
Privacy of Data

Privacy of Data. Krysti Cox, Dustin Hamilton, Angela Pagenstecher, Jeff Pike. Information Systems Control Journal Vol. 5, 2008. “The security of these systems is vital to the business, and assurance that these systems are secure is essential”. Topics of Discussion. Overview



Presentation Transcript


  1. Privacy of Data
     Krysti Cox, Dustin Hamilton, Angela Pagenstecher, Jeff Pike

  2. Information Systems Control Journal Vol. 5, 2008
     “The security of these systems is vital to the business, and assurance that these systems are secure is essential”

  3. Topics of Discussion
     • Overview
     • Data Privacy Hits Home
     • Business Risks Illustrated
     • Information Accountability
     • An IT Auditor’s Role

  4. Overview
     • Exercising control over data
     • The owner of data should be entitled to determine its correctness, applicability, and access rights
     • Technology has begun to outpace security
     • The importance of assurance has created a demand for competent IT auditors
     Source: Information Systems Control Journal Vol. 2, 2007

  5. Overview
     • ISACA was formed, and COBiT established
     • IS Audit Guideline – Privacy
     • Information security accountability and assurance become paramount
     Source: Communications of the ACM, June 2008/Vol. 51, No. 6

  6. Data Privacy Hits Home
     • Where is data privacy seen in day-to-day business operations?

  7. Data Privacy Hits Home
     • Where is data privacy seen in day-to-day business operations?
       • Passwords
       • Intranets
       • Access rights and restrictions
       • Network encryption
       • Physical security

  8. Countrywide Financial Corp.
     • An employee gained access to customer data and was able to store it on a USB drive
     • What are some controls that could have done the following:
       • Prevented this occurrence
       • Directed the control of this risk
       • Detected this breach of security
     Source: ComputerWorld, Aug 2008

  9. “With access control and encryption no longer capable of protecting privacy, laws and systems are needed that hold people accountable for the misuse of personal information…”
     Source: Communications of the ACM, June 2008/Vol. 51, No. 6

  10. Information Accountability
     • Accountability
       • The issue is not access to data, but that it is used inappropriately
     • Transparency
       • Collection and use of information should have a valid purpose, be clearly disclosed, and be within legal compliance
     Source: Communications of the ACM, June 2008/Vol. 51, No. 6

  11. Information Accountability
     • Challenges
       • Protect privacy without impeding information flow
       • Reliance on secrecy and up-front control
       • Proliferation of personal information on the web
       • Individuals accidentally or intentionally put information on the web and do not know the “end result”
     Source: Communications of the ACM, June 2008/Vol. 51, No. 6

  12. Privacy Issues
     • AICPA Privacy Task Force
     • Link between individual privacy and organizations
     • Managers are obligated to institute proper internal controls aimed at protecting the confidentiality of personal information
     • Bridges the gap between technical issues and audit objectives
     Source: Privacy Issues, Ch. 2, Information Technology Auditing

  13. Privacy Issues
     • What information is protected?
       • Information that is:
         • Personally identifiable
         • Factual: age, name, income, ethnicity, blood type, biometric images, DNA, credit card numbers, loan information and medical records
         • Subjective: opinions, evaluations, comments, disciplinary actions and disputes
     Source: Privacy Issues, Ch. 2, Information Technology Auditing

  14. Role of an IT Auditor
     • Information privacy governance
     • Assess the effectiveness of controls and related risks
     • Ensure that management:
       • Develops and implements sound controls
       • Operates and manages the controls on an ongoing basis
       • Aligns IT goals with business goals
     Source: Information Systems Control Journal Vol. 5, 2008

  15. Role of an IT Auditor
     • Evaluate the quality and integrity of security practices
     • Determine whether generally accepted standards are followed
     • Ensure transparency is met and governance is present
     • Issue a report and offer recommendations
     Source: Conducting a Privacy Audit, Ruth V. Nelson, PwC, and Elizabeth B. Carder, Reed Smith LLP
