IS Auditing Guideline: G31 Privacy 


1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S1 Audit Charter states, "The purpose, responsibility, authority and accountability of the information systems audit function or information systems audit assignments should be appropriately documented in an audit charter or engagement letter.”
1.1.2 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards.”
1.1.3 Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”

1.2 Linkage to COBIT

1.2.1 High-level control objective PO8, Ensure compliance with external requirements, states, “Control over the IT process of ensuring compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations is enabled by identifying and analysing external requirements for their impact, and taking appropriate measures to comply with them and takes into consideration:

  • Laws, regulations and contracts
  • Monitoring legal and regulatory developments
  • Regular monitoring for compliance
  • Safety and ergonomics
  • Privacy
  • Intellectual Property”

1.2.2 Detailed control objective PO8.4, Privacy, intellectual property and data flow states, “Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organisation.”

1.3 Reference to COBIT

1.3.1 The COBIT references below identify the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IS processes and consideration of COBIT control objectives and associated management practices. For a privacy issue, the COBIT processes most likely to be selected and adapted are classified as primary and secondary in the following list. The processes and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
1.3.2 Primary:

  • PO8—Ensure compliance with external requirements
  • DS5—Ensure systems security

1.3.3 Secondary:

  • PO7—Manage Human Resources
  • DS1—Define and manage service levels
  • DS2—Manage third-party services
  • DS10—Manage problems and incidents 
  • DS11—Manage data
  • DS13—Manage operations
  • M1—Monitor the processes
  • M2—Assess internal control adequacy
  • M3—Obtain independent assurance
  • M4—Provide for independent audit

1.3.4 The information criteria most relevant to a privacy review are:

  • Primary—Effectiveness, compliance, confidentiality and integrity. 
  • Secondary—Reliability and availability.

1.4 Purpose of the Guideline

1.4.1 The purpose of this guideline is to assist the IS auditor to appreciate privacy and appropriately address the privacy issues in carrying out the IS audit function. This guideline is aimed primarily at the IS audit function; however, aspects could be considered for other circumstances.
1.4.2 This guideline provides guidance in applying IS Auditing Standards. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.

1.5 Guideline Application

1.5.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and guidelines.

1.6 Definition of Privacy in an IS Auditing Context—Limits and Responsibilities

1.6.1 Privacy means adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). Management is responsible to comply with privacy in accordance with its privacy policy or applicable privacy laws and regulations.
1.6.2 Personal data is any information relating to an identified or identifiable individual.
1.6.3 The IS auditor is not responsible for what is stored in the personal databases; however, he/she should check whether personal data are correctly managed with respect to legal prescriptions through the adoption of the correct security measures.
1.6.4 The IS auditor should review management’s privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations including transborder data flow requirements, such as Safe Harbor and OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (see reference section).
1.6.5 IS auditors should review the privacy impact analysis or assessment carried out by management. Such assessments should:

  • Identify the nature of personally identifiable information associated with business processes
  • Document the collection, use, disclosure and destruction of personally identifiable information
  • Provide management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
  • Provide reasonable assurance that accountability for privacy issues exists
  • Create a consistent format and structured process for analysing both technical and legal compliance with relevant regulations
  • Reduce revisions and retrofit the information systems for privacy compliance
  • Provide a framework to ensure that privacy is considered starting from the conceptual and requirements analysis stage to the final design approval, funding, implementation and communication stage

1.6.6 IS auditors should determine whether these assessments are conducted as part of an initial privacy review and on an ongoing basis for any change management project, such as:

  • Changes in technology
  • New programs or major changes in existing programs
  • Additional system linkages
  • Enhanced accessibility
  • Business process reengineering
  • Data warehousing
  • New products, services, systems, operations, vendors and business partners

1.6.7 In assessing applicable privacy laws and regulations that need to be complied with by any particular organisation, particularly for organisations operating in different parts of the globe, IS auditors should seek an expert opinion as to the requirement of any laws and regulations and should carry out the necessary compliance and substantive tests to form an opinion and report on the compliance of such laws and regulations.
1.6.8 Data controller is a party who is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf.

2.  AUDIT CHARTER

2.1 Privacy in the Connected World

2.1.1 The advancement of communication technology such as the World Wide Web and electronic mail allows the efficient dissemination of information on a global scale. Controls should be in place to ensure the ethical use of this technology and the protection of electronic/digitalised and hard copy personal information. Furthermore, the global promulgation of legislation requires that organisations implement controls to protect individual privacy. This guideline provides a common set of criteria that the IS auditor can apply to assess the effectiveness of security controls designed to ensure personal privacy.

