•   taxsupport@crescenttaxfiling.com |
  •   916-241-4499

Crescent Tax Filing Data Security & Confidentiality Policy

Most of the tax consulting firms, are not equipped with the client’s data security since it is very expensive setup, they say they have all but in reality they have none. Imagine the data threat you have with those tax companies.Much of our revenues go for data security, our aim is to provide accurate tax estimations with high level of tax knowledge with extremely high level of data security.

We respect to protect our clients data, so that thay can be rest assured with our data security measures. We are reliable and trustworthy in all what we do, we are enthusiastic about learning and sharing insights about new developments in latest technology of data security. We actively monitor our security systems 24/7 so that there should not be any data security breach. We deeply think about various aspects of all data security measures.

We are glad to let you know by the below details, what all we have been implementing and how much we are concerned about our precious clients data security. .


Network Security, Router / Firewall

• We have a minimum, sophisticated firewalls which has been deployed at all external connections (Example: Internet)

• Our firewalls configured with a policy that all services are denied unless expressly permitted

• We have a process / criteria to evaluate the risk of protocols / ports before implementing them on the firewalls

• Our outgoing traffic directed to external proxy servers.

• All logging’s enabled on all firewalls, routers, and proxy servers. We have a authenticated process in place to review the logs regularly

• Our firewall(s) and proxy server(s) configured on a hardened platform, with limited functionality (Example: All unnecessary applications removed)

• Access to all firewalls, routers, and proxy servers restricted to only those people who need to manage these the devices

• Our administrators remotely access the routers / firewalls, they are securely authenticated by using one-time passwords or encrypted login sessions

• We have a process in place to ensure that all the routers / firewalls have the latest software and that they are patched regularly with the latest security updates from the respective vendors



VPN – Remote User Connectivity

• Our computers used with VPN remote access, and been implemented with a Personal Firewall

• When we allow VPN access to our computers by Antivirus Software and Personal Firewall

• We do have a process in place, in order to cancel anyone’s VPN access rights as soon as their project is completed, or their reason for having the VPN is invalidated



Application Security – Security in Application Development

• Our system development methodology addresses the information security during discovery and development phase

• We do perform a security code review during each phase of development

• We have separate environments for each customer for development and testing of systems



Data Security

• We keep backups of business critical data done regularly (every day)

• We do have an on-line mechanism to verify that all backups complete successfully

• We periodically restore information from backup tapes to ensure data integrity

• Our backup tapes kept in an environmentally controlled and secured area

• We do not store tapes off-site

• We regularly conduct audit to account for all the backup tapes



System Security – Server Vulnerability & Hardening

• We do follow the process proactively to obtain the latest security patches and updates

• We follow a process to identify network, application and OS based systems vulnerabilities

• We use automated tools to assess system vulnerabilities

• Our internal audit simulate outside attacks

• We do have a security checklist for each OS deployed at our company

• We do regularly perform audits (Internal and External) against our security checklists

• Our system security checklists updated on a regular basis

• We have regulated all applications for running as a super user privilege

• We use logon banners on all systems

• All our users with super user privileges reviewed and revised on a regular basis

• We have Anti-Virus software running on all of our Microsoft Platforms (Servers, Workstations. PC’s and Laptops)

• We have rolled out Anti-Virus Software on all of our email servers

• Our al Email servers configured to check all the incoming and outgoing emails for viruses, spasm, Ransonware and other threats

• We opted a procedure to ensure that all the servers, user machines, laptops are configured to automatically install the latest Virus Definition Files

• We have a mechanism in place to check all FTP inbound and outbound file transfers for viruses



Identity Management – Account Management (User & High Privilege Accounts)

• Each user account prohibit concurrent access (Example: User cannot be logged in from two different machines)

• All our user accounts deleted on the user’s departure date

• Our systems disable user accounts after a period of inactivity

• We periodically reconcile system accounts to existing users

• Our systems lock user accounts after a number of failed attempts to login

• We have a consistent user ID’s for a single person in all platforms & instances

• Our privileged accounts set up for emergency problem, fully logged and subjected to regular reviews

• We do have a policy on privileged accounts

• We do have a compiled list of personal with root or admin privileges

• We disable all the default accounts, in all our server applications (Example: Oracle’s default DBA account and Oracle’s default account, Windows default remote assistant accounts etc)



Password Management and Authentication

• Our users forced to change their passwords at first sign-on

• Used Passwords expire periodically

• Our users prohibited from frequently re-using passwords Like: Password cannot be reused within 1months

• We have a process which notifies our employees with weak passwords and forces a change

• We do conduct internal audits to identify weak passwords, by using social engineering Like: Password of a user is based on his son’s name or the first word of the poster on his desk



Event Management – Event Monitoring & Intrusion Detection

• We frequently initiate security auditing on business critical systems Like: All servers configured to log any unsuccessful login attempt etc

• We do have a process to review security audit logs in a timely, consistent manner and act upon any threats identified by these reviews

• We have a automated alerting / notification process that is initiated when defined security thresholds are exceeded

• We are using network based Intrusion Detection (IDS) products on interconnections Like: Internet, web-hosting platforms, 3rd party connections etc

• We Periodically perform network penetration studies either using internal audits or through external consultants

• We configured our business critical networks with Switches, so that sniffer software is ineffective

• Our intrusion detection system’s network placement frequently reviewed to ensure appropriate coverage



Incident Response

• We have a process for users to report to IT, when they have identified a potential virus on their systems

• We do have a documented Security Incident Response procedure

• We have communicated the Security Incident Response procedure to all employees

• We do conduct drills to verify the readiness of the company to any security incident



