March 8, 2004
(Computerworld)
The American Institute of Certified Public Accountants Inc. (AICPA) has had a strategy for improving national cybersecurity for more than five years. The New York-based organization is now working with the Center for Internet Security on integrating its guidelines with the center's technical benchmarks. The CIS is a Hershey, Pa.-based nonprofit security standards consortium of more than 170 companies.
Known as Trust Services, the AICPA's auditing guidelines were presented to the White House in a briefing prior to last year's release of the National Strategy to Secure Cyberspace. The guidelines, which can be downloaded free of charge , are a central part of the discussions on Capitol Hill surrounding proposed legislation that would require publicly traded companies to conduct independent security audits and detail the results in their annual reports .
Trust Services are "guidelines that came out in 1999 to enable CPAs to assess security, privacy and availability of information systems," said Michael Dickson, a CPA at Columbus, Ohio-based Business Technology Group LLC who also holds the AICPA's coveted Certified Information Technology Professional designation. "The thing that differentiates our standard from others is that we can issue an assurance report, which is like an audit report."
"People may not have been aware that CPAs are in the security space, the privacy space and the confidentiality space," said Karyn Waller, a CPA and senior technical manager at the AICPA. But what really makes the AICPA approach attractive on a national scale is that the guidelines are flexible and scalable over time and the results will be consistent from company to company, she said.
"The idea is that two different CPAs looking at the same set of circumstances have a very good chance of coming up with the same results," said Dickson. "They are generic enough to facilitate the audit process but specific enough to ask questions about firewall settings and if unnecessary services have been disabled."
The problem on a national scale is that there are more than a dozen standards available that companies can follow, but not all of the standards are applicable to all business types or industry sectors, said Dickson.
Alan Paller, director of the Bethesda, Md.-based SANS Institute, sits with representatives of the AICPA on a task force that was formed by Rep. Adam Putnam (R-Fla.) to devise security best practices for the private sector. He said he wasn't happy with the AICPA approach until very recently because of its general, nontechnical focus on security.
However, Paller said the AICPA's recent effort to work with the CIS's benchmark applications "will make the results much more comparable [among companies] and immediately useful."