Risks Galore: Why Keep All That Data?
Hoarding customer and employee information indefinitely comes with a mountain of risks.
A friend was recently put at risk of becoming a victim of identity theft. His former employer had a laptop stolen, which had been left at a restaurant. The laptop contained human resources data on past employees that was not secured. The company contacted previous employees and offered them free subscriptions to an agency that would monitor for potential identity theft. My friend asked the company several times why the former employees’ data remained on a company laptop when some of those individuals had not worked for the organization for several years. The company provided a vague response at the time but later admitted it did not remove the data when that information was no longer needed.
Situations like this involving employee or customer data occur at organizations with alarming regularity. Sometimes there is publicity and sometimes not. But in all cases, the underlying problem is that the organization either did not have a data management policy or its policy was not followed. A good data management policy would limit such exposures and require outdated information to be removed or archived securely with limited access. Moreover, the policy’s data retention rules should specify when archived data must be deleted.
Unfortunately, removing old, unused data on corporate devices — including in-house administrative servers — is not at the top of most organizations’ priority lists, but it should be. Data management has always been, at best, a secondary thought for many organizations. For example, before computers, organizations would just file their paperwork in file cabinets, never to be thrown away. The ever-growing amount of paperwork resulted in the purchase of additional file cabinets.
The same thing still occurs today, except now it is cheaper because the paperwork can be stored electronically and downloaded for analysis. In fact, most organizations will not delete old data from portable devices until they run out of disk space. Additionally, even if an appropriate archival policy exists, organizations usually lack a data retention provision for deleting information later. Therefore, these organizations could be susceptible to court requests for information that would necessitate expending resources to review all old archived data — an often costly and labor-intensive process.
In the end, simple actions can limit the exposure. First, executive management needs to be made aware of data management risks and the need for a policy. Internal audit is positioned within an organization’s governance structure to identify the risk exposure and most importantly, proactively raise awareness. Second, the organization must assign its legal and technology functions responsibility for creating a data management policy and overseeing its implementation. Throughout the process, internal auditors can assist by being a proactive consultant and performing a post-implementation review to ensure the policy was carried out successfully upon implementation and to monitor the routine continuation of the policy. Also, auditors can identify any remaining gaps.
The auditor can perform activities before and after implementation to provide assurance and add value. Examples of activities the auditor could assist with during the pre-implementation phase include:
A post-implementation review should occur after six months, once monitoring and oversight activities have become established. Some questions the auditor could ask during post-implementation assurance activities include:
Based on responses to these questions, auditors can perform assurance testing, such as validating whether data was truly removed during the implementation phase and that continued removal is occurring based on periodic reviews. Some organizations may establish systems to automate the removal process, which auditors can review to validate appropriate configuration set-up.
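As an added illustration (not part of the original article), the assurance test described above can be expressed as a small script: given a retention rule and a record inventory taken before and after the clean-up, it reports which records were past their retention deadline and which of those still remain. The retention periods, record categories and inventory below are constructed assumptions for the example, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention rule (not from the article): days a record may be kept after it
# was last needed, by category. A real policy would define these periods.
RETENTION_DAYS = {"former_employee": 3 * 365, "former_customer": 2 * 365}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_needed: date  # e.g. separation date for an employee, relationship end for a customer


def retention_deadline(record, retention_days=RETENTION_DAYS):
    """Date by which the record must have been deleted or moved to secured archive."""
    return record.last_needed + timedelta(days=retention_days[record.category])


def overdue_records(inventory, as_of, retention_days=RETENTION_DAYS):
    """Record ids still present that are past their retention deadline on the given date."""
    return sorted(r.record_id for r in inventory
                  if retention_deadline(r, retention_days) < as_of)


def assurance_findings(pre_inventory, post_inventory, as_of, retention_days=RETENTION_DAYS):
    """Post-implementation test: every record that was overdue before the clean-up must be
    absent afterwards. Returns the ids that should have been removed but are still present."""
    expected_removed = set(overdue_records(pre_inventory, as_of, retention_days))
    still_present = {r.record_id for r in post_inventory}
    return sorted(expected_removed & still_present)


# Constructed sample inventories: what an export from the laptop or HR server might list.
SAMPLE_PRE = [
    Record("E001", "former_employee", date(2018, 6, 30)),   # left years ago: overdue
    Record("E002", "former_employee", date(2023, 1, 15)),   # within retention period
    Record("C001", "former_customer", date(2021, 3, 1)),    # overdue
    Record("C002", "former_customer", date(2023, 6, 1)),    # within retention period
]
# After the clean-up, E001 was not removed (a finding); C001 was.
SAMPLE_POST = [SAMPLE_PRE[0], SAMPLE_PRE[1], SAMPLE_PRE[3]]
REVIEW_DATE = date(2024, 1, 1)


def run_sample_review():
    """Return (records overdue before clean-up, records wrongly retained after it)."""
    return (overdue_records(SAMPLE_PRE, REVIEW_DATE),
            assurance_findings(SAMPLE_PRE, SAMPLE_POST, REVIEW_DATE))


if __name__ == "__main__":
    overdue, findings = run_sample_review()
    print("Overdue before clean-up:", overdue)
    print("Still present after clean-up (findings):", findings)
```

The same check can be re-run at each periodic review with a fresh export to confirm that removal continues, and against the configuration of an automated purge job by comparing its output to `overdue_records`.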
The choices seem simple. In one scenario, an organization could face bad publicity, irate customers, and the wrath of former and current employees, as well as incur unforeseen or unbudgeted costs. Alternatively, the organization could enact a cohesive data management process that would lower its risk exposure from potential data loss or theft. Taking simple steps such as creating a data retention policy and removing old, unused data can limit risk upfront.
James Reinhard, CIA, CPA, CISA, is audit director at Simon Property Group in Indianapolis.