regulations

Article 10.19.2022 Dean Dorton

Anyone who hasn’t just arrived from the Stone Age recognizes the importance of maintaining a healthy cybersecurity program. Healthy things grow and so our cybersecurity efforts should be adapting to the ever-changing threats that are trying to push our organizations towards extinction.

Doing cybersecurity right isn’t cheap. Most colleges and universities have a dinoburger budget and can’t afford the brontosaurus ribs. How do you get the resources to protect your systems and data? One way is to communicate that some cybersecurity efforts are required and not doing them can result in loss of grant funding.

The Gramm-Leach-Bliley Act (GLBA) has been around for years, but only had a real impact on colleges and universities for the last 3 to 4 years. Like a cybersecurity program, data security laws have a need to evolve and adapt to changing threats. The standards for the safeguarding components of GLBA have been updated. Some of the updates revise prior rules while others are brand new.

Old rule: Designate the employee(s) responsible for coordinating the information security program.
New rule: A single “qualified individual” (QI) is designated to oversee, implement, and enforce the information security program. The QI may be an employee, affiliate, or service provider.

Old rule: Perform a risk assessment.
New rule: Perform a risk assessment and update it periodically. The risk assessment should:
  • include criteria for the evaluation and categorization of identified risks, i.e., through the use of a cybersecurity framework (e.g., NIST, ISO, CIS);
  • include criteria for assessing the confidentiality, integrity, and availability of information, including the adequacy of existing controls;
  • state how identified risks will be mitigated based on the assessment and how the information security program (ISP) will address them.

Old rule: Identify safeguards for each risk identified.
New rule: Identify safeguards for each risk identified. The safeguards designed should cover access controls, data inventory, encryption, secure application development, multifactor authentication, secure disposal, change management, and monitoring and logging of user activity.

New rules with no corresponding old rule:
  • Annual penetration testing and vulnerability scanning.*
  • Policies and procedures addressing security awareness training, and ensuring that information security personnel are qualified and trained.
  • Proper oversight of service providers, addressing the selection process, contract wording, and periodic assessment.
  • A written incident response plan.*
  • The QI prepares and presents a written report to the board of directors, at least annually, on the status of compliance with the information security program.*

There is a new exemption rule for small organizations. If you maintain student financial aid information for fewer than 5,000 students, some of the new rules are not required. The rules marked with an asterisk (*) above are the ones this exemption covers.

The date for having these controls in place is December 9, 2022. At a minimum, you should be able to demonstrate the new rules are being met before your next Single Audit is performed in 2023.

Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Kevin W. Cornwell, CPA | IT Audit Associate Director
kcornwell@deandorton.com
502.566.1011

Filed Under: Cybersecurity, Higher Education, Industries, Services Tagged With: Cyber, Cybersecurity, Financial, GLBA, governance, regulations, security, Student Financial Aid

Article 10.26.2021 Dean Dorton

No one wants their data to be hacked and used for nefarious gain. Employees, customers, clients, patients, students, and vendors are depending on your organization to protect their data. You have been entrusted with it and they have a reasonable expectation you are going to take steps necessary to keep it out of the wrong hands.

We all understand there is no such thing as 100% secure, therefore “reasonable” is a much more practical goal. Ideally, every organization would prioritize investing time and resources into having an adequately mature cyber security program. However, there are myriad pressures and objectives facing every organization. Sometimes cyber security does not get the attention it needs.

Numerous regulatory bodies have established requirements intended to ensure organizations adhere to common cyber standards. These requirements vary based on elements such as industry, type of data, and geographic location. Once an organization finds itself falling under data protection regulations, it is common to have multiple applicable regulatory requirements. Compliance can quickly become complex and seemingly overwhelming. Below are examples of data protection requirements:

Japan – APPI
Brazil – LGPD
Canada – PIPEDA
China – PIPL
European Union – GDPR

CMMC
GLBA
FFIEC
HIPAA
PCI
SOX

Data Breach Notification Laws
Data Privacy Laws
State Grants & Contracts

For organizations that want to comply, there are two paths typically taken when faced with this complexity. The first path involves a process that looks good on paper. All the boxes are checked but no value has been provided to the organization other than dodging the penalty and fine bullet for another year. This approach has been common with credit card compliance requirements.

