Any corporation of any size today must worry about privacy and information security. Protecting sensitive information has always made good sense, but most developed nations now have laws that restrict some uses of at least some types of data.

European countries have regulated personal data protection since the mid-1990s. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been on the books since 2001. Asian and Latin American countries have also passed privacy laws. While the U.S. has not implemented a national privacy law, 44 states have their own such laws on the books. The consequences for infractions can be draconian.

In short, ensuring that sensitive information is secure is one of the most important jobs internal auditors have.

Information Security Supports Privacy

Put simply, privacy is the confidential preservation of personal and proprietary information that shouldn’t be available without the data subject’s explicit permission or entitlement. Although companies often limit privacy practices to customer data, the same protection principles can—and usually should—also apply to other kinds of sensitive information, such as employee and business-partner information, proprietary business data, intellectual property, and many other types of information.

Since sensitive data crops up in virtually every corporate function a business has, companies need to take a deep, critical look at the many business needs and legal requirements that affect the ways they collect, use, transmit, and store various types of information. The fundamental restrictions on consumer-oriented information can usually be considered a good “baseline control” for all the other privacy and security considerations a company has. That said, a company’s specific policies and procedures for data breach notifications, collection limitations, consumer control over data, and other controls will depend on the industry, business practices, customer expectations, and other factors.

To respond to the increasing number and level of threats, companies must provide concrete assurance of strategic and comprehensive privacy programs that incorporate managerial, operational, and technical controls. What many think of as information protection—primarily technical controls such as account access management, encryption, secure software development protocols, and anti-virus software—is just one piece of this complex puzzle. Organizations also need to implement and regularly assess other, generally non-technical controls.

Getting Started on an Audit

Although companies often conceptually and procedurally segregate privacy and information security, the practices are two sides of the same coin and neither can be effectively evaluated in a vacuum.

Privacy objectives and obligations provide direction, scope, relevance, and priority for information security controls. Information security provides the confidentiality, availability, and integrity of sensitive information that underpins privacy assurance.

WHAT AUDITORS WANT TO SEE

Sound, proactive managerial practices, including planning, direction, frequent operational monitoring, and regular reporting

A good balance between strategic and tactical goals for both control objectives and operational results

Decisions and actions based on facts, not assumptions or habits

Well-documented policies, standards, and procedures

Documented roles, responsibilities, accountability, and command chains; workforce development; assurance that staff cuts and absences will not compromise controls; and policies for secure staff turnover

Staff awareness, training, and professional development

Consistent compliance with policy and procedures by both staff and managers

Functional, reliable technical controls

Management and staff who can recognize and respond to emerging threats and changing risk factors

Accordingly, privacy audits tend to focus on organizational processes: how information is used; whether those uses are legal, ethical, and supportable from the perspective of the company’s relationship with its customers; and how the organization communicates with customers and other entities about its privacy practices.

Information security assessments also evaluate managerial oversight and operational practices, but they tend to be more technically intensive than privacy audits. Auditors look at automated processes for user authentication, systems access, technology configuration, and other security measures within information systems; and management must support this evaluation with functional tests, evidence of system performance, and technical documentation.

A typical privacy audit scope includes an evaluation of policies, standards, procedures, and plans for data protection, incident response, and customer consent management; roles, responsibilities, and accountability related to privacy and data protection; data collection and use in relation to intended purposes, legal constraints, and customer consent; employee awareness and education programs as well as employee hiring, transfer, and termination controls; control monitoring and reporting; and existing practices benchmarked against good practices for information security.

Privacy and security audits should generally be performed annually, and sometimes more frequently. Within the scope mentioned above, auditors will generally evaluate controls under three major groupings.

Audits of management controls encompass the managerial programs, support, and foundations for effective, efficient privacy and data protection programs. In general, management control audits assess whether: privacy and security policies and procedures have been implemented; performance metrics are documented and performance is measured; controls are supported by adequate budgets, staff, and other resources; and a continuous improvement program is in place and operates effectively. Has the organization required personnel to confirm their understanding of privacy policies and procedures before authorizing access to sensitive information?

Audits of operational controls encompass operational processes in which privacy and data protection are a factor, how the organization oversees privacy and data protection, and the measurement and improvement of control effectiveness. In general, operational control audits assess whether: rules and requirements exist and are documented; controls operate well; employee and managerial actions are in alignment with regulatory requirements; operational processes support privacy and security objectives; and appropriate managers regularly review key performance reports and operating results.

One key question to ask: Does the organization periodically perform a risk analysis to determine the potential material harm that could result from the unauthorized manipulation of information and IT systems that support the operations and assets of the organization? That assessment should include potential impacts on:

brand value;

stock value and investor relationships;

legal liability and regulatory sanctions;

customer and class-action litigation;

customer and employee loyalty and trust;

revenue from customers, business partners, and other relationships.

The assessment should consider and document a worst-case scenario for the compromise, corruption, or misuse of the entire set of data subject to the assessment.

Audits of technical controls encompass systems and automated functions that support privacy and data protection goals. Technical controls address risk inherent in system design, access, and operation, as well as risks inherent in the business processes facilitated by organizational technologies. (For more information refer to my May 2007 column “Auditing Information Security: Are You Protected?”)

Be Proactive

As in all audits, it cannot be overstressed that managers, not auditors, are responsible for defining and implementing solutions to issues found in the audit. Auditors can help management to understand identified risks, best practices, and common privacy and data protection frameworks. Auditors cannot—and should not attempt to—dictate management’s response to known deficiencies. Such an effort would undermine auditor independence and degrade the value of the audit process itself.

I recommend you study the two comprehensive IT Audit guides cited in this month’s resource sidebar and would welcome hearing about your experiences and successes in improving your organization’s privacy and security practices.