2.4. GAPP Assessment Procedures
GAPP Approach: Again, the AICPA and CICA claim that each of GAPP’s 10 privacy principles is supported by “relevant, objective, complete, and measurable criteria.”
Critique: While in many cases it is obvious how an auditor should test compliance with a given criterion, in a few cases, especially the security criteria, it is not. For example, when criterion 8.2.1.a states that the entity’s information security program should address “risk assessment and treatment” as it relates to the “security of personal information,” how, precisely, is the auditor supposed to validate that? Must the entity adopt ISO 31000 or ISO 27005? Factor Analysis of Information Risk (FAIR)? OCTAVE? NIST SP 800-30? RiskIT? COSO? Any of the above? Is a home-grown risk management methodology acceptable? The AICPA and CICA do not say.
Solution: The AICPA and CICA should define and publish clear, unambiguous testing or assessment procedures. The Payment Card Industry (PCI) Data Security Standard (DSS) is one example of a standard with clearly defined testing procedures. Another option is NIST SP 800-53A, which arguably provides one of the most well-thought-out structures for defining assessment procedures. Each assessment procedure includes one or more assessment objectives (the ‘why’), assessment methods (the ‘how’), and assessment objects (the ‘what’). That structure can be applied to any compliance framework, not just NIST SP 800-53.
2.5. AICPA/CICA’s Comparison of GAPP to Other Privacy Frameworks
In their “Comparison of International Privacy Concepts,” the AICPA and CICA compare GAPP to eight other privacy frameworks: (1) Australia Privacy Act; (2) Canada Personal Information Protection and Electronic Documents Act (PIPEDA); (3) EU Data Protection Directive; (4) OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data; (5) U.S. FTC’s Fair Information Practices in the Electronic Marketplace; (6) U.S.-EU Safe Harbor Framework; (7) U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA); and (8) U.S. Gramm-Leach-Bliley Act (GLBA). The AICPA and CICA caution that their comparison “is for illustrative purposes only and not meant to be comprehensive,” which I interpret to mean that the list of privacy frameworks is not comprehensive.