Privacy_of_Data.ppt


Krysti Cox
Dustin Hamilton
Angela Pagenstecher
Jeff Pike
“The security of these systems is vital to the business, and assurance that these systems are secure is essential”
Information Systems Control Journal Vol. 5, 2008
2
Topics of Discussion
 Overview
 Data Privacy Hits Home
 Business Risks Illustrated
 Information Accountability
 An IT Auditor’s Role
3
Overview
 Exercising control over data
   The owner of data should be entitled to determine its correctness, applicability, and access rights
 Technology has begun to outpace security
 The importance of assurance has created a demand for competent IT Auditors
Information Systems Control Journal Vol. 2, 2007
4
Overview
 ISACA was formed, and COBIT established
 IS Audit Guideline – Privacy
 Information Security Accountability and Assurance becomes paramount
Communications of the ACM, June 2008/Vol. 51, No.6
5
Data Privacy Hits Home
 Where is data privacy seen in day-to-day business operations?
   Passwords
   Intranets
   Access rights and restrictions
   Network Encryption
   Physical Security
7
Countrywide Financial Corp.
 An employee gained access to customer data and was able to store it on a USB drive
   What are some controls that could have done the following:
     Prevented this occurrence (preventive controls)
     Directed how this risk is handled (directive controls)
     Detected this breach of security (detective controls)
ComputerWorld Aug 2008
8
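The three control types the slide asks about can be made concrete. The Python script below is an added example, not part of the presentation and not code from any Countrywide system: it replays a constructed endpoint audit log (the log format, field names, share paths, device serials and thresholds are all assumptions made for this illustration) and shows a detective control, which correlates USB mass-storage attach events with copies from a sensitive share and with the volume copied to one device, beside a preventive control, which refuses writes to any removable device not on an approved list. The directive control (policy, acceptable-use rules, training) is what tells staff not to do this in the first place and has no code form.

```python
"""Detective and preventive controls for the removable-media scenario.

Added example; the log format, field names, share paths, device serials and
thresholds below are assumptions for illustration, not taken from the slides
or from any real Countrywide system.
"""
import re
from collections import defaultdict

# Assumed: UNC shares that hold customer data; any copy from here is suspicious.
SENSITIVE_SHARES = ("\\\\fileserver\\loans\\", "\\\\fileserver\\customers\\")
BYTES_THRESHOLD = 10 * 1024 * 1024   # assumed: alert once 10 MiB lands on one device
FILES_THRESHOLD = 20                 # assumed: alert once 20 files land on one device
APPROVED_SERIALS = {"4C530002"}      # assumed: company-issued (encrypted) drives only

# Constructed sample log: one "timestamp key=value ..." event per line.
SAMPLE_LOG = r"""
2008-08-01T09:12:03 user=jdoe event=device_attach class=USBSTOR volume=E: serial=4C530001
2008-08-01T09:13:10 user=jdoe event=file_copy src=\\fileserver\loans\customers_2008.csv dst=E:\customers_2008.csv bytes=48234112
2008-08-01T09:14:00 user=jdoe event=file_copy src=C:\Users\jdoe\notes.txt dst=E:\notes.txt bytes=2048
2008-08-01T09:30:44 user=jdoe event=device_detach volume=E:
2008-08-01T10:02:17 user=asmith event=file_copy src=C:\Users\asmith\budget.xlsx dst=D:\budget.xlsx bytes=90112
2008-08-01T11:45:09 user=asmith event=device_attach class=USBSTOR volume=F: serial=4C530002
2008-08-01T11:46:30 user=asmith event=file_copy src=C:\Users\asmith\slides.pptx dst=F:\slides.pptx bytes=1048576
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; 'bytes' becomes an int (0 if absent)."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    ev.update(KV_RE.findall(rest))
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev


def is_sensitive(path):
    """True when the source path lies under one of the assumed customer-data shares."""
    return path.lower().startswith(tuple(s.lower() for s in SENSITIVE_SHARES))


def removable_copies(lines):
    """Yield (event, device_serial) for every file_copy whose destination drive
    is a USB mass-storage volume that the same user currently has attached."""
    attached = defaultdict(dict)  # user -> {volume letter: device serial}
    for line in lines:
        ev = parse_line(line)
        user, kind = ev["user"], ev["event"]
        if kind == "device_attach" and ev.get("class") == "USBSTOR":
            attached[user][ev["volume"]] = ev.get("serial", "unknown")
        elif kind == "device_detach":
            attached[user].pop(ev["volume"], None)
        elif kind == "file_copy":
            serial = attached[user].get(ev["dst"][:2])  # "E:" from "E:\..."
            if serial is not None:
                yield ev, serial


def detect_removable_exfil(lines):
    """Detective control: alert on copies from a sensitive share to removable
    media, and on cumulative bytes/files per (user, device) crossing a threshold."""
    sessions = defaultdict(lambda: {"bytes": 0, "files": 0,
                                    "bytes_alerted": False, "files_alerted": False})
    alerts = []
    for ev, serial in removable_copies(lines):
        s = sessions[(ev["user"], serial)]
        s["bytes"] += ev["bytes"]
        s["files"] += 1
        base = {"ts": ev["ts"], "user": ev["user"], "volume": ev["dst"][:2], "serial": serial}
        if is_sensitive(ev["src"]):
            alerts.append({**base, "reason": "sensitive_source", "src": ev["src"]})
        if s["bytes"] >= BYTES_THRESHOLD and not s["bytes_alerted"]:
            s["bytes_alerted"] = True   # one volume alert per user/device session
            alerts.append({**base, "reason": "volume_threshold", "bytes": s["bytes"]})
        if s["files"] >= FILES_THRESHOLD and not s["files_alerted"]:
            s["files_alerted"] = True
            alerts.append({**base, "reason": "file_count", "files": s["files"]})
    return alerts


def blocked_by_policy(lines, approved=APPROVED_SERIALS):
    """Preventive control: the same events replayed against a device allowlist;
    returns the copies an endpoint agent enforcing that policy would have refused."""
    return [(ev["ts"], ev["user"], ev["dst"])
            for ev, serial in removable_copies(lines) if serial not in approved]


if __name__ == "__main__":
    for a in detect_removable_exfil(SAMPLE_LINES):
        print("ALERT", a)
    for b in blocked_by_policy(SAMPLE_LINES):
        print("BLOCKED", b)
```

On the constructed log, the detective control raises two alerts for jdoe's copy of the loans share onto the unapproved drive (sensitive source, then the 10 MiB volume threshold) and nothing for asmith, whose large copy goes to a fixed disk and whose USB copy uses an approved device; the preventive control would have refused both of jdoe's writes outright. The two controls are deliberately independent: the allowlist stops the common case, and the detective correlation still fires if an approved device is misused, which is why an auditor looks for both rather than either.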
“With access control and encryption no longer capable of protecting privacy, laws and systems are needed that hold people accountable for the misuse of personal information…”
Communications of the ACM, June 2008/Vol. 51, No.6
9
Information Accountability
 Accountability
   The issue is not access to data, but its inappropriate use
 Transparency
   Collection and use of information should have a valid purpose, be clearly disclosed, and be within legal compliance
Communications of the ACM, June 2008/Vol. 51, No.6
10
Information Accountability
 Challenges
 Protect privacy without impeding the flow of information
   Existing approaches rely on secrecy and up-front access control
 Proliferation of personal information on the web
   Individuals accidentally or intentionally put information on the web and do not know the “end result”
Communications of the ACM, June 2008/Vol. 51, No.6
11
Privacy Issues
 AICPA Privacy Task Force
 Link between individual privacy and organizations
   Managers are obligated to institute proper internal controls aimed at protecting the confidentiality of personal information
 Bridges the gap between technical issues and audit objectives
Privacy Issues, Ch. 2, Information Technology Auditing
12
Privacy Issues
 What information is protected?
 Information that is:
   Personally identifiable
   Factual
     Age, name, income, ethnicity, blood type, biometric images, DNA, credit card numbers, loan information and medical records
   Subjective
     Opinions, evaluations, comments, disciplinary actions and disputes
Privacy Issues, Ch. 2, Information Technology Auditing
13
Role of an IT Auditor
 Information Privacy Governance
   Assess the effectiveness of controls and related risks
   Ensure that management:
     Develops and implements sound controls
     Operates and manages the controls on an on-going basis
     Aligns IT goals with business goals
Information Systems Control Journal Vol 5, 2008
14
Role of an IT Auditor
 Evaluate the quality and integrity of security practices
 Determine whether generally accepted standards are
followed
 Ensure transparency is met and governance is present
 Issue a report/offer recommendations
Conducting a Privacy Audit, Ruth V. Nelson, PwC, Elizabeth B. Carder, Reed Smith LLP
15