December 2013

Data Under Siege

Auditors can play consulting and assurance roles in mitigating the risk of information leakage.

Nikolaos P. Dounis

It’s getting harder and harder to keep information under control. Searching the Web for “data leakage” yields more than 6.7 million results. Just this year, a Chinese firm was accused of illegally buying and selling 150 million customer records, while a leak of documents in Canada revealed investment information for more than 100,000 individuals worldwide. Such incidents are increasing, according to the Open Security Foundation’s DataLoss Database, with 57 percent coming from outside the organization versus 36 percent from inside.

Effective information management and security remain important for every business. Organizations need to protect the data they store, in electronic or other formats, and manage the risks of data leakage, information loss, and noncompliance with data-related regulations. Internal audit can advise the organization on building a data security framework and provide assurance about the efficiency and effectiveness of its control activities.

Every day, significant amounts of information fuel business processes that involve parties both inside and outside an organization’s network boundaries. This data travels in many forms, including email, word processing documents, spreadsheets, database files, and paper documents. Over the years, technology has transformed information from a structured, paper-based form that was comparatively easy to protect into an unstructured, digital form spread across email, mobile devices, and social media.

The key business risks derive from the unstructured nature of the data. These risks include ineffective and inefficient data management, inappropriate data maintenance and storage methods, data duplication, poor information understanding and communication, inappropriate retention schedules and security measures, unauthorized access to sensitive information, and data loss.

As the volume and velocity of data increase, the potential risks and exposures for organizations also rise. That is why organizations need to establish a data security framework to manage and mitigate those risks. The basis of this framework is establishing and communicating a solid set of policies and procedures, including:

  • A code of conduct.
  • An information security policy, comprising electronic communications standards and the use of email, Internet and intranet, personal mobile devices, social media, and company computing assets.
  • A data protection policy.
  • An external communication policy.
  • A physical security policy.
  • A documents/records policy with retention schedules.

At this stage, internal auditors should consult on the creation, updating, and communication of these enterprisewide policies and procedures. During the setup and update phases, auditors can review draft policies and procedures to ensure they include the steps necessary to mitigate key data risks.

Success factors for establishing policies and procedures are employee communication, awareness, and training. In many cases, data loss results from internal activity and careless behavior by employees. The insider threat is not only the rogue employee; it also arises because every employee and device creates and stores information. For example, employees become an insider threat when they discuss confidential project plans loudly on the phone at an airport or lose a laptop containing company information. Such actions can usually be attributed to a lack of awareness and diligence.

Organizations can change these behaviors through a comprehensive corporate awareness and training program that embraces different cultures and business practices, and focuses on education and accountability. Program objectives are:

  • Fostering a security-aware culture.
  • Providing data security tools and education to employees.
  • Communicating and enforcing sensible security policies.
  • Providing clear leadership through executive commitment and visibility.
  • Proactively setting security expectations.

Internal auditors can consult on the preparation of the training program, help coordinate the different functions that create the contents, and verify participation in the program by administering follow-up surveys or tests to employees.

Another key role for internal auditors is providing assurance that risk and control processes are operating effectively. To begin, auditors should verify that the risk management process has identified, assessed, and updated the relevant risks and that mitigating actions were documented during the process. They should update their audit plan and audit programs to include all necessary steps and actions for testing the effectiveness of the controls addressing information and data security risks. Key areas for testing IT general controls include:

  • Development and maintenance of applications.
  • Physical and logical security controls.
  • Database management.
  • Access controls, including printer password management.
  • Mobile devices.
  • Disposal of information systems equipment.

Auditors also should perform clean desk reviews and walkthroughs of file and printer rooms to check whether confidential data is left unsecured, as well as whether shredders and waste management practices are in place.

Another area to review is whether the organization has an updated document and record management policy. Document retention schedules should be complete, accurate, and comply with regulatory frameworks. Auditors should test a sample of documents to verify that they are filed according to the retention schedule and ensure all record types are archived in line with legal requirements, retention period, record storage format, storage requirements, and disposal method.

Auditors should verify that information is classified appropriately, so that security measures proportionate to its sensitivity are applied and the risk of trade secrets being stolen through industrial espionage is reduced. They should also periodically perform a key and access review for the file and server rooms.

Moreover, auditors should verify that the organization updates the content of its training programs to address new exposure areas such as social media and mobile devices. These programs should include requirements for securely disposing of confidential waste material (e.g., documents and hard drives). Additionally, auditors should verify that all new employees receive training in which the code of conduct and information security policy are explained, and that all existing employees are aware of both documents.

Preventing data leakage and managing information security risks are businesswide challenges. Although there is no one right way to protect data, organizations that effectively address the risks and communicate them to employees are better positioned to create and enforce sustainable security strategies. By providing consulting and assurance, internal auditors can address their organization’s data risks and assure that controls are in place and working effectively.

Nikolaos P. Dounis, PhD, CIA, CRMA, is internal control and compliance manager at Imperial Tobacco Hellas S.A. in Athens, Greece.
