October 2011


People tend to share too much information in the social media era, but auditors can help their organization make sure they aren’t sharing any sensitive business information.

Rick Roybal, CISA
Internal Audit Manager
The Bass Companies

The online magazine Network World recently posted a quiz on data breaches. After I took the quiz and did modestly well, it got me thinking. When it comes to your personal information and your organization’s data (sensitive or public) being compromised, do you blame hackers, your vendors’ carelessness, technology, or your IT department?

Don’t answer that question just yet. The June 2011 Perceptions of Network Security study (PDF) conducted by the Ponemon Institute LLC and sponsored by Juniper Networks polled 583 IT practitioners in the United States, UK, France, and Germany on what they thought of “the current threat landscape and what are the most effective strategies to keep networks secure.” There were some interesting findings:

  • “Organizations are experiencing multiple breaches. More than half of respondents (59 percent) say they have had two or more breaches in the past 12 months and 10 percent do not know [whether they have had a breach]. Ninety percent of organizations in our study have had at least one breach.”
  • “As a result of these multiple breaches, more than one-third (34 percent) of respondents say they have low confidence in the ability of their organization’s IT infrastructure to prevent a network security breach.”
  • “Insufficient budgets are an issue for many organizations in our study. Fifty-two percent of respondents say 10 percent or less of their IT budget is dedicated to security alone.”

When the respondents were asked where the attacks were coming from, 40 percent answered that they didn’t know. Of the attacks in which the source could be traced, 52 percent were due to insider abuse.

You can try to blame technology or the help desk employee who accidentally provisioned you with admin access, but I place the blame squarely on you and me — the users. It doesn’t take a genius to figure out that in our society people share too much information with the world. You’ve heard the term “TMI” (too much information) before, right? Whenever a person shares too much personal information about himself or herself, you may gasp or even blush — because of the information’s sensitivity — and say, “TMI.”

Okay, admit it: You might share your favorite night-on-the-town story with a stranger on the bus, and you are aghast when someone tells you what happened after a long night of imbibing cocktails and gorging on Indian food. But when it comes to sensitive and personal electronic information, the question is, why don’t we heed our own advice? Take, for instance, social media sites such as Facebook or LinkedIn: How much of ourselves do we share on these sites? “I’m in a relationship, I work for JPMorgan Chase, I’m a Republican, I love The Beatles, I vacationed in Florida last year, I live at 505 Main Street.” And if that’s not enough, what about Facebook’s newest metamorphosis, Timeline? Mark Zuckerberg’s latest will feature “You” from beginning to the present, all your tidbits of personal information: where you went to elementary school, when you first learned to swim, your first girlfriend, the touchdown you scored in 1982. The information is out there, and it’s all courtesy of you.

What about financial data we “share” with online sites? Consider how many times you have clicked “Save my credit card” on vendor sites such as Amazon, iTunes, or Barnes & Noble. What about online banking, your broker, or your credit card company? Companies with an online presence have come a long way during the past decade in providing secure transactional services and data storage. Still, when it comes to populating these companies with such data, the blame falls on us.

Finally, consider how people store personal data on their organization’s desktops, laptops, and servers. We spend most of our day at work, so we naturally transact a great deal of our personal life’s dealings while on the clock. For example, when the Dow Jones Index is down 300 points, people check their stock portfolios on Merrill Lynch, E*Trade, and Scottrade. They just can’t keep up with those ever-changing, alphanumeric passwords. So, what do they do? They save the passwords in what they think is an innocuous file called PWDS.doc. At first, they save the file on their local hard drive, but then they think, “If I save it on my company’s shared drive, it’ll get backed up, and I’ll never lose it.” So, they copy and paste, and voilà, PWDS.doc, with all their pertinent data, is now sitting on a shared drive that is also accessed by the rest of accounts payable and the mailroom personnel. Their data is ripe for compromise.

Internal auditors who are reading these examples may be telling themselves, “That’s not me. I’m savvy. I don’t keep data like that out there.” But what about Joe the CEO, Susan in payables, or Mike in the mailroom? How do auditors get them to be smarter about what kind of data they place in public, semi-private, or even seemingly private locations?

For More Information

Computer Economics
Understanding and Implementing Data Classification
April 2006

Privacy Rights Clearinghouse
Database of Data Breaches

A great starting point for organizations is to define the data that actually resides or could potentially reside on servers, local hard drives, and other assets. The process of data classification is no simple feat. Executive management must drive the process, while operations and IT must work together to define it — that is the tricky part. But organizations can start by asking:

  • What kind of data does the organization create, receive, and maintain?
  • Are there various sensitivity levels to the data?
  • Where is data stored?
  • How is it used?
  • Who has access to data?
  • Is data ever moved?
  • How is it moved?
  • Who can move it?
  • Can data be modified?
  • Is data ever deleted?
  • Who can delete it?
  • How long is data stored?
  • Is the organization liable for losing information?
  • Does the organization allow employees to store personal data on its systems?
  • Are there any policies addressing any of these issues?

There are many questions because there are many risks. Once management defines the data and begins addressing these questions, the organization must begin the process of training employees on data classification. This time, take the questions and turn them into policy statements and enterprisewide practices.

Don’t balk at this either. Organizations must have these policies and processes in place. They can no longer sit around and hope employees don’t share sensitive data. This is the Facebook era — people love to share data. See, even I do it — I’m going to share this article with my friends on Twitter (@lilronwash) and Facebook.

To comment on this article, email the author at rick.roybal@theiia.org.
