At Integrated Accounting Services, LLC we encourage anyone concerned about the security and privacy of information technology systems to check out the work being done by the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST). The NIST website (security division) states: “ITL promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.”

As such, ITL is uniquely positioned to advise on, as well as support, the standardization of control processes for the private sector. ITL has an in-depth understanding of the IT control problems involved in integrating private systems with existing government systems. It is in the best interest of the government to be involved in this process, both to ensure compatibility of systems and to establish confidence in the quality of the controls that will be placed on the systems with which it is integrating.

Everyone interested in advancing the design and planning of IT systems should become familiar with the accomplishments of NIST by reading its Special Publication 800 series. The 800 series reports on ITL’s research, guidelines, and outreach efforts in information system security, and on its collaborative activities with industry, government, and academic organizations. NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”, lists pages of specific controls that should be considered in preparing a standardized list of IT system controls for the private sector.

The American Institute of Certified Public Accountants (AICPA) has developed and adopted a set of guidelines and regulations for CPA audits, entitled Service Organization Controls (SOC), in response to the requirements of the Gramm-Leach-Bliley Act. SOC is divided into two general types of audit, SOC 1 and SOC 2, which are described in detail on this site. SOC is very specific as to the types of assessments to be made for each type of audit. However, the SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as the controls identified by NIST.

A very large portion of IT system data worldwide relates to the actual accounting of income and expense data. It would substantially improve confidence in the accuracy of that data, and in the validity of private, corporate, and government audits, if the standardized controls adopted for financial audits were identified and separated into a category distinct from other types of controls.

To expedite certification of the adequacy of IT controls on financial systems, the accounting category should be further divided and organized according to how the AICPA requires CPAs to assess and certify the adequacy of those controls.

A SOC 1 audit assesses controls under two entirely different sets of circumstances. Under the requirements of SSAE No. 15, the audit is “An Examination of an Entity’s Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements”. These controls deal with the validity and correctness of the data itself.

A SOC 1 audit under the requirements of SSAE No. 16 reports “On Controls at a Service Organization” that processes private and nonpublic personal data on behalf of its customers. The controls would obviously differ in approach, even though there would be some overlap. Standardizing would require developing different categories of controls for each type of audit.

SOC 2 audits deal with five different concerns: security, availability, integrity, confidentiality, and privacy. Specific controls come into play for each of these areas, including overlapping controls intended to prevent financial theft, ensure timely transmission, guard against intrusion or manipulation, limit access, and enforce nondisclosure.

Should those involved in designing and operating IT systems decide to become knowledgeable about the standards developed by NIST, it would provide a common starting point for the first of a series of joint meetings. The fact that ITL’s responsibility is limited to federal systems that are not national security-related means that all other federal IT systems are designed and implemented to the same security and safety control guidelines and regulations. The federal systems established by ITL are designed to interface with the private sector as much as possible, considering the number of different systems involved. This appears to be a viable approach to solving a major problem.

At Integrated Accounting Services LLC, we believe that the establishment of a standard federal IT system by ITL provides a tremendous opportunity to begin the process of standardizing all private sector systems. Joint studies have been limited by the lack of agreement on a starting point of reference. Using what ITL has already developed would begin the process of developing a compliance standard for controls for each of the standard types of IT system emerging in the private sector. Having standardized IT system controls for each type of IT system would obviously create the high level of security and safety now enjoyed when processing private, personal, and nonpublic data in the medical industry.

Through coordination meetings with IT system organizations, users, system designers, and equipment vendors in the private sector, ITL could provide direction on how to establish private system controls that comply with its regulations and guidelines. ITL would also have the opportunity to modify its design to help reach agreement on a universal compliance standard. The meetings would be organized and run in the same manner as the industry-wide organizational programs and joint meetings that were so successful in the development of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), sixteen years ago.

Please contact Integrated Accounting Services LLC if you are interested in attending and being part of a Joint Planning Task Force meeting with NIST, by commenting and making suggestions on this post.
