Page 37 - CITP Review

  - Gender
  - Race
  - Non-specific age (e.g., 30-40 instead of 30)
  - Job position and workplace

The following are examples of privacy laws and regulations that organizations may have to follow, depending on the jurisdictions in which they operate. These regulations do not define PII in the same way; to determine what counts as PII, an organization has to read each regulation that applies to it.


  - General Data Protection Regulation (GDPR). A regulation in EU law on data protection and privacy for individuals in the European Union (EU) and the European Economic Area (EEA). It also governs the transfer of personal data outside the EU and EEA.
  - Children's Online Privacy Protection Act (COPPA). COPPA protects children's privacy by giving parents tools to control what information is collected from their children online.[33]
  - Gramm-Leach-Bliley Act. The Gramm-Leach-Bliley Act requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
  - Family Educational Rights and Privacy Act (FERPA). The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. Section 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA). United States legislation that provides data privacy and security provisions for safeguarding medical information (protected health information).



            Vulnerability management and cybersecurity management services


CPA firms can offer cybersecurity services to improve an organization's security posture and enhance the CPA's status as a trusted adviser to clients. The following is a list of cybersecurity services that a CPA firm could provide to a client:[34]
  - Gap analysis. The practitioner identifies the gaps between an existing system and a target system or set of requirements; assists the organization in achieving full compliance with the applicable regulations, guidelines, and best-practice standards; and provides a summary report of the current compliance level together with the details needed to develop appropriate corrective action. When performing this type of service, the practitioner will visit the organization; meet with IT and information security experts; identify the security level of the data, IT resources, or IT service; review the controls required for that security level; document current practices compared to the required security controls; and document plans to meet the security control requirements.
  - Readiness assessment. A service provided by a CPA firm to help an organization prepare for a SOC for Cybersecurity examination. The purpose of this engagement is to identify control and process gaps and provide corrective action plans to the organization so that it can remediate the gaps before the first examination period begins. This service is performed in accordance with the Statements on Standards for Consulting Services and leverages guidance from the AICPA's Guide "Reporting on an Entity's Cybersecurity Risk Management Program and Controls." During a readiness


[33] See www.ftc.gov/enforcement/statutes/childrens-online-privacy-protection-act, accessed September 7, 2019.
[34] "Cybersecurity Fundamentals for Finance and Accounting Professionals Certificate Course," AICPA.


© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-29