THE PRIVACY AUDIT: A PRIMER
by:
Pamela Jerskey, Ivy Dodge, Sanford Sherizen
INTRODUCTION
Privacy issues are creating an increasing number of problems for organizations, as well
as for IS auditors and information security officials. Dynamic and complex, these issues
do not readily lend themselves to routine internal control reviews, particularly those that
examine segregation of duties, authorization, accounting control practices, conflict of
interest, and security. Moreover, the policies formulated by organizations to deal with
privacy concerns must address the often ambiguous and contradictory issues of moral,
legal, and professional standards. The goal of our paper is to help clarify this situation by
generating a set of ideas to guide auditors as they institute privacy audits in their
organizations.
What is Privacy?
Privacy is the right of an individual or an organization to maintain information that is safe
from examination by others. The right to privacy, while not explicitly mentioned in the
Constitution of the United States, is a very basic one. However, the requirements for
privacy invariably elicit strong and controversial philosophical debate.
Increasingly, privacy has become an issue of organizational and legislative concern. The
privacy audit is a new approach to determining how organizations are responding to
these concerns. Through such an approach, IS auditors can serve central roles in limiting
the misuse of information and protecting organizations from liability and public relations
problems. In so doing, IS auditors must ensure that information processing procedures
are sufficient to meet emerging privacy requirements and standards by reviewing the
ways in which information about clients, customers, and employees is collected,
managed, stored, and distributed by organizations.
In order to tackle the problems inherent in conducting a privacy audit, the concepts, or
policies, that determine an organization's definition of privacy must be applied to the
examination of the resources that contain private information.
The Policy Statement
The first objective of any audit is to evaluate an organization's existing policies and
procedures. It follows, therefore, that before an organization can conduct a privacy
audit, a policy statement on privacy must be in place. A process that respects the rights
of the individual, as well as those of the organization, would consider the following
questions when formulating a privacy policy:
What are the specific privacy needs of the organization? For example,
manufacturing companies must protect trade secrets and patents, and health care
organizations must emphasize patient confidentiality.
What, if any, are the privacy laws and regulations to which the organization is
subject? For example, federal legislation requires colleges and universities to
protect the privacy of student educational records, and financial organizations
must meet credit protection standards.
How stringent a security policy is the organization willing to implement, and what
risks is the organization willing to take? How are these risk management
decisions formulated and by whom?
At what point do the rights of the individual and the rights of the organization
coincide, and at what point do they conflict?
Who within the organization will institute and promote its policies and procedures
governing privacy?
Who will oversee the organization's effort to enforce these measures?
How is information used, merged, stored, protected, and distributed inside as well
as outside the organization?
When addressing privacy issues in a policy statement, it is important to be aware of the
laws and regulations to which the organization is subject, and to ensure that responsible
individuals are sufficiently aware of the legal parameters by which they are bound.
Before undertaking the policy formulation process, then, it is advisable to review with
legal counsel the current laws and regulations that pertain to the organization. Various
departments within your organization, including Internal Audit, Policies and Procedures,
MIS, Security Administration, and Human Resources, may also prove helpful in the
policy formulation process.
Private Information
The rapidly growing development of computer technology has made it difficult to monitor
the confidentiality of private information. Distributed networks, as well as fourth
generation languages, report generators, database query tools, and decision support
systems all present risks to the security of private information. Take, for example,
private information that is stored on a mainframe. This information may also be resident
on a file server that is accessed by many individuals, or it may be transferred from one
system to another through networks. Client/server technology presents risks to the
security of private information for similar reasons. Laptop computers, FAX machines,
cellular telephones, and electronic mail all add to an organization's difficulties in
maintaining the security and confidentiality of private information.
Most users are not aware of the high volume of computer information and the speed
with which it can be manipulated (i.e., disseminated, merged with other data). Consider
the case of an individual who contributes to a charitable or political organization. Soon,
the same individual receives mailings from similar organizations asking for contributions.
This same data may be merged with other information on databases throughout the
country or the world, enabling the compilation of a profile for marketing strategies, voting
patterns, and other uses. Such is the impact of computer technologies on privacy and
security issues.
In many cases, the designation of information as "private" is a subjective one. Privacy
often represents very different, and possibly contradictory, concerns for individuals and
for organizations. What an individual may consider as private, an organization may
consider as information to be sold. However, there are federal privacy laws, and varying
state laws, that affect the confidentiality of the personal information maintained by an
organization. Examples of the types of information and technology subject to legally
mandated privacy restrictions include: arrest records, bank records, cable tv, credit
reporting and investigation, criminal justice records, data banks, employment records,
insurance records, mailing lists, medical records, privileged communications, school
records, social security numbers, tax records, telephone solicitation, and wiretaps.
Detailed information for the various states can be found in Robert Ellis Smith's
compilation of state & federal privacy laws, published by Privacy Journal.
Not all seemingly private information is subject to specific laws. Union/management
agreements, client/customer wishes, and appropriate due diligence, if not observed, may
create negative publicity for an organization should private information fall into the
wrong hands.
There will always be continual change and evolution in the field of computer technology.
It is important, then, to re-evaluate periodically an organization's confidentiality
requirements and scope of security in relation to the current computer environment.
THE PRIVACY AUDIT
The first objective of a privacy audit is to evaluate the organization's current policies and
procedures regarding privacy of information. In seeking to ensure that confidential
information is secure, it is important to confirm that policies and procedures are
consistent, regardless of where the information resides or who handles it.
Auditing private information observes the same standards as auditing any other type of
information. However, as noted earlier, it is important to be aware of the various privacy
laws and regulations to which the organization may be subject. Once they have been
reviewed, and the data have been classified to determine the amount of security required
to protect privacy of information in the organization, one can begin to define audit steps
to ensure the continued administration of privacy standards. Some of the areas that
warrant examination in a privacy audit include the following.
Data Security and Access Controls
Access controls protect an organization's confidential data from unauthorized
modification or use, damage, and loss. In examining an organization's access controls,
the auditor should:
Determine if the organization employs an information security administrator who
is responsible for providing guidelines for securing confidential data.
Determine if published policies and procedures exist that address data security.
The policies should clearly define the responsibilities of users, management, and
security administrators.
Review data for compliance with the organization's established policies and
standards.
Determine if data security is in compliance with all applicable privacy laws and
regulations.
Determine if data security operations can interfere with the privacy of individuals
or information.
Password Administration
Effective password administration restricts the use of confidential data. In examining an
organization's procedures for password use, the auditor should:
Review the procedure for adding and deleting individual access on all systems.
Determine if procedures exist to change access capabilities when individuals are
assigned to new positions.
Review password guidelines to determine if they:
are of an appropriate length
are not likely to be easily guessed
are not composed of repeating characters
are changed periodically
are not reused by the same individual
Determine if dynamic "tokens" or other multifactor authentication measures are
used.
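The access-administration and password steps above can be exercised against exported records rather than by interview alone. The following is an added example, not part of the original paper: it reconciles a system's account export against an HR roster to find accounts that survive termination, access that was never removed when a person changed position, and passwords that are stale or reused from history. The record layouts, field names, entitlement matrix, and 90-day maximum age are assumptions constructed so the check runs offline.

```python
"""Reconcile a system's account export against the HR roster.

Added example for a privacy audit; not from the original paper. The HR
roster, account export, entitlement matrix and policy values below are
constructed assumptions, not data from any real organization.
"""
from datetime import date

# Constructed HR roster: employment status and current position per user.
HR_ROSTER = {
    "asmith": {"status": "active", "position": "payroll_clerk"},
    "bjones": {"status": "terminated", "position": "nurse"},
    "cwu": {"status": "active", "position": "it_support"},  # moved here from payroll
}

# Constructed account export from a system holding confidential data:
# groups granting access, date of last password change, hashes of prior
# passwords and the hash of the current one.
ACCOUNTS = [
    {"user": "asmith", "groups": ["payroll_ro"], "pw_changed": date(2024, 3, 1),
     "pw_history": ["h1", "h2", "h3"], "pw_current": "h4"},
    {"user": "bjones", "groups": ["patient_records"], "pw_changed": date(2023, 12, 1),
     "pw_history": [], "pw_current": "h9"},
    {"user": "cwu", "groups": ["payroll_rw", "helpdesk"], "pw_changed": date(2023, 6, 1),
     "pw_history": ["h5", "h6"], "pw_current": "h5"},
    {"user": "svc_batch", "groups": ["payroll_rw"], "pw_changed": date(2022, 1, 1),
     "pw_history": [], "pw_current": "h7"},
]

# Assumed entitlement matrix: the groups each position is allowed to hold.
ENTITLEMENTS = {
    "payroll_clerk": {"payroll_ro"},
    "nurse": {"patient_records"},
    "it_support": {"helpdesk"},
}

MAX_PASSWORD_AGE_DAYS = 90     # assumed policy value
AS_OF = date(2024, 4, 1)       # assumed audit date, fixed so results are repeatable


def audit_accounts(accounts, roster, entitlements, today):
    """Return a list of (user, finding) pairs for every control failure found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # An account with no HR record is either an orphan left behind by
            # an incomplete deletion procedure or an unregistered service account.
            findings.append((user, "no HR record (orphan or service account)"))
        elif person["status"] != "active":
            findings.append((user, "account active after termination"))
        else:
            # Access beyond the current position indicates that groups were not
            # revoked when the individual was reassigned.
            allowed = entitlements.get(person["position"], set())
            excess = sorted(set(acct["groups"]) - allowed)
            if excess:
                findings.append((user, f"access beyond current position: {excess}"))
        age = (today - acct["pw_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password not changed in {age} days"))
        if acct["pw_current"] in acct["pw_history"]:
            findings.append((user, "current password reused from history"))
    return findings


def run_audit():
    """Run the reconciliation over the constructed data set."""
    return audit_accounts(ACCOUNTS, HR_ROSTER, ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:10s} {finding}")
```

The reconciliation depends on the HR roster being the authoritative source of who is employed and in what position; where the roster itself is maintained on the system under review, the auditor should obtain it independently from Human Resources.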
Database Administration
Effective database administration controls the integrity and security of confidential data
that are shared by multiple users. Database management software, which provides
access to and control over shared data, should be installed and maintained to ensure the
integrity of both the data and the software. In examining an organization's procedures
for database administration, the auditor should:
Determine if the organization employs a database administrator.
Determine if published policies and procedures exist that address access to, and
the organization and control of, shared confidential data.
Confirm compliance with published policies and procedures.
Verify that confidential data are identified, and that data ownership within the
organization is clearly defined.
Determine if database software provides appropriate field-level sensitivity.
Personnel Security
Organizations should ensure that all personnel concerns are subject to privacy and
confidentiality controls. In examining an organization's personnel procedures, the auditor
should:
Verify that employment procedures, including application and termination
processes, are performed in a confidential manner.
Confirm that the privacy of employee e-mail is in compliance with company
policy.
Verify the confidentiality of individual job attributes, such as classification
information, salaries, etc.
Wide-Area Network Administration
Organizations should establish and maintain adequate control over the security of the
confidential databases used in their distributed data processing networks. Such control
should be extended to include the use of laptop computers, FAX machines, cellular
telephone transmissions, and electronic mail. In examining the control procedures for an
organization's wide-area network, the auditor should:
Verify that the confidential data elements of the network are identified, and that
procedures exist to ensure their security.
Confirm that encryption techniques are utilized for confidential information that
travels across a network.
Determine if the algorithm used to encrypt data is sufficiently robust.
Local Area Networks and End User Computing Controls
Organizations should formulate procedures for the creation and maintenance of
confidential data files on local area network file servers and microcomputers. In
examining these procedures, auditors should:
Verify that end-user computing controls exist in the following areas:
access and password administration
backup practices
documentation
virus protection software.
Determine if confidential data files are encrypted.
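Identifying where confidential data elements actually reside on file servers and workstations (the wide-area network step above) and confirming that confidential files are encrypted can both be supported by a scan for identifiers stored in the clear. The following is an added example, not code from the original paper: it builds a small constructed directory tree, then reports every readable file containing a plausible social security number or a payment card number that passes the Luhn check. The sample files, the patterns, and the treatment of non-text files as not readable in the clear are assumptions.

```python
"""Scan a directory tree for confidential identifiers stored in plaintext.

Added example for a privacy audit; not from the original paper. The sample
files below are constructed and written to a temporary directory so the
scan runs offline; no real personal data is used.
"""
import os
import re
import tempfile

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample files. The .enc file stands in for data encrypted at
# rest: its bytes are not valid UTF-8 and so cannot be read as text.
SAMPLE_FILES = {
    "hr/payroll_extract.csv": "name,ssn,salary\nA. Smith,123-45-6789,52000\n",
    "finance/refunds.txt": "card 4111 1111 1111 1111 refunded 2024-03-01\n",
    "memo.txt": "Order 000-12-3456 is a ticket number, not an SSN.\n",
    "backup/payroll.enc": bytes(range(256)) * 4,
}


def valid_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn check digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return (kind, matched_text) pairs for each identifier found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def scan_directory(root):
    """Map each relative path holding plaintext identifiers to its hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                # Not readable as text (binary, or encrypted at rest): no
                # identifiers are exposed in the clear in this form.
                continue
            hits = find_identifiers(text)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree():
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="privacy_audit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


def run_scan():
    """Build the sample tree and scan it."""
    return scan_directory(build_sample_tree())


if __name__ == "__main__":
    for rel, hits in sorted(run_scan().items()):
        print(rel, hits)
```

A file that does not decode as text is treated here as not exposing identifiers in the clear; that is a screening assumption, and the auditor should separately confirm that such files are in fact encrypted rather than merely in a binary format.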
Physical Security
To help protect an organization's confidential data from unauthorized modification or use,
damage, and loss, computer systems should be physically secured. In examining the
physical security of an organization's computer systems, the auditor should:
Confirm that access to the computer facility (room or installation), and access to
microcomputer workstations and file servers, are restricted to those individuals
specifically authorized to conduct computer operations. These restrictions should
apply to the tape vault as well as any off-site storage facilities.
Determine if proper controls (e.g., key pads, alarms, surveillance equipment) are
in place to prevent the unauthorized access of computer systems that contain
confidential information.
Storage and Disposal of Output
Security breaches are a likely result of the improper storage and disposal of confidential
data output. In examining an organization's procedures for the storage and disposal of
such data output, the auditor should:
Determine those areas where confidential output is generated, distributed, and
stored.
Determine if published procedures exist for the disposal of confidential output,
and confirm compliance with procedures.
Verify that appropriate controls (e.g., required signatures) are in place when
confidential data are disseminated.
CONCLUSION
Clearly, the need for organizations to address the issues of privacy and confidentiality is
undeniable. How effectively they do so is the concern of the auditor. Although we have
offered a few basic ideas for auditors to consider, audit standards need to be developed
within private and government sectors to provide information security professionals with
appropriate guidelines for restricting the use of private information. And, of course, we
all must continue to work to raise everyone's level of security awareness.
REFERENCES and RECOMMENDED READING