
Preparing for a Privacy Audit


A privacy audit examines the information life cycle processes organization-wide. This audit focuses on the total information flow: who sees, handles, modifies, or otherwise manipulates the information across the organization. Performing a privacy audit also requires knowledge of the privacy laws in force for all the geographic areas your institution operates in, and knowledge of what information should be private within the enterprise.

The value a privacy audit brings to an organization includes:

  1. Identifying weaknesses in security and the corrective actions needed to protect sensitive/personal data
  2. Identifying gaps that need to be addressed by the organization to comply with applicable privacy laws and regulations
  3. Enhancing credibility and promoting confidence and goodwill by being recognized for safeguarding data (that is, reducing reputational risk)
  4. Reducing the risk of identity theft

Auditing for privacy involves the following:

  1. Identifying what data the organization typically collects and generates.
  2. Assessing the organization’s maximum legal ‘privacy protection’ requirements for different types of data, and assessing compliance status with the legislative requirements associated with the types of data that are processed and stored by the organization.
  3. Assessing the organization’s relevant privacy-related policies and procedures.
  4. Assessing the organization’s data classification scheme.
  5. Assessing whether the methods used by the organization to protect the information/data are adequate for the data type. That is, reviewing existing security policies and procedures to determine their effectiveness in protecting confidential data.

Organization preparatory efforts: Identify what data your organization typically collects and generates

Map your organization’s data flows by creating a “Data Map.” A “Data Map” details how and what type of information is being received, utilized, managed, and passed on by your organization. In conducting this assessment, you should answer the following questions:

  • What information is moving between departments or between individuals within your organization?
  • What information is moving from your organization to third parties?
  • What information is your organization receiving from third parties?
  • What relevant information is moving across state/national boundaries?

The answers to these questions determine your organization’s level of privacy-related exposure, which in turn should shape your organizational privacy strategy.

Organization preparatory efforts: Identify the maximum legal privacy protection requirements for different types of data

Your organization should familiarize itself with applicable privacy laws and regulations and identify those that are specific to its industry, customers, country, and state. Armed with this knowledge, your organization can design and implement a compliance program that meets the different regulatory requirements and identifies the requirement areas they have in common, so that compliance efforts are consolidated rather than duplicated.

Organization preparatory efforts: Identify your organization’s relevant privacy-related policies and procedures

Your organization should develop, disseminate, and periodically review/update:

  • A formal, documented privacy policy that addresses purpose, scope, roles, responsibilities, and compliance; and
  • Formal, documented procedures to facilitate the implementation of the privacy policy and associated controls. The organization should include a requirement that personnel confirm their understanding of privacy policies and procedures before being authorized to access sensitive information.

Organization preparatory efforts: Identify what information/data should be private, why the organization considers it private, and where it is stored

The organization should develop a data classification standard for specifying the sensitivity of personal information. This includes identifying what information your organization holds and which of it should be considered private: Financial Data, Personal Health Information, Employee Data, Customer Data, and other Personally Identifiable Information. Once this is understood, you should develop a simple data classification scheme.
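The data map questions above and the classification scheme described here can be worked together as a small inventory check. The following is an added example, not code from the original post: it takes a constructed list of data flows, answers the four data map questions for each flow, and flags sensitive data that crosses the organization boundary or a state/national boundary. The department names, third-party names, country codes, and the classification scheme itself are all constructed assumptions; unknown data types are treated as sensitive so that gaps in the scheme show up in the report rather than being silently ignored.

```python
from dataclasses import dataclass
# Constructed classification scheme; unknown categories count as sensitive so gaps surface.
CLASSIFICATION = {"financial": "confidential", "phi": "restricted", "employee": "confidential",
                  "customer_pii": "confidential", "marketing_stats": "internal"}
SENSITIVE = {"confidential", "restricted", "unclassified"}

@dataclass(frozen=True)
class Flow:
    data_type: str          # key into CLASSIFICATION
    source: str             # department or external party (constructed names)
    dest: str
    source_internal: bool   # True when that endpoint belongs to the organization
    dest_internal: bool
    source_country: str     # constructed jurisdiction codes
    dest_country: str

def flow_kind(f):
    """First three data-map questions: internal, to a third party, or from one."""
    if f.source_internal and f.dest_internal:
        return "internal"
    if f.source_internal:
        return "outbound_third_party"
    return "inbound_third_party" if f.dest_internal else "external"

def crosses_border(f):
    """Fourth data-map question: does the flow cross a state/national boundary?"""
    return f.source_country != f.dest_country

def exposure_report(flows):
    """Group flows by kind; flag sensitive data crossing the org boundary or a border."""
    report = {k: [] for k in ("internal", "outbound_third_party", "inbound_third_party",
                             "external", "cross_border", "high_exposure")}
    for f in flows:
        kind = flow_kind(f)
        report[kind].append(f)
        if crosses_border(f):
            report["cross_border"].append(f)
        label = CLASSIFICATION.get(f.data_type, "unclassified")
        if label in SENSITIVE and (kind != "internal" or crosses_border(f)):
            report["high_exposure"].append(f)
    return report
# Constructed sample inventory: the kind of rows a data-mapping exercise produces.
SAMPLE_FLOWS = [
    Flow("customer_pii", "Sales", "Billing", True, True, "US", "US"),
    Flow("phi", "Clinic", "ClaimsProcessorCo", True, False, "US", "US"),
    Flow("employee", "HR", "PayrollVendor", True, False, "US", "IN"),
    Flow("marketing_stats", "Marketing", "AdAgency", True, False, "US", "GB"),
    Flow("financial", "BankPartner", "Finance", False, True, "DE", "US"),
    Flow("survey_responses", "Research", "Research-EU", True, True, "US", "FR"),
]
```

Running `exposure_report(SAMPLE_FLOWS)` on this inventory flags the PHI sent to a claims processor, the employee data sent offshore, the financial data received from abroad, and the unclassified survey responses moving to an EU office, while the internal US-only customer flow and the non-sensitive marketing statistics are not flagged.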

Organization preparatory efforts: Identify the methods used to protect (secure) the data/information and determine whether they are adequate

How private information is protected is of concern for legal and practical reasons. Inaccurate data is worthless, corrupted information is useless, and stolen data is embarrassing and costly to the organization.

Protecting data involves:

  1. Defining a security policy around the identified data.
  2. Implementing the security solution appropriate to the sensitivity level of the data being protected, the risk level, and the organization’s acceptable level of risk.
