Are controls put in place as stated in the IT security policy framework? Control frameworks such as those from COBIT, NIST, and the International Organization for Standardization (ISO) are useful here. They provide an effective means to assess and document an organization’s implementation of controls. This process is quite effective, especially when the organization’s framework is based on a well-known external framework.
The organization might have mappings of its controls to well-known frameworks. If available, auditors may use these mappings but should verify them first. The verified mapping should be included in the final report. In addition, the mapping provides the method for conducting the analysis of any gaps. These gaps should also be documented. Documenting the gap analysis is discussed in the next section.
The frameworks mentioned earlier include controls. These controls are essential to protecting privacy data. An audit may be concerned with assessing the protection of privacy data. Alternatively, it may be concerned with compliance with privacy laws. In both cases, the audit should report specifically on established privacy principles. Refer to the Generally Accepted Privacy Principles (GAPP) if necessary. The report should also note the organization’s current implementation, the related controls, and the associated risks. Table 7-6 provides examples of related risks relevant to each privacy principle.
TABLE 7-6 Generally Accepted Privacy Principles and associated risks.
| Privacy Principle | Risk |
|---|---|
| Management | Lack of accountability can result in inadequate privacy protection as well as noncompliance with legislation. |
| Notice | If individuals cannot obtain the privacy policies, they may deny consent to use personal information. |
| Choice and consent | If consent is not obtained prior to collecting personal information, the organization can suffer reputational risk and loss of customer trust. |
| Collection | Collecting more information than is needed can result in increased retention and security costs and introduce additional liability. |
| Use and retention | Personal information could be prematurely destroyed, resulting in information not being available to make important decisions. |
| Access | Individuals unable to access their information might not be able to correct inaccurate information. This could result in a negative decision being made about the individual, resulting in legal liability. |
| Disclosure to third parties | Providing data to third parties with inadequate controls could affect customer retention and result in identity theft. |
| Security for privacy | Inadequate security controls could result in the unauthorized use of privacy data, causing harm to individuals. |
| Quality | Basing business decisions on inaccurate personal information could result in lost profits. |
| Monitoring and enforcement | Customer satisfaction and retention might be jeopardized if customer inquiries or complaints are not adequately addressed as a result of an ineffective monitoring process. |
The risks to the organization for each of the privacy principles should be clearly documented in the audit report. In recent years, IT security personnel have had to be more aware of privacy implications because of the growing number of privacy regulations. IT controls for privacy go beyond just securing data to prevent improper use. Most IT frameworks address privacy to a certain extent. In addition, both the IIA and ISACA publish guidelines that establish common privacy controls and audit processes.