Privacy – Our Next Organizational Challenge?
By Dan Swanson
Each month Dan Swanson, a senior security and internal audit professional will provide his list of recommended resources for AuditNet readers. If you have questions about this page or the links, you can reach Dan at www.securitybenchmark.com and dswanson_2008@yahoo.com.
The reality of business operations today includes an increasing
oversight of data privacy and information protection. Although the
protection of sensitive and personal data has always been good business
strategy, implementation has often been tactical and opaquely managed by
IT departments. New laws, rules, and contractual obligations are
changing all of this. Even as information privacy and protection
objectives grow more critical and complex, they are also increasingly
subject to scrutiny by both internal and external auditors.
Especially given the broad scope of sensitive data, companies need to
take a deep and critical look at the many business needs and legal
requirements that impact the ways they collect, use, transmit, and store
various types of information. Companies should always apply due care
based on business needs and legal requirements. In general, four basic
categories of control are involved:
1. What data may be collected and under what conditions
2. How data may be stored, managed, used, and transferred
3. How data must be protected from unauthorized and inappropriate access
4. How companies should interact with the individuals whose data they
control
Why should we care if data protection and privacy efforts are working
well?
It's good business practice! Personal identity theft, IP leakage, bank
fraud, and payment-card data theft are serious concerns with significant
financial ramifications.
To respond to the increasing number and level of threats, companies must
provide concrete assurance of strategic and comprehensive privacy
programs that incorporate managerial, operational, and technical
controls. What many think of as information protection—primarily
technical controls such as account access management, encryption,
secure software development protocols, and antivirus software—is just
one piece of this complex puzzle. Organizations also need to implement
and regularly assess other, generally non-technical controls.
Roles and responsibilities for privacy and data protection must be assigned
Responsibilities for data protection are as pervasive as data itself and
are part of almost every organizational role. The actions and attitudes
of company directors, managers, office workers, contractors, business
partners, and internal auditors all impact privacy and data protection
control objectives.
The commitment to privacy assurance must start at the top. Executive
management in particular must provide constant, consistent leadership on
privacy and data protection principles and demonstrate by example the
necessity of policy compliance. Executive management must also ensure
that business and IT departments have the resources to effectively enact
controls.
Improve Privacy and Data Protection Through Assurance
Although companies often conceptually and procedurally segregate privacy
and information security, the practices are two sides of the same coin
and neither can be effectively evaluated in a vacuum. Privacy objectives
and obligations provide direction, scope, relevance, and priority for
information security controls. Information security provides the
confidentiality, availability, and integrity of sensitive information
that underpins privacy assurance.
Accordingly, privacy audits tend to focus on organizational processes:
how information is used; whether those uses are legal, ethical, and
supportable from the perspective of the company's relationship with its
customers; and how the organization communicates with customers and
other entities about its privacy practices.
Information security assessments also evaluate managerial oversight and
operational practices; however, they tend to be more technically
intensive than privacy audits. Auditors look at automated processes for
user authentication, systems access, technology configuration, and other
security measures within information systems; and management must
support this evaluation with functional tests, evidence of system
performance, and technical documentation.
Key question #1: Has the organization required personnel to confirm
their understanding of privacy policies and procedures before
authorizing access to sensitive information?
Key question #2: Does the organization periodically perform a risk
analysis to determine the potential material impact and harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information and information systems that
support the operations and assets of the organization? The assessment
should include possible impacts on: 1) brand value; 2) stock value and
investor relationships; 3) legal liability and regulatory sanctions; 4)
customer and class action litigation; 5) customer and employee loyalty
and trust; 6) revenue from customers, business partners, and other
relationships. The assessment considers and documents a worst-case
scenario for the compromise, corruption, or misuse of the entire set of
data subject to the assessment.
Be Proactive – Evaluate Privacy and Security Efforts Now
Some resources to assist your efforts are provided below.
Have another great month!
Dan Swanson
______________________________________
Resources Taking Privacy to the Next Level
IT Audit Checklist: Information Security
IT Audit Checklist: Privacy & Data Protection
AICPA-CICA Privacy Framework, Including the AICPA/CICA Trust Services
Health and Human Services (HHS) Centers for Medicare & Medicaid Services
US HIPAA Security Educational Paper Series
US Financial Modernization Act (Gramm-Leach-Bliley)
Payment Card Industry (PCI) Data Security Standard (DSS)
Information Security Forum Standard of Good Practice for Information Security