Data at Risk

Protecting sensitive data should be a priority for every organization.

In the age of social media, cloud storage, and the Internet of Things, protecting one’s data has become more and more difficult. Although these technologies create valuable conveniences in people’s everyday lives, they also leave a digital footprint of our identities. With each click or swipe, we voluntarily expose our personally identifiable information and increase the risk of sensitive information loss, or worse, identity theft.

 These same risks, of course, exist for the organizations we serve in the form of data theft, unauthorized access to systems, network attacks or intrusions, and misuse of services, information, or assets. Unfortunately, many organizations overlook these risks when performing IT assessments and remain complacent rather than taking proactive steps to protect their sensitive information. As such, internal auditors must ensure an incident management program exists as a portion of the organization’s overall information security strategy. 

Effective incident management assigns personnel responsibility; details and defines requirements for identifying, investigating, and documenting an incident; and establishes escalation triggers and notification procedures. An incomplete process could hinder timely investigation into a potentially damaging incident and diminish an organization’s resilience in the wake of a threat. Accordingly, internal auditors should verify that incident management policies clearly define who needs to be notified when an incident occurs, based on the incident classification and the affected business units and systems. 

The methodology should also include procedures for the collection of data, prioritization of incidents by risk severity, and preservation of compromised systems. Insufficient or incomplete procedures in these areas could exclude critical forensic data and impact the organization’s ability to recover quickly from an incident. Therefore, an effective incident management infrastructure should also follow industry standards for collection, preservation, analysis, and reporting of forensic evidence. Specifically, internal auditors should encourage organizations to use products and services that meet legal rules of evidence, such as those validated by the U.S. National Institute of Standards and Technology, the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, or the SANS Institute.

With more digital and technological vulnerabilities facing organizations than ever, internal auditors should ensure adequate security, privacy, and safeguards of customer and company data, while adapting to ever-changing advances in technology. As the world continues to become more interconnected in both our personal and professional lives, have we conditioned ourselves to accept that our data and personal information are no longer our own? Are internal auditors doing enough to adapt to this reality and protect ourselves and our organizations against the inherent vulnerabilities associated with the digital age? If not, now is the time to act. 

Robin Brown

About the Author



Robin Brown is manager, Risk Advisory Services, at Dixon Hughes Goodman LLP in Atlanta.

