Protecting Private Data From Intrusions

     The private and nonpublic data being processed by information technology systems has become a major financial risk for businesses and governments world wide due to the lack of adequate controls for protection of the data.  As the use of the Internet for the exchanging of correspondence and financial data has increased the increase in the number of unauthorized intrusions into information technology systems has created enormous financial losses.

     The increase in the financial risks of utilizing information technology systems necessitated the passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB). The act imposed the legal requirement that all financial institutions and organizations that process data utilizing information systems must incorporate adequate controls to identify and prevent intrusions and the theft of private and nonpublic data. The GLB act established the Safeguards Rule of November 12, 1999 that applied to all IT systems.  To meet the intent of the Safeguards Rule the controls must provide for protection of the security, confidentiality, and integrity of private and nonpublic information. The requirements of the Safeguards Rule have become the basis of many additional federal laws intended to clarify standards and guidelines for developing and implementing administrative, technical and physical safeguards. To insure that an organization has adequate IT controls to protect its clients and the IT systems of other companies that are connected has become necessary that IT systems be audited.

      In response to the Safeguard Rule imposed by Federal Trade Commision, Service Organization Controls (SOC) were establish by the American Institute of Certified Public Accountants (AICPA) as a set of standards and guidelines to  be used by auditors of IT systems. The auditors are to evaluate the  adequacy of the controls incorporated as part of information technology (IT) systems in an effort to meet the new regulations.

     SOC consists of three types of auditing procedures to be conducted: SOC 1, SOC 2 and SOC 3 which provide detailed definitions of the different controls that are to be verified as to adequacy. The controls include the management and administrative procedures, and access limitations, for institutions that process, store or collect, private, personal and nonpublic data. The SOC requirements include the requirement for controls that detect and prevent unauthorized intrusion into the IT processing systems.  The intent of the controls is to prevent the theft of the private and nonpublic data of customers and consumers by administrative, electronic and physical means.

    The AICPA  offers a certification  of compliance with the SOC control  requirements upon the successful completion of an audit by a CITP.  A CITP is a CPA that has been evaluated and approved as a Certified Information Technology Professional  by the AICPA. To enable a CITP  to perform an audit of the electronic IT controls it has become necessary that the IT system be electronically tested to determine the adequacy of the controls.  This has resulted in the requirement to develop soft ware systems that can be attached to IT systems to detect unauthorized inquiries and removal of personal data that can be used  for identity theft. Protecting private data is a federal requirement that will soon require compliance to be certified.

Leave a Reply

Your email address will not be published. Required fields are marked *

Go back to top