Privacy of Data
Krysti Cox, Dustin Hamilton, Angela Pagenstecher, Jeff Pike

Information Systems Control Journal Vol. 5, 2008
“The security of these systems is vital to the business, and assurance that these systems are secure is essential”
Topics of Discussion
• Overview
• Data Privacy Hits Home
• Business Risks Illustrated
• Information Accountability
• An IT Auditor’s Role
Overview
• Exercising control over data
• The owner of data should be entitled to determine its correctness, applicability, and access rights
• Technology has begun to outpace security
• The importance of assurance has created a demand for competent IT auditors
Information Systems Control Journal Vol. 2, 2007
Overview
• ISACA was formed, and COBIT established
• IS Audit Guideline – Privacy
• Information security accountability and assurance becomes paramount
Communications of the ACM, June 2008/Vol. 51, No. 6
Data Privacy Hits Home
• Where is data privacy seen in day-to-day business operations?
  • Passwords
  • Intranets
  • Access rights and restrictions
  • Network encryption
  • Physical security
Countrywide Financial Corp.
• An employee gained access to customer data and was able to store it on a USB drive
• What are some controls that could have done the following:
  • Prevented this occurrence
  • Directed the control of this risk
  • Detected this breach of security
ComputerWorld, Aug 2008
“With access control and encryption no longer capable of protecting privacy, laws and systems are needed that hold people accountable for the misuse of personal information…”
Communications of the ACM, June 2008/Vol. 51, No. 6
Information Accountability
• Accountability
  • The issue is not access to data, but its inappropriate use
• Transparency
  • Collection and use of information should have a valid purpose, be clearly disclosed, and be within legal compliance
Communications of the ACM, June 2008/Vol. 51, No. 6
Information Accountability
• Challenges
  • Protect privacy without impeding information flow
  • Reliance on secrecy and up-front control
  • Proliferation of personal information on the web
  • Individuals accidentally or intentionally put information on the web and do not know the “end result”
Communications of the ACM, June 2008/Vol. 51, No. 6
Privacy Issues
• AICPA Privacy Task Force
  • Link between individual privacy and organizations
  • Managers are obligated to institute proper internal controls aimed at protecting the confidentiality of personal information
  • Bridges the gap between technical issues and audit objectives
Privacy Issues, Ch. 2, Information Technology Auditing
Privacy Issues
• What information is protected?
• Information that is:
  • Personally identifiable
  • Factual
    • Age, name, income, ethnicity, blood type, biometric images, DNA, credit card numbers, loan information and medical records
  • Subjective
    • Opinions, evaluations, comments, disciplinary actions and disputes
Privacy Issues, Ch. 2, Information Technology Auditing
Role of an IT Auditor
• Information Privacy Governance
  • Assess the effectiveness of controls and related risks
  • Ensure that management:
    • Develops and implements sound controls
    • Operates and manages the controls on an ongoing basis
    • Aligns IT goals with business goals
Information Systems Control Journal Vol. 5, 2008
Role of an IT Auditor
• Evaluate the quality and integrity of security practices
• Determine whether generally accepted standards are followed
• Ensure transparency is met and governance is present
• Issue a report and offer recommendations
Conducting a Privacy Audit, Ruth V. Nelson, PwC; Elizabeth B. Carder, Reed Smith LLP