Page 37 - CITP Review
Gender
Race
Non-specific age (e.g. 30-40 instead of 30)
Job position and workplace
The following are examples of privacy laws and regulations that organizations may have to follow
depending on the jurisdictions they operate in. Because these regulations do not all define PII in the
same way, organizations have to consult each applicable regulation to determine what it treats as PII.
General Data Protection Regulation (GDPR). A regulation in EU law covering data protection and
privacy for all citizens of the European Union (EU) and the European Economic Area (EEA). It also
addresses the transfer of personal data outside the EU.
Children’s Online Privacy Protection Act (COPPA). COPPA protects children’s privacy by giving parents
tools to control what information is collected from their children online.[33]
Gramm-Leach-Bliley Act. The Gramm-Leach-Bliley Act requires financial institutions — companies that
offer consumers financial products or services like loans, financial or investment advice, or insurance
— to explain their information-sharing practices to their customers and to safeguard sensitive data.
Family Educational Rights and Privacy Act (FERPA). The Family Educational Rights and Privacy Act
(FERPA) (20 U.S.C. Section 1232g; 34 CFR Part 99) is a federal law that protects the privacy of
student education records. The law applies to all schools that receive funds under an applicable
program of the U.S. Department of Education.
Health Insurance Portability and Accountability Act of 1996 (HIPAA). United States legislation that
provides data privacy and security provisions for safeguarding medical information.
Vulnerability management and cybersecurity management services
CPA firms can offer cybersecurity services to improve an organization’s security posture and enhance
the CPA’s status as a trusted adviser to clients. The following is a list of cybersecurity services that could
be provided by a CPA firm to a client:[34]
Gap analysis. The practitioner identifies the gaps between an existing system and a target system or
set of requirements; assists the organization in obtaining full compliance with the appropriate
regulations, guidelines, and best practice standards; and provides a summary report of the current
compliance level and the details for developing appropriate corrective action. When performing this
type of service, the practitioner will visit the organization; meet with IT and information security
experts; identify the security level of the data, IT resources, or IT service; review the required controls
for the security level; document current practices compared to the required security controls; and
document plans to meet security control requirements.
Readiness assessment. A service provided by a CPA firm to help an organization prepare for a SOC for
Cybersecurity examination. The purpose of this engagement is to identify control and process gaps
and provide corrective action plans to the organization in order to remediate the gaps prior to the
commencement of the first examination period. This service is performed in accordance with the
Statements on Standards for Consulting Services and leverages guidance from the AICPA’s Guide
“Reporting on an Entity’s Cybersecurity Risk Management Program and Controls.” During a readiness
[33] See www.ftc.gov/enforcement/statutes/childrens-online-privacy-protection-act, accessed September 7, 2019.
[34] “Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate Course,” AICPA.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-29