//
you're reading...
Information Security, IT & TECHNOLOGY

Auditing Data Privacy Can Bring Major Value to Organizations


As new technologies facilitate innovative uses of data, the corporations, governments and nonprofits using these technologies assume responsibility for ensuring appropriate safeguards over the collection, storage and purging of the data.

Highly publicized data breaches have heightened corporations’ concerns around their abilities to successfully meet this task. The concern is well-founded as the consequences of a data breach extend beyond reputational loss to include regulatory consequences as well as the possibility of class action legal action.

In this landscape, an audit of data privacy is a prime assessment for IT auditors to showcase the value that they bring to their organizations. This opportunity stems from data privacy relating to all areas for which organizations rely on IT auditors for expertise: providing assurance over information systems, ensuring that compliance expectations are met, and consulting on changing and emerging technologies.

In performing an audit of data privacy, inclusion of the following areas in the IT audit program are beneficial:

Data governance and classification
The primary objective of this portion of the audit is to confirm that the organization has identified and classified its data. The IT auditor’s assessment of data classification assures the organization that controls are commensurate with the sensitivity of the data. If the control requires significant resources (either in time or expense), the results of this assessment could allow management to make informed decisions on where to reduce costs or gain efficiency. Similarly, efficiency gains can be made when roles and responsibilities for the people involved in the organization’s management of Data Governance for Privacy, Confidentiality, and Compliance (DGPC) for the enterprise have been clearly defined. Well-defined roles mitigate the potential that responsibilities are duplicated, resulting in inefficiency.

Data security
Two of the essential areas addressed under data security are data loss prevention and authentication/credentialing. Concerns with data security often arise from those new technologies that fuel innovation discussed earlier. For example, as an organization explores and implements tools that enhance communication and collaboration (think instant messaging, removable media and, yes, email), data sharing by those who should have access to the data is enhanced. On the other side, the intentional or unintentional ways that the data can leave the organization (data leakage) also have increased.

Data leakage also can occur if weaknesses in the organization’s authentication and credentialing processes do not adequately limit access to data. However, the IT auditor’s assessment of the controls and vulnerabilities in both these areas (authentication/credentialing and the organization’s data loss prevention program) add a layer of defense to avert data breaches.

Third-party contracts
As organizations partner with vendors for data storage and other needs, it is true that ensuring the vendor’s ability to protect the data is paramount. But, before organizations can conclude one way or the other in that regard, there must be clarity around what data the organization has and the level of protection that is required for the data. During its data privacy audit, the IT auditor can contribute to the success of the organization’s data management partnership by reviewing an inventory of data and the data’s location: this may not be information that the organization has a solid understanding of prior to engaging a third-party provider.

In conclusion, a data privacy audit may appear to be just another instance where the IT auditor wears the hats of assurance, compliance and consulting. Looking deeper, however, a data privacy audit presents an opportunity to contribute to achieving organizational objectives. The likelihood is strong that organizations will continue to look to manage costs and efficiency, to balance implementation of innovative technologies with mitigating the risk of data breaches, and to engage the services of third parties for data management. Given that, a conscious effort by the IT audit team to connect its data privacy audit to these organizational objectives will reinforce the value that IT audit brings to the organization.

Editor’s note: For further guidance on this topic, download ISACA’s data privacy audit program.

Robin Lyons, Technical Research Manager, ISACA

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 119,161 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,247 other followers

Twitter Updates

Archives

July 2017
M T W T F S S
« Jun   Aug »
 12
3456789
10111213141516
17181920212223
24252627282930
31  
%d bloggers like this: