Transcript Privacy_of_Data.ppt
Krysti Cox
Dustin Hamilton
Angela Pagenstecher
Jeff Pike
“The security of these systems is vital to the business, and assurance that these systems are secure is essential”
Information Systems Control Journal Vol. 5, 2008
2
Topics of Discussion
Overview
Data Privacy Hits Home
Business Risks Illustrated
Information Accountability
An IT Auditor’s Role
3
Overview
Exercising control over data
Owner of data should be entitled to determine the correctness, applicability, and access rights
Technology has begun to outpace security
Importance of assurance has created a demand for competent IT Auditors
Information Systems Control Journal Vol. 2, 2007
4
Overview
ISACA was formed, and COBiT established
IS Audit Guideline – Privacy
Information Security Accountability and Assurance becomes paramount
Communications of the ACM, June 2008/Vol. 51, No.6
5
Data Privacy Hits Home
Where is data privacy seen in day-to-day business operations?
6
Data Privacy Hits Home
Where is data privacy seen in day-to-day business operations?
Passwords
Intranets
Access rights and restrictions
Network Encryption
Physical Security
7
Countrywide Financial Corp.
An employee gained access to customer data and was able to store it on a USB drive
What are some controls that could have done the following:
Prevented this occurrence
Directed the control of this risk
Detected this breach of security
ComputerWorld Aug 2008
8
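A detective control for the Countrywide scenario above, as an added example that is not part of the slides: a correlation over constructed audit events that flags a removable-media write shortly after a bulk read of customer records by the same user. The pipe-delimited log format, the 1000-record "bulk" threshold and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the slides), one per line:
# timestamp|user|action|detail
SAMPLE_LOG = """\
2008-08-01T09:00:00|asmith|READ_CUSTOMER|count=25
2008-08-01T09:05:00|asmith|USB_WRITE|device=E:
2008-08-01T10:00:00|bjones|READ_CUSTOMER|count=20000
2008-08-01T10:12:00|bjones|USB_WRITE|device=F:
2008-08-01T13:00:00|cdoe|READ_CUSTOMER|count=15000
2008-08-01T18:30:00|cdoe|USB_WRITE|device=E:
"""

BULK_THRESHOLD = 1000          # assumed policy value: reads of this many records or more are "bulk"
WINDOW = timedelta(minutes=30)  # assumed: a USB write this soon after a bulk read is flagged

def parse_events(text):
    """Parse the pipe-delimited log into (timestamp, user, action, detail-dict) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, detail = line.split("|")
        key, _, value = detail.partition("=")
        events.append((datetime.fromisoformat(ts), user, action, {key: value}))
    return events

def detect_bulk_read_then_usb(text):
    """Return (user, read_time, usb_time) for each user whose bulk read of
    customer records is followed by a removable-media write within WINDOW."""
    last_bulk_read = {}  # user -> time of the most recent bulk read
    alerts = []
    for ts, user, action, detail in sorted(parse_events(text), key=lambda e: e[0]):
        if action == "READ_CUSTOMER" and int(detail.get("count", 0)) >= BULK_THRESHOLD:
            last_bulk_read[user] = ts
        elif action == "USB_WRITE" and user in last_bulk_read:
            if ts - last_bulk_read[user] <= WINDOW:
                alerts.append((user, last_bulk_read[user], ts))
                del last_bulk_read[user]  # one alert per bulk read
    return alerts

if __name__ == "__main__":
    for user, read_at, usb_at in detect_bulk_read_then_usb(SAMPLE_LOG):
        print(f"ALERT {user}: bulk customer read at {read_at}, USB write at {usb_at}")
```

On the sample data only bjones is flagged: asmith's read is too small to count as bulk, and cdoe's USB write falls outside the window.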
“With access control and encryption no longer capable of protecting privacy, laws and systems are needed that hold people accountable for the misuse of personal information…”
Communications of the ACM, June 2008/Vol. 51, No.6
9
Information Accountability
Accountability
The issue is not access of data, but that it is used inappropriately
Transparency
Collection and use of information should have a valid purpose, be clearly disclosed, and be within legal compliance
Communications of the ACM, June 2008/Vol. 51, No.6
10
Information Accountability
Challenges
Protect privacy without impeding information flow
Reliance on secrecy and up-front control
Proliferation of personal information on the web
Individuals accidentally or intentionally put information on the web and do not know the “end result”
Communications of the ACM, June 2008/Vol. 51, No.6
11
Privacy Issues
AICPA Privacy Task Force
Link between individual privacy and organizations
Managers are obligated to institute proper internal controls aimed at protecting the confidentiality of personal information
Bridges the gap between technical issues and audit objectives
Privacy Issues, Ch. 2, Information Technology Auditing
12
Privacy Issues
What information is protected?
Information that is:
Personally identifiable
Factual
Age, name, income, ethnicity, blood type, biometric images, DNA, credit card numbers, loan information and medical records
Subjective
Opinions, evaluations, comments, disciplinary actions and disputes
Privacy Issues, Ch. 2, Information Technology Auditing
13
Role of an IT Auditor
Information Privacy Governance
Assess the effectiveness of controls and related risks
Ensure that management:
Develops and implements sound controls
Operates and manages the controls on an ongoing basis
Aligns IT goals with business goals
Information Systems Control Journal Vol. 5, 2008
14
Role of an IT Auditor
Evaluate the quality and integrity of security practices
Determine whether generally accepted standards are followed
Ensure transparency is met and governance is present
Issue a report/offer recommendations
Conducting a Privacy Audit, Ruth V. Nelson, PwC, Elizabeth B. Carder, Reed Smith LLP
15