More than 750 million personally identifiable records in the U.S. have been breached in the last 10 years, with more than 80 million records compromised in 2015 alone, according to the Privacy Rights Clearinghouse, a research and advocacy organization in San Diego. These incidents span a wide range of types, including malicious hacking, payment card fraud, and physical loss of assets. Customer data is defined as any data that contains personally identifiable information about a customer such as medical records, Social Security numbers, bank and credit card information, and driver’s license information.
Organizations have an inherent obligation to protect customer data. Although regulations and guidelines have been established for organizations to follow to mitigate compliance risk, the number of breaches indicates they need to be doing more (see “Key Regulations and Guidelines” at the end of this article). This is an opportunity for internal auditors to help their organization understand, identify, and mitigate the potential risks from both internal and external sources.
Organizations and their employees store more and more data on a wide range of media, including mobile devices and cloud-based applications. The multiple systems that may be involved increase the risk of a customer data breach. To protect data, controls and other measures need to be in place that address both internal and external threats.
Training and Education
Protecting customer data is not just an IT responsibility. Business leaders need to understand the specific business risks and ensure that everyone in the organization is trained to take appropriate actions to protect their customers’ data.
Data Encryption
Implementing encryption protocols is fundamental in protecting customer data. Organizations need to define sensitive data and then encrypt it to ensure it is safeguarded. Encryption at the individual user level can ensure that customer data is protected. Periodically, organizations should reevaluate their encryption policies to identify necessary changes in a timely manner. Moreover, they should evaluate the type of encryption in place to ensure it still protects against the latest vulnerabilities. For example, the Data Encryption Standard (DES), developed in the 1970s, is no longer considered secure and has been replaced by Triple DES and the Advanced Encryption Standard (AES).
Data Loss Prevention (DLP)
Organizations that house large quantities of customer data need to consider the use of DLP tools. These tools allow the IT function to automate and help prevent data loss that may come from internal and external vulnerabilities. Moreover, the tools can evaluate data in motion and disallow accidental disclosures based on pre-established policies.
Cloud Risk
In recent years cloud technologies have become central to many organizations’ operating strategies. The scalability and ease of use of cloud solutions make them an attractive choice to implement. In moving to a cloud-based solution, data security needs to be central to the decision-making process. Organizations must understand the risks that having customer data in the cloud creates and require cloud vendors to adhere to at least the same standards and level of security that are in place for the organization’s own systems. By being involved in the decision-making process from the outset, internal audit can help ensure appropriate controls are in place.
Mobile Devices
As businesses and consumers expand their use of smartphones, tablets, and other mobile devices to get work done and stay connected, data security becomes paramount. Organizations that distribute devices to their employees are able to retain control over the data to ensure its security. Organizations that have bring your own device (BYOD) policies can lower their device costs and give employees more flexibility, but ensuring data is secure is a challenge. Without the use of specialized tools, a lost or stolen device could compromise customer data. To mitigate the risk, many organizations with BYOD policies use software that prevents data from being stored on devices.
Data Logs
Organizations need to establish data logging policies around key servers and firewalls to have the ability to research security issues that arise. If a breach occurs, they need to understand the source and scale of the incident. Logs are a way to identify the issue quickly and cost-effectively.
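To show what “source and scale” looks like in practice, the following added example (not from the article or any product it mentions) parses a constructed access log for a customer-records application and groups bulk actions by user and source address. The log format, field names, the EXPORT action and the threshold are assumptions chosen for illustration; a real investigation would read the organization’s own server and firewall logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log for a customer-records application (not from
# any real system). Each line records who touched which record, from where.
# One deliberately malformed line shows that parsing must tolerate noise.
SAMPLE_LOG = """\
2015-11-03T09:12:01Z user=jdoe src=10.1.4.22 action=VIEW record=C-1001
2015-11-03T09:12:07Z user=jdoe src=10.1.4.22 action=VIEW record=C-1002
this line is not in the expected format
2015-11-03T22:40:11Z user=svc_report src=203.0.113.5 action=EXPORT record=C-2001
2015-11-03T22:40:12Z user=svc_report src=203.0.113.5 action=EXPORT record=C-2002
2015-11-03T22:40:12Z user=svc_report src=203.0.113.5 action=EXPORT record=C-2003
2015-11-03T22:40:13Z user=svc_report src=203.0.113.5 action=EXPORT record=C-2004
2015-11-03T22:40:14Z user=svc_report src=203.0.113.5 action=EXPORT record=C-2005
2015-11-04T08:01:00Z user=asmith src=10.1.4.31 action=VIEW record=C-1001
"""

# Assumed log layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn raw log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def scope_incident(events: list, bulk_actions=("EXPORT",), threshold: int = 3) -> list:
    """Group bulk actions by (user, source IP) and report actors who touched
    at least `threshold` distinct records: who (source) and how many (scale),
    with the time window in which it happened."""
    per_actor = defaultdict(lambda: {"records": set(), "times": []})
    for e in events:
        if e["action"] not in bulk_actions:
            continue
        actor = per_actor[(e["user"], e["src"])]
        actor["records"].add(e["record"])
        actor["times"].append(e["ts"])

    findings = []
    for (user, src), actor in per_actor.items():
        if len(actor["records"]) >= threshold:
            findings.append({
                "user": user,
                "src": src,
                "records": len(actor["records"]),
                "first": min(actor["times"]).isoformat(),
                "last": max(actor["times"]).isoformat(),
            })
    # Largest exposure first so the investigator sees the biggest problem immediately.
    findings.sort(key=lambda f: f["records"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in scope_incident(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as a script, it prints one finding: the `svc_report` account exported five distinct customer records from `203.0.113.5` within a few seconds, which is exactly the kind of answer an incident lead needs before deciding on notification scope. Lowering the threshold or widening `bulk_actions` turns the same function into a routine monitoring check rather than a post-breach tool.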
Internal Audit’s Role
In addition to attesting that the organization has put these control measures in place, internal audit should review other aspects of data security.
Risk Assessment
Performing a risk assessment can help auditors understand the specific risks surrounding customer data and the technology used to access and store it. Management stakeholders within the business and IT organizations often are able to quickly identify the “pain points” in the process, which can enable internal audit to tailor its procedures to focus on the priority areas first.
Governance Strategy
One of the first questions internal auditors should ask before proceeding with any project is whether the organization has a governance strategy to support the protection of customer data. This strategy document should outline the key locations where customer data is stored, the nature of the data, and who is responsible for maintaining it.
IT Security Benchmarking Assessment
Recent high-profile data breaches have led many organizations to implement safeguards to mitigate the risk of suffering the same fate. Internal audit can add value by benchmarking current data security practices against industry standards and an established framework such as the National Institute of Standards and Technology Cybersecurity Framework. This benchmarking can enable auditors to identify gaps where the organization falls short of standards and assist the organization in developing a road map to address risk and improve data security processes.
Data Classification Policy
Data classification is the process of identifying and classifying what constitutes sensitive information within an organization and defining requirements for accessing and handling data based on the established classification. Understanding how customer data is classified and restricting access will assist in protecting the data. Internal auditors should assess and test this policy to validate that it is applied uniformly across the organization. Auditors also should ensure that the policy identifies all customer data and aligns with management’s risk tolerance.
Training and Education
If the organization does not have a robust training program to educate employees about what customer data is and the steps that need to be taken to safeguard it, internal audit can recommend ways to establish such training. This training can take on many forms, including a traditional classroom setting, a security awareness month contest, and Web-based learning. The topics that should be covered may depend on the organization’s business environment. Some specific topics to consider include physical security, device security, passwords, phishing, hoaxes, and malware.
Key Owners
If it has not been spelled out in the organizational governance strategy, internal audit should confirm that the organization has identified its various data owners to establish accountability. Auditors should evaluate the list of owners and validate that all have a sufficient amount of competence and authority. In addition, they should work with management to understand each owner’s role and to validate that owners are periodically performing processes to safeguard their data.
Regulatory Compliance
Unless it is addressed by another function within the organization, the annual internal audit program should verify that the organization is in compliance with all regulations, which may vary by industry and country. Regulatory bodies are taking greater interest in data security, which may result in more compliance steps for organizations.
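The classification policy described here and the DLP “data in motion” check described earlier in the article are two halves of one mechanism: content is labelled according to what it contains, and a pre-established policy decides whether that label may travel over a given channel. The following added example (not from the article or any DLP product) implements both halves for two kinds of customer data named in the article, Social Security numbers and payment card numbers. The regular expressions, the Luhn filter, the classification levels and the channel policy are assumptions constructed for illustration; an organization’s own policy would define its levels and what each permits.

```python
import re

# Constructed detection patterns (illustrative, not from any DLP product).
# SSN: three groups, excluding area numbers 000, 666 and 9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop invoice numbers and other digit runs that
    merely look like card numbers (a major source of DLP false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged or shown
    to a reviewer without re-exposing the data the control is meant to protect."""
    return "*" * (len(value) - 4) + value[-4:]


def find_pii(text: str) -> dict:
    """Return {label: [raw matches]} for the sensitive data types detected."""
    found = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        found["ssn"] = ssns
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    if cards:
        found["card"] = cards
    return found


# Constructed classification scheme, lowest to highest sensitivity.
CLASS_ORDER = ["public", "internal", "confidential", "restricted"]
# Which detected data type forces which classification (assumed policy).
LABEL_CLASS = {"ssn": "restricted", "card": "restricted"}


def classify(text: str) -> str:
    """Content takes the highest classification of anything found in it;
    unlabelled business content defaults to 'internal' under this policy."""
    found = find_pii(text)
    if not found:
        return "internal"
    return max((LABEL_CLASS[label] for label in found), key=CLASS_ORDER.index)


# Constructed channel policy: what each classification may do per destination.
POLICY = {
    "restricted":   {"internal": "allow", "external": "block"},
    "confidential": {"internal": "allow", "external": "block"},
    "internal":     {"internal": "allow", "external": "allow"},
    "public":       {"internal": "allow", "external": "allow"},
}


def dlp_decision(text: str, external: bool) -> dict:
    """Classify outbound content and apply the channel policy. Findings are
    returned masked so the decision record itself is safe to retain."""
    channel = "external" if external else "internal"
    level = classify(text)
    findings = {label: [mask(v) for v in values]
                for label, values in find_pii(text).items()}
    return {"classification": level, "channel": channel,
            "action": POLICY[level][channel], "findings": findings}


if __name__ == "__main__":
    # Constructed sample message, not real customer data.
    msg = "Please update customer SSN 123-45-6789 and card 4111 1111 1111 1111."
    print(dlp_decision(msg, external=True))
    print(dlp_decision("Invoice ref 1234 5678 9012 3456 is approved.", external=True))
```

Two points an auditor testing such a control should note: the same message is allowed internally but blocked externally, so the policy table, not the detector, is what expresses management’s risk tolerance and should be reviewed against it; and the Luhn filter is what keeps the control from blocking ordinary invoice numbers, so evidence that false positives are tuned rather than silently disabled is worth asking for.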
Working Across the Business
Internal audit can make a great contribution to protecting customer data in their organization. By working across the business, internal audit can connect the dots among proposed and current strategies, the fundamental themes of regulation, and what each function must do to comply. It is in this role that internal audit can become a trusted adviser to the business and help safeguard the organization.
A variety of regulations and frameworks are used to govern data protection and privacy. These include industry best practices that organizations should consider in developing their data protection strategy.
Government and Industry Regulations
European Union (EU) Labor and Privacy Regulations
While they vary widely in scope, EU labor and privacy rules focus on an organization’s ability to monitor individuals’ information and protect their “right to be forgotten.” Organizations must ensure that data retention policies are in place so that an individual’s information can be removed upon request.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA defines patient privacy and security in the health-care industry. HIPAA holds health-care providers accountable for protecting specific types of patient data they collect. The HIPAA security rule also establishes specific steps that need to be taken to maintain physical security, technical safeguards, access, and confidentiality for patients.
The Health Information Technology for Economic and Clinical Health Act (HITECH)
HITECH was established in 2009 to provide regulation to improve health-care quality, safety, and efficiency. As part of the act, electronic health records are regulated to ensure that electronic data interchanges are secure to protect patient information.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is intended to ensure that all organizations that process and store credit card data do so in a secure environment. This standard requires testing and validation to attest to compliance.
U.K. Information Commissioner’s Office Data Protection Principles
The U.K. established this independent authority to uphold information privacy rights. The Data Protection Principles ensure that data is processed and stored fairly, for the appropriate purpose, and is retained for the appropriate period of time. Specific attributes give individuals the right to access their information, object to its processing, and claim compensation for damages.
National Institute of Standards and Technology Cybersecurity Framework
This framework lays out key cybersecurity standards that need to be considered by U.S. organizations to anticipate and defend against cyberattacks. The framework has become an important step in standardizing cybersecurity principles in the U.S. and provides best practices globally.
COBIT
ISACA established the COBIT framework in 1996 to formalize IT management and governance across organizations. The most recent version, COBIT 5, provides IT control objectives that data security practitioners can use to create and streamline processes and assist in protecting customer data.
In addition to these frameworks, The IIA’s Global Technology Audit Guide 15: Information Security Governance, provides guidance on auditing data security. Additionally, the 2013 update to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework can be applied to data security.