3.  INDEPENDENCE

3.1 Sources of Information

3.1.1 The auditor should consider local regulations about privacy first and, after that, the global regulations that the organisation is adopting. If the organisation is international, it should consider that local regulations take precedence over enterprise policies; in this case, however, the organisation must additionally comply with both (e.g., Sarbanes-Oxley for US companies).

4. PROFESSIONAL ETHICS AND STANDARDS

4.1 Need for Personal Data Protection

4.1.1 An increasing number of connections between internal and external registries/data sources and the use of the Internet increase the need for privacy in both public and private enterprises. Information regarding life, health, economy, sexual orientation, religion, political opinion, etc., may, if exposed to unauthorised people, cause irretrievable harm to individuals.
4.1.2 Laws and regulations regarding privacy exist in many countries, but these are often not well known or specific enough. Therefore, an IS auditor must have a basic knowledge of privacy matters and, when necessary, be aware of the basic differences between various countries' regulations to evaluate the level of protection regarding personal information in an enterprise.

5. COMPETENCE

5.1 Approach for Personal Data Protection

5.1.1 There must be requirements and rules for treating digitalised and hard copy personal information to secure confidentiality, integrity and availability of personal information. Every organisation must have an approach for protecting all types and forms of personal information and should consider:

  • Privacy management—The chief executive officer or the person in charge of the organisation should have the primary responsibility for privacy. The objective and superior guidelines for the use of personal information should be described in security objectives/policy and strategy. There should be formalised routines for frequent evaluation to provide reasonable assurance that use of personal information is compliant with the needs of the organisation and public rules and regulations. The results of the evaluation should be documented and used as the basis for possible change in security policy and strategy.
  • Risk assessment—The organisation should have an overview of the various kinds of personal information in use. The organisation must also determine the criteria for acceptable risk connected to treatment of personal information. The responsibility for personal information should be attached to a “data controller.” The data controller is responsible for execution of risk assessments to identify probability for, and consequences of, security incidents. New risk assessments should be carried out according to changes of significance for information security. The result of the risk assessments should be documented.
  • Security audit—Security audit regarding use of information systems should be carried out on a regular basis. Security audit should encompass the organisation, security efforts and cooperation with partners and vendors. The results should be documented.
  • Deviation—Any use of information systems that is not compliant with formalised routines and which may cause security breaches should be treated as a deviation. The objective of deviation treatment is to re-establish normal conditions, remove the cause that led to the deviation and prevent recurrence. If deviations have caused unauthorised release of confidential information, the local authorities may need to be notified. The results should be documented.
  • Organisation—Responsibility for use of the information systems should be established and documented. The responsibility should be unchangeable without authorisation from appropriate management. The information system should be configured to achieve satisfactory information security. Configuration should be documented and only changed with authorisation from appropriate management.
  • Staff—Employees should use personal information according to their tasks and have the necessary authorisation. Furthermore, employees should have the necessary knowledge to use the information system according to formalised routines. Authorised use of information systems should be registered.
  • Professional secrecy—Employees should sign a formal agreement to not disclose any kind of personal information where confidentiality is necessary. This professional secrecy should also encompass other information of importance for information security.
  • Physical security—The organisation should implement measures to prevent unauthorised access to technical equipment in use to process personal information. Security measures should also encompass other equipment of importance for information security. Equipment should be installed in a way that does not affect the treatment of personal information.
  • Confidentiality—The enterprise should take measures to prevent unauthorised access to personal information where confidentiality is necessary. Security measures should also prevent unauthorised access to other information of importance for information security. Confidential personal information that is being transferred electronically to external partners should be encrypted or secured in another manner. Stored information containing confidential personal information should be marked appropriately.
  • Integrity—Measures should be taken against unauthorised change of personal information to provide reasonable assurance of integrity. Security measures should also prevent unauthorised changes of other information of importance for information security. Furthermore, measures should be taken against malicious software. 
  • Availability—Measures should be taken to provide reasonable assurance of access to personal information. Security measures should also encompass other information of importance for information security. Backup and recovery routines should be in place to provide reasonable assurance of access to information in situations when normal operations fail. Proper backup routines should be established. 
  • Security measures—Security measures should be in place to prevent unauthorised use of information systems and make it possible to discover unauthorised access attempts. All unauthorised access attempts should be logged. Security measures should encompass efforts that cannot be influenced or bypassed by staff, and should not be limited to legal actions taken against individuals. Security measures should be documented.
  • Security toward external partners—The data controller is responsible for clarifying responsibility and authority toward external partners and vendors. Responsibility and authority should be formalised in a written document. The data controller must have proper knowledge about the security strategy of partners and vendors, and on a regular basis ensure that the strategy gives satisfactory information security.
  • Documentation—Routines for use of information systems and other information of relevance for information security should be documented. Documentation should be stored according to national laws and regulations. Incident logs from information systems should be stored for at least three months. Policy, standards and procedures should be deployed to specify approved use of personal information.
  • Awareness and training sessions—These should be implemented to communicate the privacy policy to employees and providers, especially to those persons handling the personal information of customers (i.e., customer service).

