

bottom of page