In the age of social media, cloud storage, and the Internet of Things, protecting one’s data has become more and more difficult. Although these technologies create valuable conveniences in people’s everyday lives, they also leave a digital footprint of our identities. With each click or swipe, we voluntarily expose our personally identifiable information and increase the risk of sensitive information loss, or worse, identity theft.
These same risks, of course, exist for the organizations we serve in the form of data theft, unauthorized access to systems, network attacks or intrusions, and misuse of services, information, or assets. Unfortunately, many organizations overlook these risks when performing IT assessments and remain complacent rather than taking proactive steps to protect their sensitive information. As such, internal auditors must ensure an incident management program exists as a portion of the organization’s overall information security strategy.
Effective incident management assigns personnel responsibility; details and defines requirements for identifying, investigating, and documenting an incident; and establishes escalation triggers and notification procedures. An incomplete process could hinder timely investigation into a potentially damaging incident and diminish an organization’s resilience in the wake of a threat. Accordingly, internal auditors should verify that incident management policies clearly define who needs to be notified when an incident occurs, based on the incident classification and the affected business units and systems.
The methodology should also include procedures for the collection of data, prioritization of incidents by risk severity, and preservation of compromised systems. Insufficient or incomplete procedures in these areas could exclude critical forensic data and impact the organization’s ability to recover quickly from an incident. Therefore, an effective incident management infrastructure should also follow industry standards for collection, preservation, analysis, and reporting of forensic evidence. Specifically, internal auditors should encourage organizations to use products and services that meet legal rules of evidence, such as those validated by the U.S. National Institute of Standards and Technology, the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, or the SANS Institute.
With more digital and technological vulnerabilities facing organizations than ever, internal auditors should ensure adequate security, privacy, and safeguards of customer and company data, while adapting to ever-changing advances in technology. As the world continues to become more interconnected in both our personal and professional lives, have we conditioned ourselves to accept that our data and personal information are no longer our own? Are internal auditors doing enough to adapt to this reality and protect ourselves and our organizations against the inherent vulnerabilities associated with the digital age? If not, now is the time to act.