February 2012

A Commitment to Security and Data Integrity

State Boards participating in the ALD and CPAverify can and should expect a rigorous commitment by NASBA to the security and integrity of the licensee data they share for these applications. NASBA enforces many industry-standard security measures to protect and secure the transmission and storage of State Board data contained within the ALD and CPAverify. NASBA has also recently added several new, ongoing audit processes to ensure and maintain the quality and integrity of all the data included in the systems.

NASBA Network Security

All NASBA production servers operate in a secured environment. Servers are housed at a certified colocation facility where access is restricted to authorized individuals and is physically monitored. All ALD and CPAverify servers are housed in this environment. Server access by NASBA staff is granted on an as-needed, documented basis. In addition, NASBA utilizes a third-party service to scan our network for vulnerabilities weekly, monthly, and/or as needed. Finally, we have recently engaged an outside firm to perform external and internal network penetration testing specifically for the ALD and CPAverify applications. These key controls, along with additional monitoring activities, help NASBA maintain a secure network.

Information Exchange

All file transfers are generated by the State Board and transmitted to NASBA via Secure File Transfer Protocol (SFTP), which allows data to be transferred securely from one location to another under strict encryption guidelines. Access control is based either on a username/password combination or on a private SSL key shared between servers. Such file transfers are based on the secure shell (SSH) protocol (a secure way to access a remote computer) and are widely utilized and accepted as a secure means of data transport.

Web Security

The ALD web server is an SSL-based, password-protected database intended only for State Board staff. User accounts are administered by authorized NASBA staff; no self-service interface is available other than a password-change utility. Password controls are established to promote strong password creation and provide a time-out feature that locks the user out if the password is not changed, requiring the user to contact NASBA to regain access to the system.

CPAverify is a public-facing system with a more limited dataset than the ALD. The CPAverify database is separate from the ALD and does not physically contain the elements used in the ALD. As a result, CPAverify does not use user accounts but employs logical controls to help prevent automated attacks on the web data.

Data Integrity

Daily: Once data has been securely delivered to NASBA's servers, it is passed to a dedicated ALD processing server. The first stage of processing examines the file and checks each row for structural viability, eliminating rows that are incomplete, contain invalid symbols, or omit required fields. After all rows have been structurally analyzed, the error count is checked against a percentage-based threshold. If the threshold is breached, the entire file is rejected and processing terminates, which triggers an alert to NASBA staff that a file has been rejected so that coordination can begin to address the problem directly with the State Board. NASBA staff also receive a processing report for each file that is successfully processed, which outlines the total number of records received versus the number of records processed, as well as the total number of processing and structural errors. When the total number of processing and structural errors surpasses a designated threshold, the cause of the errors is investigated and a NASBA staff member works with the respective Board toward a resolution.
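The first-stage structural check and threshold logic described above, as an added example and not NASBA's own code. The file layout (pipe-delimited, with the five required column names), the allowed character set, the 10% rejection threshold and the investigation threshold are all assumptions, and the sample file is constructed.

```python
import csv
import io

# Assumed layout (the page does not give the ALD file format): a pipe-delimited
# export with these required columns. The character whitelist is also assumed.
REQUIRED = ("license_no", "last_name", "first_name", "status", "expires")
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 -./,'&")

# Constructed sample file: clean rows plus one with an empty required field,
# one with a disallowed symbol, and one truncated record.
SAMPLE_FILE = """license_no|last_name|first_name|status|expires
12345|Doe|Jane|Active|2013-06-30
12346|Smith||Active|2013-06-30
12347|O'Neil|Pat|Active|2013-06-30
12348|Jones|Sam|Act<script>|2013-06-30
12349|Lee
"""


def row_error(header, fields):
    """Return the reason a row fails the structural check, or None if it passes."""
    if len(fields) != len(header):
        return "incomplete row"
    record = dict(zip(header, fields))
    for name in REQUIRED:
        if not record.get(name, "").strip():
            return "missing required field: " + name
    for value in fields:
        if any(ch not in ALLOWED for ch in value):
            return "invalid symbol"
    return None


def process_file(text, reject_threshold=0.10, investigate_threshold=2):
    """Validate every row, then compare the error rate with a percentage threshold."""
    reader = csv.reader(io.StringIO(text), delimiter="|")
    header = next(reader)
    received = processed = 0
    errors = []                      # (data row number, reason)
    for fields in reader:
        received += 1
        reason = row_error(header, fields)
        if reason:
            errors.append((received, reason))
        else:
            processed += 1
    ratio = len(errors) / received if received else 0.0
    rejected = ratio > reject_threshold   # whole file rejected, staff alerted
    return {"received": received, "processed": 0 if rejected else processed,
            "structural_errors": len(errors), "error_ratio": ratio,
            "rejected": rejected, "errors": errors,
            "investigate": rejected or len(errors) > investigate_threshold}
```

The returned dictionary is the processing report: records received versus processed, the structural error count, and whether the file was rejected or merely flagged for investigation.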

Weekly: Participating states' data is cross-checked against the data displayed on the ALD, on CPAverify, and on the State Board's Licensee Look Up tool, using five (5) random samples from each Board's records. As necessary, State Boards are contacted to rectify any discrepancies found.

Annually: NASBA processes require that all participating US Jurisdictions' data be run through the full ALD Integrity Review (AIR) process at least annually. The AIR, developed by the ALD Committee, establishes the procedures necessary to complete an efficient and effective review of the data and processes related to the integrity of the data in the ALD and CPAverify. The procedures include a review of the Board's administration and systems that are relevant to the ALD/CPAverify and require attention, a full records audit by Board staff and by NASBA staff, and a plan for reporting discrepancies found throughout the year.

NASBA continues to research and learn about emerging technologies and standards in our efforts to help keep our systems secure. NASBA works with each State Board’s team as they are brought on to the ALD system and continues to add new security enhancements as they are developed.