6.   PLANNING

6.1 Overview of Privacy Laws in Various Countries: Principles and Main Differences

6.1.1 Most countries have already issued their own privacy regulations. The principles are basically the same, but with significant differences in terms of definition of personal data, basic security measures to adopt, etc. These differences can affect the IS auditor’s role, especially when the assignment involves more than one country and/or data repositories are located in another area.
6.1.2 Table 1 lists general principles from “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” published by the Organisation for Economic Co-operation and Development (OECD) in 1980 and 2002.

Table 1—GENERAL PRINCIPLES

N* | PRINCIPLE | EXPLANATION
1 | Collection limitation | The collection of personal data is possible with the (explicit) consent and knowledge of the data subject.
2 | Data quality | Personal data are relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, are accurate, complete and kept up-to-date.
3 | Purpose specification | The purposes for which personal data are collected are specified not later than the time of data collection, and the subsequent use is limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4 | Use limitation | Personal data cannot be disclosed, made available or otherwise used for purposes other than those specified above (except with the consent of the data subject or by the authority of law).
5 | Security safeguards | Personal data should be protected by reasonable security safeguards against risks, such as loss or unauthorised access, destruction, use, modification or disclosure of data.
6 | Openness | There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, the main purposes of their use, and the identity and usual residence of the data controller.
7 | Individual participation 1 | An individual has the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him/her.
8 | Individual participation 2 | An individual has the right to have communicated to him/her, data relating to him/her:
  • Within a reasonable time
  • At a charge, if any, that is not excessive
  • In a reasonable manner
  • In a form that is readily intelligible to him/her
9 | Individual participation 3 | An individual has the right to be given reasons if a request, such as those in principles 7 and 8, is denied, and to challenge such denial.
10 | Individual participation 4 | An individual has the right to challenge data relating to him/her and, if the challenge is successful, to have the data erased, rectified, completed or amended.
11 | Individual participation 5 | Specific procedures must be established so that the individual can communicate to the company if he/she changes his/her mind about the use and disposal of his/her personal information, and these changes must be reflected in all systems and platforms where his/her data are used.
12 | Accountability of data controller | The data controller is accountable for complying with measures that give effect to the principles stated above.

6.1.3 Based on the aforementioned principles, the checklist in table 2 should help to build a comparison between various countries’ regulations and represent a rough indicator of how those principles are actually applied. The “ref” column is the reference number of the principle listed in Table 1.

Table 2—CHECKLIST

N* | REF. | QUESTION
1 | 1 | Is collection of personal data regarding an individual, for any kind of processing, NOT possible without either the unambiguous consent of the individual, the fulfilment of a contract with the individual, or another condition explicitly permitted by law? Exceptions for special cases such as public security or national security should be made by the authority of law and authorised by an entity different from the collector.
2 | 1 | Is consent to collecting and/or processing personal data necessary for any third party who needs to access/manipulate them (e.g., outsourcing), and must it be expressed by the data subject by written consent, distinct from the one given to the main contractor (in other words, no data controller can give any third party access to data without the unambiguous, explicit authorisation of the data subject)?
3 | 2 | Are data controllers compelled to periodically verify the accuracy of data, and to update or delete irrelevant/excessive/outdated (for the scope of processing) information?
4 | 3 | Are data controllers compelled to communicate the scope of collecting data to the data subject(s)?
5 | 3 | Are data controllers compelled to limit the use of data to the purposes communicated to the data subject(s) when the data were collected?
6 | 3 | Are data controllers compelled to communicate any change of purpose of collecting/processing data to the data subject(s) and to obtain his/her approval?
7 | 4 | Are there limitations to the use of data which forbid any utilisation/disclosure not explicitly authorised by the data subject(s)?
8 | 5 | Are there requirements about minimum security safeguards requested of the data controllers to protect data against unauthorised disclosure/utilisation?
9 | 5 | Must data controllers prepare and periodically update a security plan?
10 | 5 | Must data controllers periodically conduct a risk assessment?
11 | 5 | Are there requirements that make any individual (belonging to the data controller’s organisation) uniquely identifiable and accountable for access to any subject(s) data?
12 | 6 | Is the identity of the data controller (as an individual or an organisation) necessarily communicated to the data subject(s), as well as the nature of data collected/processed?
13 | 6 | Are there any training or awareness programmes in place to alert staff to the requirements of personal information protection?
14 | 7 | Can a data subject(s) ask the data controller for information regarding the existence or nature of data pertaining to him/her?
15 | 7 | Can a data subject(s) obtain his/her data from the data controller and verify them?
16 | 8 | Is there a maximum period of time fixed to answer questions 15 and 16? Yes, the information should be provided in a reasonable manner and in an intelligible form.
17 | 9 | Can a data subject(s) challenge any denial by the data controller to communicate to him/her the existence of data/processing pertaining to him/her?
18 | 10 | Can a data subject(s) have the data pertaining to him/her erased by the data controller? Yes.
19 | 11 | Can a data subject deny at any time to anyone (even if authorised before) the consent to collect data regarding him/her?
20 | 12 | Are there sanctions against data controllers who are not compliant with the above stated principles?
21 | 12 | Are there organisations that have a duty to verify compliance of a data controller with the above stated principles?

