Auditing Data Privacy Can Bring Major Value to Organizations

As new technologies facilitate innovative uses of data, the corporations, governments and nonprofits using these technologies assume responsibility for ensuring appropriate safeguards over the collection, storage and purging of the data.

Highly publicized data breaches have heightened corporations’ concerns about their ability to meet this responsibility. The concern is well-founded: the consequences of a data breach extend beyond reputational loss to regulatory penalties and the possibility of class action litigation.

In this landscape, an audit of data privacy is a prime assessment for IT auditors to showcase the value they bring to their organizations. The opportunity stems from data privacy touching all of the areas in which organizations rely on IT auditors for expertise: providing assurance over information systems, ensuring that compliance expectations are met, and consulting on changing and emerging technologies.

In performing an audit of data privacy, including the following areas in the IT audit program is beneficial:

Data governance and classification
The primary objective of this portion of the audit is to confirm that the organization has identified and classified its data. The IT auditor’s assessment of data classification assures the organization that controls are commensurate with the sensitivity of the data. That assessment should test the classification register against data actually held (production databases, file shares, backups and exports), since a register that omits a data store says nothing about the controls around it. Where a control requires significant resources (in time or expense), the results of this assessment allow management to make informed decisions about where costs can be reduced or efficiency gained. Similar gains follow when roles and responsibilities for the people involved in the organization’s management of Data Governance for Privacy, Confidentiality and Compliance (DGPC) have been clearly defined: well-defined roles reduce the chance that responsibilities are duplicated, which is itself a source of inefficiency.

Data security
Two of the essential areas addressed under data security are data loss prevention and authentication/credentialing. Concerns with data security often arise from the same new technologies that fuel innovation, discussed earlier. For example, as an organization adopts tools that enhance communication and collaboration (instant messaging, removable media and, yes, email), sharing among those who legitimately should have access to the data becomes easier. At the same time, the intentional and unintentional ways in which data can leave the organization (data leakage) also multiply.

Data leakage can also occur when weaknesses in the organization’s authentication and credentialing processes fail to adequately limit access to data. The IT auditor’s assessment of the controls and vulnerabilities in both areas (authentication/credentialing and the organization’s data loss prevention program) adds a layer of defense against data breaches. Useful evidence here includes a review of privileged and shared accounts against the classification of the data they can reach, and confirmation that data loss prevention rules actually cover the collaboration channels listed above rather than email alone.

Third-party contracts
As organizations partner with vendors for data storage and other needs, ensuring that the vendor can protect the data is paramount. Before an organization can reach a conclusion either way, however, there must be clarity about what data it holds and the level of protection that data requires. During the data privacy audit, the IT auditor can contribute to the success of the organization’s data management partnership by reviewing an inventory of the data and its locations; this is often not information the organization understands well before engaging a third-party provider.

In conclusion, a data privacy audit may appear to be just another instance in which the IT auditor wears the hats of assurance, compliance and consulting. Looking deeper, however, a data privacy audit is an opportunity to contribute to organizational objectives. Organizations will very likely continue to manage costs and efficiency, to balance the adoption of innovative technologies against the risk of data breaches, and to engage third parties for data management. Given that, a conscious effort by the IT audit team to connect its data privacy audit to these objectives will reinforce the value that IT audit brings to the organization.

Editor’s note: For further guidance on this topic, download ISACA’s data privacy audit program.

Robin Lyons, Technical Research Manager, ISACA

[ISACA Now Blog]

Build a Small Business with GEIT and Security in Mind

Despite the prominence of larger companies, the growth of small businesses and entrepreneurs is also critical to a society’s development. Entrepreneurship drives the creation of new businesses, provides solutions for market niches, fosters innovation and generates jobs. The entrepreneurial activities of today can shape the Fortune 500 of tomorrow.

Small businesses and start-ups are the starting point for many who seek to navigate the complexities of modern enterprise. One thing that is easily overlooked at the beginning is the implication of IT governance and security for the enterprise’s future health. Regardless of sector, both play important roles in continued success. Below are some standard considerations for each.

General security perspectives needing consideration:

  • What industry/market sector is being entered? It helps to understand the product/service to be developed.
  • What are the sector’s regulations? It is critical to understand compliance and mandatory obligations.
  • What are the risks? Understanding existing constraints and future possibilities provides essential context.
  • What are the overall strategy and the security strategy? Understand and define the risk appetite at the start.

General IT perspectives needing consideration:

  • What existing technologies can we leverage now? Cloud, a small in-house data center and outsourcing are all options.
  • What type of information is needed from customers? Basic contact information for mailing lists, personally identifiable information (PII) and/or payment information may be required, and each carries its own protection obligations.
  • How can IT work with and support the business plan/strategy? Ensure the correct investment is made based on business requirements.
  • How does IT grow with the business? Explore digital avenues that can enhance the customer experience and increase the customer base.

There is a certain excitement for an entrepreneur entering the market: the joy of unknown prospects and the hope of building a satisfied, stable customer base. However, cash flow can be a major challenge, so many things are overlooked in order to get the business off the ground. Doing so can lead to problems down the road, such as regulatory fines, data breaches and compliance failures, to name a few.

The alignment of the entrepreneurial vision, security and IT provides a strong foundation on which to build the enterprise. GEIT (governance of enterprise IT) principles can help even the smallest enterprise, since they can be tailored as the business expands and provide the checks and balances needed to mitigate risk. A little time at the start pays off in the long run when facing the digital disruption roller coaster of the future.

Ammett Williams CCIE, CGEIT, Telecommunication Team Leader – First Citizens, TT

[ISACA Now Blog]

Continuing the Conversation: More Secure Cloud

Recently, the (ISC)² ThinkTank tackled the cloud. The webinar, “Security Practices for a More Secure Cloud,” featured panelists Kurt Hagerman, CISO of Armor, Raj Goel, CTO of Brainlink, and Keith Young, Info Security Officer of Montgomery County.

Thank you to our panelists for sharing their expertise – let’s continue the conversation, shall we?

Since the cloud is becoming a hot commodity these days, how can a cloud provider assure would-be customers that data is 100% secured day in and day out? I guess there can never be a guarantee. In line with this, how can a cloud provider show that all measures are taken to keep data secure?

Kurt Hagerman, CISO, Armor Defense:

No cloud provider can guarantee 100% security of your data. They can only provide assurance to the extent of the security controls they manage and, even then, only to the extent the tools they use are able to detect or prevent malicious activity. Remember that there is no such thing as “perfect security,” so there is no way to be 100% assured that your data is secure. The best assurance you can get from your cloud vendor would be their annual audit attestations, such as their PCI Attestation of Compliance or SSAE 16 SOC 2 Type II report.

A key point in today’s discussion was education. Can you identify where to get training to understand the cloud and security-related items that need to be addressed?

Keith Young, Info Security Officer, Montgomery County, MD:

There are several well-known cloud security training and certification programs available. Below is a list of some of the more popular programs available. Note that I do not endorse or recommend any specific program:

In addition, technical training programs for specific vendor clouds (Amazon, Google, Microsoft, etc.) are available from the vendors and third parties.

How does privacy fit into this shared responsibility? Almost all things are governed by the contract itself, but privacy has a lot of regulations around it. How do you deal with a situation where the contract contradicts a regulatory requirement?

Raj Goel, CTO, Brainlink:

In almost all cases, safeguarding customer/client data is the responsibility of the entity the consumer does business with – e.g., you or your firm, and not the backend cloud providers.

I would read the appropriate privacy rules & regs, review the cloud vendor EULAs, TOS, contracts and their history. Some vendors have great sounding policies, but in practice have a poor security track record, whereas others are quite competent at it.

Most importantly, I would ensure that my team, staff, developers, etc. are using approved, secure practices. A cloud vendor’s agreements are worthless if your developers leave their databases unsecured (see Mexican voters leak, GOP voter database leak, MongoDB defaults) or if your developers leave their private keys in the code, in configuration files or on GitHub.

At least in the US, regulators hold the data custodian (e.g. you or your firm) and not their backend providers liable for data breaches. And as history has shown, a majority of the time (somewhere between 80-99%), the breach occurs due to internal insecure practices, organizational inertia or bad design.

This is NOT to suggest that cloud vendors are off the hook – I would be leery of jumping on the latest fad, or trusting new, young startups with my most sensitive data. I prefer to work with established vendors who have worked with larger companies, have teams of information security professionals and lawyers who are well versed in compliance.
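The leakage Raj Goel describes above (private keys and credentials left in source code, configuration files or a public repository) is something a team can check for mechanically before code is pushed. The scanner below is an added example written for this page; it is not code from the panel, from Brainlink or from any other panelist's organization. Its rule patterns, placeholder list and the sample file tree are constructed for illustration, and the `AKIA...` value is the placeholder access key used in AWS documentation rather than a real credential.

```python
import re
from typing import Dict, List, Tuple

# Rule set for this added example: (rule name, compiled pattern). The patterns
# are illustrative and assumed for the example; they are not a complete or
# vendor-endorsed list of secret formats.
RULES = [
    # PEM private key header, with or without an algorithm qualifier.
    ("pem_private_key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
    # AWS access key ID: literal AKIA prefix followed by 16 upper-case alphanumerics.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A credential-like name assigned a quoted literal of at least 8 characters.
    ("hardcoded_credential",
     re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"](?P<value>[^'"]{8,})['"]""")),
]

# A line that reads the value from the environment is the fix, not the problem.
ENV_REFERENCE = re.compile(r"os\.environ|getenv\(|\$\{[A-Z0-9_]+\}")

# Template files are expected to contain example values.
IGNORED_SUFFIXES = (".example", ".sample", ".template")

# Values that are obviously placeholders rather than live secrets.
PLACEHOLDER_VALUES = {"changeme", "your_password_here", "xxxxxxxx", "<redacted>"}

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def _is_placeholder(value: str) -> bool:
    """True for documented dummy values and runs of x/* used as masks."""
    v = value.strip().lower()
    return v in PLACEHOLDER_VALUES or set(v) <= {"x", "*"}


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return (path, line, rule) for each hit."""
    findings: List[Finding] = []
    if path.endswith(IGNORED_SUFFIXES):
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_REFERENCE.search(line):
            continue
        for name, pattern in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.groupdict().get("value")
            if value is not None and _is_placeholder(value):
                continue
            findings.append((path, lineno, name))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} tree; a real pre-commit hook
    would walk the files staged in the commit instead."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings)


# Constructed sample tree for the example (not real files or real secrets).
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAsampleBodyNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "config/settings.py.example": 'DB_PASSWORD = "changeme"\n',
    "README.md": 'Set PASSWORD = "your_password_here" before first run.\n',
}

if __name__ == "__main__":
    for path, lineno, rule in scan_tree(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run against the sample tree it reports three findings: the committed `.env` with an access key, the hardcoded database password in `config/settings.py`, and the private key under `deploy/`. The `.example` template and the README placeholder are skipped, and the line that pulls `SMTP_PASSWORD` from the environment is treated as the correct pattern. Pattern lists like this drift out of date quickly, so a real deployment should run a maintained secret scanner and keep a check like this only as a fast local gate.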

For more on cloud security, register for (ISC)² Security Congress in Austin, Texas this September. Cloud Security is one of 11 tracks at the annual conference.

[(ISC)² Blog]
