Data in Transit- Bridging the Gap between Data Owners and Custodians

Ensuring both the integrity and confidentiality of data as it traverses an organization’s internal network and beyond can be complex, especially when attempting to bridge the gap between the Data Owner and Data Custodian, who typically view the organization from very different angles.

This presents the IT auditor with a great opportunity to act as the liaison between Data Owners and Data Custodians and communicate risk in a digestible format which helps drive smart decision making. But where does an IT auditor begin when performing a risk assessment of data in transit within an organization?

Step 1: Understand the Data Owner’s Concerns, Fears and Trepidations

Oftentimes, auditors likes to rank risks ranging from Process Improvements to Low, Medium and High. Referring to risk in more personal terms allows the IT auditor to discover what is really on the client’s mind. Keep this technique in mind as you embark on your next risk assessment.

During initial conversations with the Data Owners and Custodians, start a conversation with smart questions that will allow you to build a risk register, documenting risks as your client perceives them, ranging from general concerns to what keeps him up at night.

Key Points of Inquiry with Data Owners and Data Custodians
What is the nature of the traffic and does data need to be retained or maintained for legal or regulatory purposes?	The nature of the data will drive further discussion. Determine if data consists of financial transactions, Personally Identifiable Information, Personal Health Information, or sensitive proprietary information.
What are the data owner and data custodian’s perceived key risks?	Both the data owner and the data custodian should be consulted. The Data owner should make final decisions about treatment of data.
How is data classified?	Determine who is in charge of data classification. The custodian or the client owner? Is data treated differently based on classification? Should it be?
Identify key corporate policies	Determine whose policies are followed when it comes to data protection. The custodian or the data owner? Are these provisions included in contractual agreements?

Step 2: Collect and Review Documentation

The next step in completing a success audit of data in transit is to collect relevant documentation from Data Custodians and IT Operations staff for inquiry.

PBC Requests:

Network Topology and Systems Diagrams
Listing of Vendor/3rd Party Service Providers (e.g. Datacenter colocations) and relevant compliance reports (e.g. SOC Reports, PCI Compliance Reports)
Technical descriptions of in-scope systems and any internal security briefings.

Step 3: Do your Homework, and be prepared to ask Directed Questions

Armed with a deep understanding of the organization’s IT infrastructure, the next task is to research any concepts, protocols or system components you have discovered are in place during the document review.

Finally, schedule interviews with key Data Custodians and begin performing inquiries and observations based on what you have learned.

Technical Inquiry Overview for IT Operations and Data Custodians
Data at Rest	Is user inputted data retained by the organization? If yes, how is data managed and stored (e.g. within a database or a network storage device)? Is data encrypted at rest? What type of encryption is employed if applicable? How are encryption keys and certificates managed?
Data in Transit	Is data encrypted in transit? If no, is data transmitted only over the private network (i.e. via VPN or MPLS). Where does data travel in transit (through which countries and through which vendors)? What protocol is used to transmit the data (e.g. TCP/IP, UDP, FTP, RTP/RTSP)? What mechanisms are used to ensure data integrity of transmitted data (e.g. via Checksum verification, error logging)?
Vendor Management	Is there a vendor management system? Which vendors come in contact with data in transit? Is there a periodic review process in place to verify that all vendors who touch data in transit have met all regulatory and contractual requirements?
Geographic and Logical Location of Data at Rest	Where does data reside? (e.g. within the corporate network, within a DMZ, on a public facing/edge server)? Where is data geographically located when at rest (including backups and redundancy)?
Network Security	What network security safeguards are in place (i.e. Firewall, Intrusion Detection Systems, Web Proxy devices) Is the network logically or physically segregated in any way? Has a network risk or penetration test been performed within the last year? Do all systems with sensitive data follow a standard hardening process implementing industry best practices for that particular environment?
Logical Access	Who has access to data (both internal and external to the organization)? Who has access to backups and logs? Is access periodically reviewed? How is access granted or denied?
Incident Management and Disaster Recovery	Does the data transfer/storage process to redundant and backup sites undergo the same scrutiny as production environments? How do you know if data is intercepted, corrupted, or otherwise compromised? How is this information communicated to the data owner?

Step 4: Compile, Quantify and Report on your Findings

Once you have completed the inquiry and research phases of the project, the final step is to compile the information, quantify your findings and report them in a format that the Data Owner can easily digest and comprehend.

In this phase, the Internal Audit and Enterprise Risk Management teams should use their familiarity with regulatory and compliance standards to identify potential issues (e.g. Safe Harbor, HIPAA, PCI DSS, GLBA).

The final report should include ranking of risks with a related explanations and potential suggestions on remediation and perhaps even a risk register to start the process of remediation.