The second path involves a process that not only addresses compliance requirements but also recognizes there are many other objectives that can be accomplished to bring value to the organization. For example, most data regulatory standards require that a risk assessment be performed. However, each standard typically narrows the scope to just the applicable processes, systems, and data being regulated. If you are performing a risk assessment, why not make it enterprise-wide? The resulting information not only assists with compliance but also helps identify other initiatives that are needed.

As previously mentioned, the phrase adequately mature is intended to recognize that each organization has different cyber security needs. Even though this is the case, there are fundamental steps applicable to all organizations that are beneficial to data protection. These steps will help deal with the complexities and provide a clear path forward. See the demonstration below:

[Figure: Cyber Pyramid] https://deandorton.com/wp-content/uploads/2021/10/Cyber-Pyramid-e1635186352566.jpg

Data Inventory
Determine what data you have, where it resides, and who is interested in the data. The “who” element can include internal stakeholders, but for the purposes of compliance make sure to identify external stakeholders, e.g., regulatory bodies. Relevant information to include in your data inventory:

Application/System Name
Version #
Vendor
System Owner
Data Owner
Function/Purpose
Users of System
Primary/Secondary Locations
Sensitive Data Elements*

* Sensitive data elements include:
Alumni/Students
Applicants/Employees
CUI
DOB/SSN/Passport/Visa
Name/Address/Telephone/ID
Patients/Customers/Vendors

Based on the sensitive data elements, identify the applicable regulatory bodies governing data protection.

Cybersecurity Control Framework
Many regulatory bodies recommend or require specific control frameworks. A control framework helps create a vision of what your organizational security program should look like. It provides a path and, because many resources are already available, eliminates the need to create everything from scratch. Your data inventory will drive selecting the right framework.

See examples of cybersecurity control frameworks:

[Figure: Examples of cybersecurity control frameworks] https://deandorton.com/wp-content/uploads/2021/10/Screenshot-2021-10-20-151610.png

To summarize, one path does take more work and effort, but the results speak for themselves. Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Kevin W. Cornwell | IT Audit Associate Director
kcornwell@ddaftech.com
502.566.1011

Filed Under: Accounting and Financial Outsourcing, Healthcare, Industries, Services, Technology Tagged With: Compliance, Data, data protection, IT Audit, law, regulations

Article 08.18.2018 Dean Dorton

Over time the IRS has struggled with how best to efficiently conduct audits of partnership income tax returns. Various approaches have been tried. Significant changes have now become effective. Even though the first partnership tax returns to which the new audit rules will apply will be 2018 tax returns, not due to be filed until 2019, partnerships will need to deal with a couple of important matters before their 2018 returns are filed.

First, the appointment of a Partnership Representative, a new position, is required. The Partnership Representative will serve as the audit contact and will have the authority to bind the partnership and its partners to audit adjustments. Given the power the Partnership Representative will have under the new rules, careful attention needs to be given regarding whom the partnership designates. The partnership may want to include procedures or contractual limitations on the power of the Partnership Representative in its partnership or operating agreement.

Certain partnerships will be able to elect to “opt out” of the new rules. A partnership will qualify for this election if the partnership has (1) 100 or fewer partners and (2) only partners who are individuals, corporations (including S corporations), and estates of deceased partners. Partnerships with trusts (even grantor trusts), other partnerships, or disregarded LLCs as partners will not qualify for this election. The opt-out election must be made annually on a timely filed tax return. For partnerships qualifying to opt out, we believe that will be the preferred course of action in most cases.

A partnership is required to either disclose the Partnership Representative or make the opt-out election on its 2018 partnership tax return. We strongly encourage persons who manage tax partnerships to address the new rules with their tax professionals before the upcoming tax filing season.

Matthew Smith, CPA, CFE
Tax Associate Director
msmith@deandorton.com • 859.425.7774

Filed Under: Audit and Assurance, Services, Tax Tagged With: Audit, IRS, partnerships, regulations, Tax Returns
