As new technologies facilitate innovative uses of data, the corporations, governments and nonprofits using these technologies assume responsibility for ensuring appropriate safeguards over the collection, storage and purging of the data.
Highly publicized data breaches have heightened corporations’ concerns around their abilities to successfully meet this task. The concern is well-founded as the consequences of a data breach extend beyond reputational loss to include regulatory consequences as well as the possibility of class action legal action.
In this landscape, an audit of data privacy is a prime assessment for IT auditors to showcase the value that they bring to their organizations. This opportunity stems from data privacy relating to all areas for which organizations rely on IT auditors for expertise: providing assurance over information systems, ensuring that compliance expectations are met, and consulting on changing and emerging technologies.
IT Audit Program Requirements
In performing an audit of data privacy, inclusion of the following areas in the IT audit program are beneficial:
Data governance and classification
The primary objective of this portion of the audit is to confirm that the organization has identified and classified its data. The IT auditor’s assessment of data classification assures the organization that controls are commensurate with the sensitivity of the data. If the control requires significant resources (either in time or expense), the results of this assessment could allow management to make informed decisions on where to reduce costs or gain efficiency. Similarly, efficiency gains can be made when roles and responsibilities for the people involved in the organization’s management of Data Governance for Privacy, Confidentiality, and Compliance (DGPC) for the enterprise have been clearly defined. Well-defined roles mitigate the potential that responsibilities are duplicated, resulting in inefficiency.
Data security
Two of the essential areas addressed under data security are data loss prevention and authentication/credentialing. Concerns with data security often arise from those new technologies that fuel innovation discussed earlier. For example, as an organization explores and implements tools that enhance communication and collaboration (think instant messaging, removable media and, yes, email), data sharing by those who should have access to the data is enhanced. On the other side, the intentional or unintentional ways that the data can leave the organization (data leakage) also have increased.
Data leakage also can occur if weaknesses in the organization’s authentication and credentialing processes do not adequately limit access to data. However, the IT auditor’s assessment of the controls and vulnerabilities in both these areas (authentication/credentialing and the organization’s data loss prevention program) add a layer of defense to avert data breaches.
Third-party contracts
As organizations partner with vendors for data storage and other needs, it is true that ensuring the vendor’s ability to protect the data is paramount. But, before organizations can conclude one way or the other in that regard, there must be clarity around what data the organization has and the level of protection that is required for the data. During its data privacy audit, the IT auditor can contribute to the success of the organization’s data management partnership by reviewing an inventory of data and the data’s location: this may not be information that the organization has a solid understanding of prior to engaging a third-party provider.
The Bottom Line
In conclusion, a data privacy audit may appear to be just another instance where the IT auditor wears the hats of assurance, compliance and consulting. Looking deeper, however, a data privacy audit presents an opportunity to contribute to achieving organizational objectives. The likelihood is strong that organizations will continue to look to manage costs and efficiency, to balance implementation of innovative technologies with mitigating the risk of data breaches, and to engage the services of third parties for data management. Given that, a conscious effort by the IT audit team to connect its data privacy audit to these organizational objectives will reinforce the value that IT audit brings to the organization.
Editor’s note: For further guidance on this topic, download ISACA’s data privacy audit program.
Robin Lyons is technical research manager at ISACA. Read more ISACA blogs here.