Disaster Recovery

• We have a business mandated formal written Disaster Recovery Plans (DRPs), covering the partial or full loss of Services, Critical Applications, Physical facilities

• We have a disaster recovery facilities for critical systems located in a geographically independent area

• Our employees have been trained on DRPs, and updated on at least once in 3 months

• We gave designated a team, who are responsible for devising and maintaining the DRPs

• DRPs have been reviewed and approved at the managerial level (Example: CIO)

• We have identified and documented our business critical applications, and applied Business Impact Analysis

• Regular training sessions are conducted for all relevant personnel on backup, recovery, and contingency operating procedures



Asset Security – Laptop Security

• All laptops of our business is physically secured, at all times

• Our users instructed to perform backups on a regular basis, on all laptops containing business and customer critical data

• We have a process to ensure that business and customer critical data is encrypted



Physical Security (Building & Client Machines)

• ID badges are issued to all working personnel (Permanent, Contractor, Agency temps

• All our personnel required to display their ID badges

• We review all ID badges periodically (once in two months)

• We do have a visitor control procedures

• Our buildings are protected by fire detection / suppression systems

• Our premises are protected by intrusion detection systems with CCTVs etc

• We do have A class security guards on all of our sites, keeping business and customer critical data

• We do have a guards at entrances and exits, randomly conduct spot checks to prevent unauthorized items from entering or leaving the buildings

• All physical security breaches are and logged and investigated

• We do conduct random out of hours security inspections of the work place

• All results of security inspections of the work place is reported to senior management

• We do have a preventive maintenance program in effect for all environmental and protection of systems



Physical Security (Server Rooms)

• Firewalls are kept in physically secure areas

• We have a process to restrict the access, to computer centers only to people who have a business need

• We do not keep outside signs and building directories, to avoid making reference to computer centers or their locations

• All servers are kept in protected areas with restricted access, and are ministered 24/7

• We have established guidelines detailing, what security is needed in areas where servers are located.



Security Officers & Organization

• We employed full-time Information Security Officers, working in rotational shifts

• Have roles and responsibilities for protecting assets and implementing security measures been explicitly defined and communicated to all the department / groups

• We have a formal risk analysis process, which has been implemented to assist management in identifying security threats

• All Security Policies have been issued to all employees, including third party personnel and contractors

• All employees formally been acknowledged to adherence to the Information Security Policies

• We often audits to measure compliance with the information Security Policies

• Our employees are required to re-acknowledge compliance with the Information Security Policies every quarterly

• We often perform internal audits to measure compliance with the Information Security Policies

• We frequently perform periodic reviews to update security policies and guidelines for relevancy and emerging topics

• We have initiated strict controls in place, to restrict the ability to transmit customer’s data to unauthorized personnel outside our company

• We have an organizational policy on copyright compliance which been implemented and communicated to all users

• We have a policy to prohibit generic logon account and strictly follow the policy

• Our Permanent employees, Contractors / Temporary Staff, 3rd Party service providers

• We have a E-mail usage policy, which we strictly follow

• We do take action against users who use E-mail in contradiction to the E-mail usage policy

• We have issued internet policy to all our employees like: Only access the Internet for the legitimate work-related purposes, no downloading of games, etc.

• All our employees required to sign an Internet usage and responsibility agreement that acknowledges compliance with the stated Internet Policy.

• We follow comprehensive documentation standards for IT development and operational controls

• We have clear desk policy



Employee Security Focus

• We have a formal, on-going Security training program

• We have implemented a process to measure the Effectiveness of Security Training

• Our on-going Security Awareness program include instructing users, on how to detect and avoid ‘social engineering’ attacks as well as competitive intelligence probes

• Our users been educated on how to report suspected security violations or vulnerabilities

• We send regular bulletins to our employees, alerting them to risks and vulnerabilities involved in computing, including basic tasks such as backup, anti-virus scanning and choosing strong passwords

• We have initiated a process to communicate security policy and guideline changes to employees

• We give importance to Information Security which is visible throughout the organization like: Example: security discussions in company meetings, security award, posters etc.

• We notify our employees that customer sensitive data cannot be loaded on personal PC’s

• All users of our systems containing sensitive information made aware of legal and company obligations associated with the use of the application.

• Our employees been instructed to challenge strangers or unescorted visitors in non-public areas

• We do periodic spot-checks of our users workspaces to monitor compliance with the information protection program



Recruitment Process / New Employee Orientation

• Our Newly hired workers (including contractors & third party personnel) subjected to a history and background checks Like: References, Police records, etc.

• Our employees receive introductory awareness security training



Employee Exit / Transfer

• Our Human Resources (HR) department provides system administrators with a list of workers transferring departments and workers leaving the company.

• We have a process to notify system administrators when workers leave the business

• We conduct exit interviews to recover property given to workers like: (a) Company property (badges, company credit cards etc). (b) Tools of the jobs (laptops, mobile phones, remote dial-in access cards, modems etc.).

• We strictly follow emergency program for immediate removal of employee’s system access when the departing employee is identified a disgruntled or high risk

• We have up and running access / exit controls employed in our facility

• When our employees leave, we do (1) check to see if they have sponsored accounts or badges for guests, (2) We question them on continued need, and (3) Assign new sponsors



Change Management

• We do have documented change control procedures to manage all modification to the development environment (software, hardware, network)

• We regularly upgrade and perform change control regularly

• Our Physical Security (Example: power control, locks, entrance cards) is part of our change control process

• We have a documented procedure for performing emergency changes outside the change control process.


© 2017 Crescent. All rights reserved.