October 2009
Data on the Move
Internal auditors should look closely at the controls their organization uses to safeguard personally identifiable information.
Christine Chaney, CISM
Director, Ethics and Compliance Program
Continental Airlines
Regulations over personally identifiable information (PII), such as credit card numbers, financial account numbers, Social Security numbers, and other government-issued IDs, are on the rise. Payment Card Industry standard reviews, penetration attack reviews, and U.S. Sarbanes-Oxley Act of 2002 audits of IT controls are designed to attest to the competency of IT controls over access, storage, and transmission of data. IT security policies and controls are needed to protect data and avoid a major security breach.
The lesson learned from the Heartland security breach in January, which exposed the PII of more than 100 million credit card customers, is that management cannot rely wholly on the results of third-party assessments performed to comply with government or industry regulations. To help secure PII, organizations need valuable assessments by internal auditors who understand regulations, security requirements, and good mitigating controls.
WHERE TO BEGIN?
Employee access, including remote access, to PII has increased the responsibility to safeguard that information. IT audits typically focus on ensuring system access is limited to only those with a legitimate need to know, but the real danger is how legitimate users access and manage PII.
The first step in securing PII is to create company classification definitions that cover the data elements subject to regulation as well as confidential company information. Each classification definition should include appropriate security restrictions and consider the data's place in its life cycle. Because organizations acquire massive amounts of data every day, the task of classifying each piece of information is generally the responsibility of the business owners of that information. One approach is to have three simple classifications:
Although some organizations may require more classification types for their business, maintaining too many types can be confusing. In organizations with many classification types, all business owners involved must be trained for a consistent approach. Keeping classifications simple and clearly defined can help avoid any confusion and misclassification.
Data acquisition, storage, use, sharing, and disposal are critical stages in the data life cycle that should be considered when assigning security controls (see “Applying Controls at Each Life Cycle Stage”). Internal auditing must agree from the outset on the types of security controls to be applied to each classification type according to its place in the life cycle. Security comprises the combination of controls used to protect data, such as security software, user IDs and passwords, biometrics, encryption, and anti-virus software. Auditors should ensure those controls are in place and include procedures in their audit programs to catch data that may not have been included in the classification project.
USING THE LIFE CYCLE MODEL
Securing restricted and confidential data can be challenging. A simple, but expensive, systemic solution is to use monitoring tools that flag data with certain characteristics and apply predetermined security controls. An alternative is to create a committee of key business unit and IT managers, train its members, and task them with spreading the message to their units and applying classification techniques. Because change requests usually come from business units, each business owner of data must know the implications of adding and sharing restricted and confidential data, as well as the security requirements. If PII cannot be secured according to policy, compensating and mitigating controls should be identified and discussed with internal auditing before implementation.
The IT function and internal auditing must also consider end-user security. Commonly used portable devices extend the risk of lost data that could result in a PII breach to every user with access to restricted data. It is important to know the regulations over PII, apply the appropriate classification and security, educate employees, and empower work flexibility securely.
A variety of controls can be implemented to secure PII. The most commonly used, and recommended by state regulations and industry requirements, is encryption for data on the move and at rest. The types of controls auditors recommend should consider the type of PII stored, which may be state regulated, and the combination of other PII data types, which may not be regulated. The controls should be commensurate with the type of business and the amount of access to PII.
A mobile workforce means data on the move, both inside and outside the organization. Auditors should ensure that everyone who can move data knows the organization’s policies and understands what high-risk data is, what security it needs, and where to go to ask questions.
To comment on this article, e-mail the author at christine.chaney@theiia.org.