Ensuring both the integrity and confidentiality of data as it traverses an organization’s internal network and beyond can be complex, especially when attempting to bridge the gap between the Data Owner and Data Custodian, who typically view the organization from very different angles.
This presents the IT auditor with a great opportunity to act as the liaison between Data Owners and Data Custodians and communicate risk in a digestible format which helps drive smart decision making. But where does an IT auditor begin when performing a risk assessment of data in transit within an organization?
Step 1: Understand the Data Owner’s Concerns, Fears and Trepidations
Oftentimes, auditors likes to rank risks ranging from Process Improvements to Low, Medium and High. Referring to risk in more personal terms allows the IT auditor to discover what is really on the client’s mind. Keep this technique in mind as you embark on your next risk assessment.
During initial conversations with the Data Owners and Custodians, start a conversation with smart questions that will allow you to build a risk register, documenting risks as your client perceives them, ranging from general concerns to what keeps him up at night.
|Key Points of Inquiry with Data Owners and Data Custodians|
|The nature of the data will drive further discussion. Determine if data consists of financial transactions, Personally Identifiable Information, Personal Health Information, or sensitive proprietary information.|
|Both the data owner and the data custodian should be consulted. The Data owner should make final decisions about treatment of data.|
|Determine who is in charge of data classification. The custodian or the client owner? Is data treated differently based on classification? Should it be?|
|Determine whose policies are followed when it comes to data protection. The custodian or the data owner? Are these provisions included in contractual agreements?|
Step 2: Collect and Review Documentation
The next step in completing a success audit of data in transit is to collect relevant documentation from Data Custodians and IT Operations staff for inquiry.
Step 3: Do your Homework, and be prepared to ask Directed Questions
Armed with a deep understanding of the organization’s IT infrastructure, the next task is to research any concepts, protocols or system components you have discovered are in place during the document review.
Finally, schedule interviews with key Data Custodians and begin performing inquiries and observations based on what you have learned.
Technical Inquiry Overview for IT Operations and Data Custodians
|Data at Rest|
|Data in Transit|
|Geographic and Logical Location of Data at Rest|
|Incident Management and Disaster Recovery|
Step 4: Compile, Quantify and Report on your Findings
Once you have completed the inquiry and research phases of the project, the final step is to compile the information, quantify your findings and report them in a format that the Data Owner can easily digest and comprehend.
In this phase, the Internal Audit and Enterprise Risk Management teams should use their familiarity with regulatory and compliance standards to identify potential issues (e.g. Safe Harbor, HIPAA, PCI DSS, GLBA).
The final report should include ranking of risks with a related explanations and potential suggestions on remediation and perhaps even a risk register to start the process of remediation.