Gone in a Flash
A misplaced USB drive prompts internal auditing to rethink its coverage of security risks.
Edited by Timothy R. Holmes
Mike is the chief audit executive of a health-care provider located in the western United States. His company has grown during the past several years, with total assets and revenues now approaching US $1.5 billion and US $1.8 billion, respectively. The organization employs nearly 14,000 people and offers a wide range of health services through its integrated system of hospitals, skilled nursing facilities, medical centers, and other specialized facilities.
Recently, one of Mike’s senior auditors, Eyleen, stopped by his office to discuss a potential risk to the company. While waiting in line at the company cafeteria that day, she had overheard two information technology (IT) system analysts say that one of the company’s employees recently lost a USB flash drive — a removable media device that plugs into a computer’s USB port. The employee was desperately searching for the missing device, as it contained significant quantities of confidential company and patient information.
Because removable media devices have become one of the most popular and widely available types of storage tools, Eyleen wondered if the internal audit department should be specifically addressing risks related to these devices in its audit planning and routine programs. Based on a recent conversation he had with the chief information officer (CIO) about business risks, Mike knows that removable media are, at a minimum, addressed in the company’s security policy. He thanked Eyleen for bringing this concern to his attention and agreed that the audit department should examine removable media risks.
What is the best way for the audit department to approach this important project, and what issues does the company need to consider? How should risks associated with portable storage devices be addressed routinely in operational audits?