Recently, The IIA published a practice guide on information privacy and a Global Technology Audit Guide on IT governance (PDF downloads for IIA members). A key component of privacy is for the organization to understand its inventory of data and rank its data based on levels of protection, while a component of IT governance is to ensure communication is occurring among all technology areas. Tying these together are findings from the Ponemon Institute, a not-for-profit information security research firm, which surveyed organizations' use of risk-based security management (RBSM) practices and concluded that organizations should emphasize formal RBSM backed by a strategy that is understood by everyone in the business.
The IIA guidance and Ponemon research point to the need for organizations to establish formal communication among technology areas in tandem with enterprisewide data security and privacy policies within an effective privacy program. This can strengthen IT governance and ensure confidential data is protected.
Does This Seem Familiar?
In organizations with decentralized technology operations, confidential data may reside in multiple locations protected by various levels of security. There could be many reasons for this decentralized approach such as a normal evolution over time, lack of resources in the primary technology department that could not keep pace with the organization's rapid growth, or a management decision that selected departments with different objectives require their own technology areas. For example, in some organizations, the marketing department has a separate technology function to enable rapid development of activities such as the organization's website — the electronic face of the organization. For these marketing functions, a website can be a highly innovative area for new initiatives such as selling a product online or launching a customer rewards program.
Despite its potential value for individual departments, decentralization has a downside from a security and privacy perspective. When each technology department manager reports to a different department line manager, there usually is a lack of communication among the various technology functions. As a result, each group's activities or initiatives can affect the other areas with sometimes unintended consequences. Good governance practices based on ongoing communication among all technology areas would provide a mechanism for cooperation and coordination of activities.
For example, the marketing department may have an initiative to collect consumer data that is used for data analyses and specific target marketing. To perform the analyses, data could be downloaded from a server where the data is fully secured and encrypted to a less protected department folder residing on an administrative server controlled by the primary technology department or the marketing employee's desktop computer. In some cases, employees may download consumer data onto their own personal USB memory stick and work on the data at home on their personal computer. From this aspect, there are limitless ways the consumer data could be proliferated across all technology areas and systems, making it harder to keep track of its location and to protect.
By using an overall RBSM approach with good organizational communication practices, the governance process could decrease such risks and events from occurring in decentralized organizations, making them more proactive than reactive. However, although a Ponemon Institute study of U.S. companies finds that most organizations understand the importance of risk when designing and operating technology and data security programs, many lack a formal approach using key preventive and detective controls and a success matrix. Moreover, Ponemon's RBSM study shows that just 52 percent of respondents' organizations have adopted a formal approach to RBSM despite the perception that the approach could reduce security costs and breaches.
What Can the Auditor Do?
The IIA privacy and IT governance guidance and the results of the Ponemon Institute surveys can give auditors a sufficient start to assist management in resolving their organization's data privacy concerns through the creation of an effective privacy program. In scenarios where there is a clear lack of IT governance within the organization — including poor communications among decentralized technology areas — auditors can advise management on the most practical ways to ensure sound governance practices, including formal communications.
Auditors also could assist management in discussions or training on cause-and-effect scenarios among the technology areas. For example, in the situation where the marketing area would download consumer data to multiple locations, communication between marketing and the primary technology area could ensure appropriate protected folders are created to store data on the organization's administrative servers. Additionally, the primary technology area could acquire disk encryption software to protect consumer data stored on the marketing department's desktop computers. Overall data policies and awareness programs would enhance employees' understanding of the risks of downloading data to their personal USB drives and working with the data at home on their own personal computers. Additionally, the primary technology department could provide encrypted USB drives for transportation of confidential data. The auditors' involvement would ensure all parties are aware of the cause-and-effect relationships and risks requiring mitigating controls.
Additionally, auditors could use the Ponemon Institute survey results to heighten awareness of the organization's data security policies and assist management in creating processes for the RBSM program within its decentralized IT framework. An effective RBSM approach along with a sound governance process and formalized communication channels (e.g., IT steering committees) can ensure the privacy of data.