One step in the process of getting set up to participate in the ALD is to satisfy the state’s concerns related to system security. This article highlights some of the areas discussed recently as we worked with Nebraska Board of Public Accountancy staff and consultants to evaluate NASBA’s security measures. Early on it was determined that using the Social Security number as a personal identifier for the ALD was not acceptable. Instead, a one-way hashing algorithm that takes the date of birth and the last four digits of the SSN as input generates a unique identifier at the state board office, and that identifier is then transmitted to the ALD database.

This eliminates the need to store the SSN in the ALD database. NASBA has begun implementing controls based on industry standards including, but not limited to, the Federal Information Security Management Act of 2002 (FISMA) and the Open Web Application Security Project (OWASP). Although no security system can ever be guaranteed to be completely secure or to prevent all intrusions, these standards help provide a minimum level of security and quality for our operations and help achieve compliance with various privacy and operational regulations, including state-based privacy laws.
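The identifier derivation described above, sketched as an added example (not NASBA's code). The article does not name the algorithm or the field format, so SHA-256, the `YYYY-MM-DD|NNNN` canonical form, the HMAC variant and the demo key are all assumptions; the keyed variant goes beyond the text to show how the identifier can be tied to a secret.

```python
import hashlib
import hmac
import re
from datetime import date

# Assumption: constructed demo key. A real deployment would load it from a key store.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

def normalize(dob: str, ssn_last4: str) -> bytes:
    """Canonicalize the inputs so every office derives identical bytes for one person."""
    m = re.fullmatch(r"([0-9]{4})-([0-9]{2})-([0-9]{2})", dob.strip())
    if not m:
        raise ValueError("date of birth must be YYYY-MM-DD")
    born = date(*map(int, m.groups()))  # rejects impossible dates such as 1981-02-29
    last4 = ssn_last4.strip()
    if not re.fullmatch(r"[0-9]{4}", last4):
        raise ValueError("expected exactly four SSN digits")
    return f"{born.isoformat()}|{last4}".encode("ascii")

def plain_id(dob: str, ssn_last4: str) -> str:
    """One-way identifier as the article describes it (SHA-256 is an assumption)."""
    return hashlib.sha256(normalize(dob, ssn_last4)).hexdigest()

def keyed_id(dob: str, ssn_last4: str, key: bytes = DEMO_KEY) -> str:
    """Same inputs, but the digest also depends on a secret held by the parties."""
    return hmac.new(key, normalize(dob, ssn_last4), hashlib.sha256).hexdigest()

def input_space(years: int = 100) -> int:
    """Upper bound on distinct (DOB, last-4) inputs for birth dates spanning `years`.

    The bound is small, so an unkeyed digest protects the inputs only as far as
    this count allows; the identifier is also only as unique as the inputs are.
    """
    return years * 366 * 10_000

def same_person(id_a: str, id_b: str) -> bool:
    """Match two identifiers with a constant-time comparison."""
    return hmac.compare_digest(id_a, id_b)

if __name__ == "__main__":
    # Constructed sample record, not real data.
    print(plain_id("1980-02-29", "0042"))
    print(keyed_id("1980-02-29", "0042"))
    print(input_space())
```
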

Security measures have been integrated into the design, implementation, and day-to-day practices of NASBA’s operating environment as a part of our continuing commitment to risk management. These measures are designed and intended to prevent corruption of data and to block unknown or unauthorized access to our systems and information. We strive to maintain a consistent level of standards and will provide leadership to stakeholders and state boards when necessary to help meet those aspirations.

As part of this effort, customer information and account data are protected by multiple security protocols: firewalls, data encryption, secure file transfers, and a unique ID and password requirement for system access. NASBA provides end-to-end encryption to help secure transactions while in transit. Encryption protects information sent over the Internet by encoding the transmitted data. Secure File Transfer Protocol (sFTP) and Secure Sockets Layer (SSL) are employed to protect information exchanged between NASBA and its stakeholders. Additionally, NASBA uses firewall technology to protect information stored in our computer systems from unauthorized access by external entities. NASBA’s security standards require that all NASBA servers that employ SSL use 128-bit encryption.

NASBA continues to research and learn about emerging technologies and standards in our efforts to help keep our systems secure. NASBA staff recently participated in the Black Hat Conference, a premier technical security conference. As we worked with the Nebraska team, we shared ideas that resulted in making changes that strengthened access controls. We look forward to working with your state at any time to review NASBA’s approach to ALD’s system security.
