Have You Conducted a Data Protection Audit Lately?

Annual reviews of data access and controls can help prevent costly breaches.

Raj Chaudhary, PE, CGEIT, CRISC 
Principal 
Crowe Horwath LLP

Mike Del Giudice, CISSP, CRISC
Crowe Horwath LLP

On April 2, 2011, millions of customers’ names and email addresses were subject to exposure in a data breach involving major banks, retailers, and other companies that outsourced online marketing campaigns to Epsilon, a consulting firm based in Irving, Texas. The Privacy Rights Clearinghouse called the incident “the largest security breach ever.”    

A few weeks later, on April 27, Sony announced that hackers had broken into the company’s popular PlayStation online gaming network. Some reports claim the breach exposed personal data, including up to 12 million unencrypted credit card numbers belonging to more than 100 million users. More recently, Citigroup revealed that an unauthorized user gained access to its credit card system in May and viewed personally identifiable information from some 200,000 accounts.

Data privacy is making headlines — for all the wrong reasons. Data privacy breaches are becoming weekly, if not daily, events, as hackers become more sophisticated in their efforts to penetrate the defenses that organizations mount to protect consumer information. At the same time, federal and state governments are beginning to impose costly penalties when businesses fail to take adequate steps to protect consumer data:

 
  • On Feb. 22, 2011, the Office for Civil Rights of the U.S. Department of Health and Human Services issued the first civil money penalty imposed for violations of the Health Insurance Portability and Accountability Act’s Privacy Rule. The fine totaled US $4.3 million. 
  • On March 28, 2011, a major Boston restaurant group agreed to pay US $110,000 to the Commonwealth of Massachusetts to resolve allegations that the company failed to take reasonable steps to protect its patrons’ personal information in a data breach involving payment card information. This was the first fine imposed under what many people consider to be one of the strictest state data privacy laws in the country.
 

These examples raise the question: How is your organization protecting its sensitive information?

 
PROTECTING SENSITIVE INFORMATION

A comprehensive data privacy program addresses numerous principles. The American Institute of Certified Public Accountants (AICPA) has developed a generally accepted accounting principles (GAAP) framework, which includes guidelines on consent, use, disclosure, individual rights, accountability, data protection, and collection. However, when reviewing the landscape of breaches and fines, data protection appears to be the most challenging principle for organizations to effectively manage.   

A data protection audit is something separate and apart from the annual financial statement audit. It is a process that examines how an organization uses and safeguards sensitive information, ranging from a company’s proprietary intellectual capital to its customers’ Social Security numbers.  

Typically, a data protection audit comprises three steps:

 

1. Identification. The first step is to understand the types of data an organization maintains and where that data resides. Internal auditors may already be conducting activities such as data mapping, risk assessments, and records management inventories to understand what data an organization maintains. Auditors may need to conduct interviews to determine whether data inventories are comprehensive and accurate and whether particular types of information assets, such as electronic files and reports, disks, and paper repositories, are represented accurately in the inventories. 

If there are no data inventories, auditors will need to conduct a baseline risk assessment to establish a starting point for the data audit. Sampling key departments and mapping their data or performing an organizationwide survey often proves helpful with the later phases of the audit.
 
There are two approaches to identifying data. One is to use automated software tools that comb through logical data repositories to find relevant data. The other approach is to discuss data usage and storage with key stakeholders. While tools provide an efficient approach, they also increase the likelihood of false positives, as they may not be able to “see” some data — such as encrypted repositories or physical documentation — and do not allow an understanding of how the organization uses data. Most organizations use a combination of the two approaches to improve the accuracy of the data inventory and to obtain a comprehensive understanding of how personnel are accessing and using data.


2. Classification. Focusing on information assets that pose the greatest risk to the organization’s ability to protect data will help focus critical resources. Data classification programs allow companies to set stringent standards of control for data whose breach would pose the greatest risk. If such a program has been established, consider whether it has been fully implemented and used to maximum effect. Do employees understand the standards? Do policies and procedures refer to special protections for data of an elevated risk level?

Once all the data has been identified and classified, including an understanding of how data is being used, the organization should assess the necessity of that data. Data minimization is the process of eliminating data that is not necessary. This could result in the consolidation of databases, or it could simply lead to the removal of unnecessary sensitive data, such as Social Security numbers, collected on standard forms. 
 

3. Protection. Once auditors understand the scope and relative risk levels of the data the organization is responsible for safeguarding, they must determine if the policies and procedures in place are appropriate.  

Typically, mainstream technologies that store or access data, such as software applications, servers, and databases, have protection policies set by the IT department. However, to protect sensitive data, organizations must consider controls for all technologies and repositories, including paper copies and mobile devices. Auditors should review all repositories where sensitive data resides, as well as technologies that can access that data.
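The automated identification approach from step 1 can be sketched as follows. This is an added example, not a tool the authors describe: the patterns, the `scan` function, and the sample records are assumptions constructed for illustration. It shows pattern matches that validation rejects as false positives, and an encoded copy of the same data that the scanner never sees.

```python
import base64
import re

# Candidate patterns: formatted U.S. SSNs and 13-16 digit card-like numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject values never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(records):
    """Return (record_id, kind, status) for every pattern match."""
    findings = []
    for rec_id, text in records.items():
        for m in SSN_RE.finditer(text):
            ok = ssn_plausible(*m.groups())
            findings.append((rec_id, "ssn", "likely" if ok else "false positive"))
        for m in CARD_RE.finditer(text):
            ok = luhn_ok(re.sub(r"\D", "", m.group()))
            findings.append((rec_id, "card", "likely" if ok else "false positive"))
    return findings


# Constructed sample records (well-known test values, not real data).
CARD = "4111 1111 1111 1111"
RECORDS = {
    "crm_export.csv": "Jane Roe,078-05-1120," + CARD,
    "orders.log": "order 1234567890123456 shipped; ref 000-12-3456",
    # Encoded copy of the same card number: no pattern matches it.
    "backup.b64": base64.b64encode(CARD.encode()).decode(),
}

if __name__ == "__main__":
    for finding in scan(RECORDS):
        print(finding)
```

The record `backup.b64` produces no findings even though it holds the same card number, which is why tool output is usually combined with stakeholder interviews.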

 

When examining the internal controls protecting sensitive data, it is important to understand the data life cycle because different stages may require different types of controls:

  • Data at rest refers to data storage, whether in file cabinets or on a server.
  • Data in motion refers to data transfer, which is primarily used when data is being exchanged electronically, but also when physical files are moved.
  • Data presentation, also known as data in use, refers to data that is being used or accessed, including such outcomes as being displayed on a monitor.
  • Data destruction refers to steps organizations take when they no longer need access to certain data. Controls over shredding paper files, overwriting hard drives, and other tasks come into play.
 

Often, organizations view data protection as an IT function, when they should regard it as an enterprisewide responsibility. Senior management must set the tone at the top so that all staff members understand that data protection is part of everyone’s job, not just the people who run the technological infrastructure.  

In short, the basic structure of data protection can be thought of as the “Four As”:  

  • Authentication – Who is requesting access to data?    
  • Authorization – Do those individuals have permission to access the data?   
  • Audit – How is access to data monitored?   
  • Administration – How is data governance communicated throughout the organization?
 
DATA PROTECTION CHALLENGES

Data protection is a continuous process. An annual data protection audit can help organizations identify and mitigate potential weaknesses before they become major problems, but new threats present themselves without regard to calendar or clock.    

Some key issues that companies should consider as they implement and refine a year-round program to safeguard the data entrusted to them include:

 

Paper documentation – With all the attention given to electronic devices, it is important not to overlook the security risks associated with traditional physical records. Something as simple as having a “clean desk” policy — requiring employees to put all documents away before leaving the office — can help companies reduce the chance of data breaches.  

Mobile devices – As smartphones, tablets, and other portable devices proliferate, so do the risks of data breaches. Organizations need to address emerging technologies in their data protection policies and audits.   

Social media – Like mobile devices, social media is likely present in the workplace. Someone may post a comment on the Internet about seeing a well-known investor in the company hallway, but even an innocent remark could trigger rumors about a corporate takeover. Organizations need to consider how their employees’ use of social media could affect data privacy.   

Third parties – Sharing sensitive information with third parties expands the circle of risk beyond an organization’s walls. Managing this risk is not easy and requires vigilance by all parties involved.  

Breach notification – Alerting the public and regulatory authorities to data breaches is another challenge for organizations, which must balance researching what happened with the timeliness of their notification to impacted individuals. Companies need to have clearly defined procedures in place and rehearse their response so that everyone knows what to do when a breach occurs.

Conducting an annual data protection audit can help organizations not only manage these and other unanticipated challenges but also adapt to new privacy requirements as the regulatory environment continues to evolve.  

 

Raj Chaudhary is a principal with Crowe Horwath LLP in the Chicago office.  

Mike Del Giudice is with Crowe Horwath LLP in the Oak Brook, Ill., office.
