Security and Privacy

Security and Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information. Security and Privacy is a risk management issue for all organizations, and many are looking to CPA firms for solutions.

CPAs are adept at performing comprehensive risk assessments for businesses and developing risk management solutions that can give companies competitive marketplace advantages.

Security and Privacy is included in these risk assessments, and CPAs use a universal framework of best practices against which the company's privacy policies can be examined. CPAs can provide guidance to the organizations they serve by using the Generally Accepted Privacy Principles (GAPP) to help assess their privacy-related risks as well as to develop sound privacy policies and practices. 

Visit the AICPA TV channel for webcast archives on Security and Privacy.

Generally Accepted Privacy Principles

DISCLAIMER: Recent changes to Trust Services Principles (TSP) section 100 supersede Appendix C - GAPP section 100A. These privacy pages have not been updated to reflect those changes, nor the recent changes for privacy in US jurisdictions or in Europe. Generally Accepted Privacy Principles (GAPP) can be used as a management framework for privacy.

The AICPA and CPA Canada have formed the AICPA/CPA Canada Privacy Task Force, which has developed the Generally Accepted Privacy Principles (GAPP). This document supersedes the AICPA and CPA Canada Privacy Framework. Using GAPP, CPAs can help organizations design and implement sound privacy practices and policies. These principles and criteria were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices. These principles and criteria were issued following the due process procedures of both institutes, which included exposure for public comment. The adoption of these principles and criteria is voluntary.

Visit the GAPP page for additional information.

Cybersecurity

Cybersecurity is the process of applying security measures to ensure the confidentiality, integrity, and availability of data. Cybersecurity attempts to assure the protection of assets, which include data, desktops, servers, buildings, and most importantly, humans. The goal of cybersecurity is to protect data both in transit and at rest.

Countermeasures can be put in place in order to increase the security of data. Some of these measures include, but are not limited to, access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorization.

Visit the Cybersecurity page for more information.

Cloud Computing

As more companies outsource, cloud computing has become a common solution for organizations. It’s an innovative and increasingly popular model of software deployment that offers enterprise-class software functionality without the traditional up-front infrastructure costs or the unpredictable support and maintenance costs of on-site software and hardware.


Visit the Cloud Computing page for more information.



Additional Resources

FTC Identity Theft Resources for Businesses
The Federal Trade Commission (FTC) has compiled resources to help organizations secure the personal information they collect and prevent identity theft.
Copyright © 2006-2017 American Institute of CPAs.