Elephant in the Room Series – Part I

November 2012

In order to reach 100% participation among states in the ALD, we know that we need to address your main concern… come on…. It’s the elephant in the room…. Security of data. Some of the data shared for the ALD can be sensitive in nature and NASBA has taken all necessary precautions to safeguard it. Let’s first talk about Security of the ALD and CPAverify systems.

State Boards participating in the ALD and CPAverify should, and can, expect a rigorous commitment from NASBA to the security and integrity of their licensee data being shared for these applications. An indication that we take this commitment seriously is our Data Sharing Agreement available for Boards who require the legal contract before allowing NASBA to use their data.

So, how exactly do we keep your data secure?

As part of our commitment to the security and integrity of licensee data, we enforce many industry-standard security measures to protect and secure the transmission and storage of State Board data contained within the ALD and CPAverify.

In addition, we are continuously researching and learning about emerging technologies and standards in an effort to help keep the systems secure. These processes are detailed within the Security Statement. Email the ALD manager at [email protected] for your own copy. Let’s highlight some of those measures now…

First, all NASBA production servers operate in a secured environment. Servers are housed at a certified collocation facility where access is restricted to authorized individuals and is physically monitored. All ALD and CPAverify servers are housed in this environment. Server access by NASBA staff is on an as-needed, documented basis.

Second, NASBA utilizes a third party service to scan our network for vulnerabilities weekly, monthly and as needed.  Finally, we engaged an outside firm to perform external and internal network penetration testing specifically for the ALD and CPAverify applications. These key controls along with some additional monitoring activities help NASBA maintain a secure network.

How is the data kept secure during the transmission to NASBA?

All file transfers are generated by the State Board and transmitted to NASBA via Secure File Transfer Protocol (SFTP), which allows data to be securely transferred from one location to another under strict encryption guidelines.  Access control is based either on a password/username combination or by utilizing a private SSL key-share between servers. Such file transfers are based on the secure shell (SSH) protocol (a secure way to access a remote computer) and are widely utilized and accepted as secure means of data transport.

We take security of data extremely seriously and hope that what we’ve outlined here makes that clear. Stay tuned for more details about ALD and CPAverify security in the next article in this series in February’s ALD Newsletter. If you have any questions, we’re happy to answer them. Call or email Elizabeth at 615-564-2143 or [email protected].