Security Practices: The AICPA/CICA Privacy Framework
2005 - Protecting customers’ and employees’ personal
information has become a significant risk-management issue
for all organizations. Consumers are increasingly concerned
with how organizations protect and handle their personal information,
and identity theft is on the rise, leading to new regulatory
requirements on business for the protection of personal information.
legislation mandates the protection and privacy of personal
information for customers, clients, and patients. In the
healthcare industry, for example, the Health Insurance Portability
and Accountability Act (HIPAA) requires covered entities
to follow or address certain information security practices.
The financial services industry has standards introduced
by the Gramm-Leach-Bliley Act (GLBA).
some state laws require the protection of personal information,
those laws are often ambiguous as to what type of protection
is necessary. For example, California’s recently enacted
Assembly Bill 1950 (AB 1950) requires a business that owns
personal information about a California resident to “implement
and maintain reasonable security procedures and practices
to protect personal information from unauthorized access,
destruction, use, modification or disclosure.” If
the business discloses personal information to a third party,
AB 1950 requires that the contract contain a reference to
the obligation of the third party to maintain reasonable
security practices and procedures appropriate to the nature
of the information. Although the bill requires “reasonable”
security practices, it does not fully describe what these
practices should be.
of the Framework
organizations that are subject to laws and regulations that
provide limited guidance on appropriate information-security
practices, or organizations that simply want to meet their
customers’ expectations for protecting personal information,
the Privacy Framework developed by the AICPA and the Canadian
Institute of CAs (CICA) forms a comprehensive resource providing
guidance on a number of areas related to privacy. The AICPA/CICA
Privacy Framework (www.aicpa.org/privacy)
offers excellent guidance on defining good privacy and security
practices for personal information, organized into 10 different
Management: Assigns accountability for privacy
policies and procedures.
Notice: Provides notice of privacy policies and
Choice and consent: Describes choices available
to the individual on the collection, use, and disclosure
of personal information.
Collection: Collects personal information only
for the purposes identified.
Use and retention: Limits use of personal information
to the purposes identified.
Access: Provides individuals with access to their
Disclosure: Discloses personal information to
third parties only for the purposes identified.
Protects personal information against unauthorized
Quality: Maintains accurate, complete, and relevant
Monitoring and enforcement: Monitors compliance
with its privacy policies and procedures.
framework’s 10 components are considered a solid benchmark
for good privacy practice. The security component focuses
on the security practices necessary for the protection of
personal information, and aligns with the security principle
of the AICPA/CICA “Trust Services Principles and Criteria.”
Other elements of these criteria include processing integrity,
availability, confidentiality, and privacy.
the structure of the AICPA/CICA Privacy Framework are numerous
criteria, illustrations, and explanations for each component.
Each criterion is measurable, relevant, and objective, and
classified in terms of policies and communications or procedures
criteria require an organization to address the security
of personal information within its privacy policies, and
to ensure that the policies are communicated through a privacy
notice that describes the general types of security measures
used to protect personal information.
organization is considered to have good information-security
practices if a security program was developed, documented,
approved, and implemented that includes administrative,
technical, and physical safeguards to protect personal information
from loss, misuse, unauthorized access, disclosure, alteration,
of items that a security program would address include periodic
risk assessments, assignment of responsibility and accountability
for security, implementing software upgrades and patches,
and allocating training and other resources to support the
organization’s security policies. The framework contains
examples of other features that a security program should
Logical access controls are in place to restrict access
to personal information. These include—
Authorizing and registering personnel.
Identifying and authenticating personnel.
Making changes and updating access profiles.
Granting system-access privileges.
Preventing individuals from accessing others’
Limiting access to personal information to authorized
personnel based upon their assigned roles and responsibilities.
Distributing output only to authorized personnel.
Restricting logical access to offline storage, backup
data, systems, and media.
Restricting access to system configurations, master
passwords, utilities, and security devices.
Preventing the introduction of viruses, malicious
code, and unauthorized software.
Physical access is restricted to personal information
in any form, including the components of the organization’s
system that contain or protect personal information.
Personal information is protected against unlawful destruction,
accidental loss, natural disasters, and environmental
n Personal information is protected when transmitted by
mail and over a network, by deploying industry-standard
of the effectiveness of key administrative, technical,
and physical safeguards protecting personal information
are conducted at least annually (e.g., an independent
audit of security controls).
here to see an Exhibit.
Askelson, CPA, CITP, CIA, is IT audit manager for
JC Penney in Plano, Texas, and vice chair of the AICPA/CICA
Privacy Task Force.