A friend of mine was recently put at risk of identity theft. His former employer had a laptop stolen after it was left at a restaurant. The laptop contained human resources data on past employees, and that data was not secured. The company contacted the former employees and offered them a free subscription to a service that would monitor for signs of identity theft. My friend asked the company several times why former employees' data was still on a company laptop when some of those individuals had not worked for the organization for several years. The company gave a vague answer at the time but later admitted it had not removed the data once it was no longer needed.
Situations like this involving employee or customer data occur at organizations with alarming regularity. Sometimes there is publicity and sometimes not. But in all cases, the underlying problem is that the organization either did not have a data management policy or its policy was not followed. A good data management policy would limit such exposures and require outdated information to be removed or archived securely with limited access. Moreover, the policy's data retention rules should specify when archived data must be deleted.
Unfortunately, removing old, unused data on corporate devices — including in-house administrative servers — is not at the top of most organizations' priority lists, but it should be. Data management has always been, at best, a secondary thought for many organizations. For example, before computers, organizations would just file their paperwork in file cabinets, never to be thrown away. The ever-growing amount of paperwork resulted in the purchase of additional file cabinets.
The same thing still happens today, except that it is now cheaper because the paperwork is stored electronically and can be pulled up for analysis at will. In fact, most organizations will not delete old data from portable devices until they run out of disk space. Moreover, even where an archival policy exists, it usually lacks a retention provision requiring the archived information to be deleted later. Such organizations are then exposed to legal discovery requests that would force them to review all of their old archived data, an often costly and labor-intensive process.
In the end, simple actions can limit the exposure. First, executive management needs to be made aware of the risks of poor data management and of the need for a policy. Internal audit, by virtue of its position in the organization's governance structure, is well placed to identify the risk exposure and, most importantly, to raise awareness proactively. Second, the organization must assign its legal and technology functions responsibility for writing a data management policy and overseeing its implementation. Throughout the process, internal auditors can act as consultants, perform a post-implementation review to confirm that the policy was carried out successfully, monitor that it continues to be followed, and identify any remaining gaps.
The auditor can perform activities before and after implementation to provide assurance and add value. Examples of activities the auditor could assist with during the pre-implementation phase include:
Working as a consulting member of the task force.
Reviewing the data policy.
Reviewing the inventory of data for gaps based on the auditors' organizational knowledge, especially at regional or district offices or business segments.
Ensuring responsibility is assigned to appropriate personnel during the pre-implementation phase and determining whether there are plans for post-implementation assignment of responsibility for maintenance and oversight.
A post-implementation review should take place about six months after implementation, once monitoring and oversight activities have become established. Questions the auditor could ask during post-implementation assurance activities include:
Has an oversight and monitoring activity been established? Is it positioned appropriately within the organization?
What procedures confirm that data removal has actually occurred? What is the process for future periodic reviews and the subsequent removal of data?
Has user training and awareness occurred?
Does appropriate commitment exist at the executive management level to continue the process? For example, auditors should confirm that senior management treats this as a continuing effort rather than a one-time event.
Based on the responses to these questions, auditors can perform assurance testing, such as validating that data was truly removed during the implementation phase and that removal continues to occur on the basis of periodic reviews. That testing should not stop at reviewing deletion logs: sample the devices and archives listed in the data inventory and confirm that the expired records are actually gone. Some organizations establish systems to automate the removal process; auditors can review those systems to validate that they are configured correctly, for example that the retention periods match the policy and that the automated job covers portable devices and archives, not only central servers.
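As an added illustration (example code written for this page, not code from the original article or from any organization's actual removal system): a small retention sweep of the kind such an automated process would run, together with the check an auditor would perform afterwards to confirm that the records scheduled for purge are really gone. The record layout, the retention periods, the legal-hold flag and the sample inventory are all constructed for the example; a real policy sets its own periods per data class.

```python
"""Retention sweep plus the auditor's verification of it.

Added example, not code from the original article. The record layout,
retention periods, legal-hold flag and sample inventory are constructed
for illustration; a real policy sets its own periods per data class.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str           # assumed classification, e.g. "hr_personnel"
    last_needed: date         # date after which the business no longer needs it
    legal_hold: bool = False  # records under a litigation hold are never purged


# Constructed retention policy: days a record is kept after last_needed.
RETENTION_DAYS = {
    "hr_personnel": 3 * 365,
    "payroll": 7 * 365,
}

# Constructed inventory of former-employee data found on a laptop.
SAMPLE_INVENTORY = [
    Record("E001", "hr_personnel", date(2015, 6, 30)),
    Record("E002", "hr_personnel", date(2022, 9, 15)),
    Record("E003", "payroll", date(2016, 3, 31)),
    Record("E004", "hr_personnel", date(2014, 1, 1), legal_hold=True),
    Record("E005", "recruiting_notes", date(2010, 12, 31)),  # no policy entry
]

AS_OF = date(2024, 1, 1)  # date on which the sweep is run


def sweep(inventory, as_of):
    """Sort an inventory into what to purge, keep, hold, and policy gaps.

    A record with no entry in RETENTION_DAYS is reported separately rather
    than kept silently: an unclassified record is a gap in the policy's
    data inventory, which is exactly what the review is meant to surface.
    """
    result = {"purge": [], "keep": [], "hold": [], "unclassified": []}
    for rec in inventory:
        if rec.legal_hold:
            result["hold"].append(rec)
            continue
        days = RETENTION_DAYS.get(rec.data_class)
        if days is None:
            result["unclassified"].append(rec)
        elif rec.last_needed + timedelta(days=days) < as_of:
            result["purge"].append(rec)
        else:
            result["keep"].append(rec)
    return result


def verify_removal(ids_still_present, purge_list):
    """Auditor's check: which records scheduled for purge still exist?

    `ids_still_present` is the set of record ids found on the device or
    archive when it is re-inventoried after the removal job ran. Any id
    from the purge list that is still there is an audit finding; an empty
    list means the removal held.
    """
    return [rec.record_id for rec in purge_list if rec.record_id in ids_still_present]


if __name__ == "__main__":
    plan = sweep(SAMPLE_INVENTORY, AS_OF)
    for bucket, recs in plan.items():
        print(bucket, [r.record_id for r in recs])
    # Re-inventory after the removal job, constructed to show one failure.
    after = {"E002", "E003", "E004", "E005"}
    print("still present after purge:", verify_removal(after, plan["purge"]))
```

Reviewing the automated system's configuration amounts to comparing its equivalent of RETENTION_DAYS against the written policy and running the sweep in this dry-run form over the organization's real inventory to see whether the two agree on what should go. The verification step is deliberately independent of the removal job: it takes a fresh inventory of the device or archive, not the job's own log, so a job that reports success without deleting anything still shows up as a finding. The legal-hold exemption is an assumption of the example, included because a retention policy that purges records subject to a discovery request creates the very legal problem the policy is meant to reduce.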
The choices seem simple. In one scenario, an organization could face bad publicity, irate customers, and the wrath of former and current employees, as well as incur unforeseen or unbudgeted costs. Alternatively, the organization could enact a cohesive data management process that would lower its risk exposure from potential data loss or theft. Taking simple steps such as creating a data retention policy and removing old, unused data can limit risk upfront.