7.  PERFORMANCE OF AUDIT WORK

7.1 Reviewing an Organisation’s Privacy Practices and Procedures

7.1.1 The IS auditor should have a good understanding of the audit planning process. An audit program should be developed including the scope, objectives and timing of the audit. Reporting arrangements should be clearly documented in the audit program.
7.1.2 Consideration should be given to the nature and size of the organisation and its stakeholders. Knowledge of transborder relationships (both within the country and internationally) is important and will help determine the scope and time required for the audit.
7.1.3 The IS auditor should gain an understanding of the organisation’s mission and business objectives, the types of data collected and used by the organisation and the legislation applicable to the organisation, which may include privacy requirements. Also, an understanding of the organisational structure, including roles and responsibilities of key staff including the information managers and owners is needed.
7.1.4 A primary objective of the audit planning phase is to understand the risks to the organisation in the event of nonadherence to privacy legislation/regulations.

7.2 Steps to Perform

7.2.1 The IS auditor should conduct a preliminary privacy assessment to help determine the impact on the organisation if compliance with the relevant privacy legislation is not achieved. This helps to define the scope of the review and should also take into account factors such as the type of information collected, stored and used for various purposes within the organisation.
7.2.2 The IS auditor should determine whether the organisation has the following in place:

  • Privacy policy
  • Privacy officer
  • Data controller
  • Training and awareness plan in relation to privacy
  • Privacy complaint management process
  • Regime of privacy audits conducted against the privacy legislation
  • Privacy requirements for outsourced services and contractors

These, if available, should be assessed by the IS auditor to ensure they are in line with the relevant privacy legislation and/or regulations.
7.2.3 The IS auditor should conduct a privacy impact analysis. This involves:

  • Identifying, analysing and prioritising the risks of nonadherence to privacy legislation
  • Understanding the various privacy measures currently in place in the organisation
  • Assessing the weaknesses and strengths
  • Recommending strategies for improvement

7.2.4 A report should be written by the IS auditor that documents the results of the privacy review. The report should include an outline of the objectives and scope and provide a summary of the type of data and information collected, stored and used by the organisation.
7.2.5 The report should include information on the privacy related risks that face the organisation and a summary of the risk reduction measures or privacy protection strategies that exist.
7.2.6 Weaknesses identified in the privacy review either due to an absence of risk reduction measures or inadequate measures should be brought to the attention of the information owners and to the management responsible for the privacy policy.
7.2.7 Where weaknesses identified during the privacy review are considered to be significant or material, the appropriate level of management should be advised to undertake immediate corrective action.
7.2.8 The IS auditor should include appropriate recommendations in the audit report to provide management with opportunities to strengthen the organisation’s privacy controls.

8.  REPORTING

8.1 Security Measures Verification Regulations

8.1.1 Local privacy regulations may require that certain security measures are in place to ensure personal data are properly protected against risks of unauthorised access, improper disclosure, modification and/or loss.
8.1.2 The following is a list of key controls to help provide reasonable assurance that local privacy requirements are satisfied. Please note that local laws or regulations can impose additional measures. The IS auditor should check the applicability and completeness of this table before starting the audit, as stated in table 2 of section 6.1.3.

8.2 Media Reuse

8.2.1 A formal procedure to provide reasonable assurance that due care is taken by all personnel with custody of media and documentation containing personal data should exist and be verified.
8.2.2 Before reusing media (e.g., electronic/digitalised or paper) that previously contained personal data reasonable assurance should be provided that all information has been deleted. Sometimes, according to data sensitivity or media nature, it is necessary to destroy the media itself.

8.3 Training

8.3.1 Security training should be scheduled regularly for all personnel dealing with personal data.

8.4 Access Control

8.4.1 As a general principle, the “need-to-know” philosophy must be enforced (i.e., any person should be granted access only to the files and archives necessary to perform his/her work).
8.4.2 Access privileges and user IDs should be assigned according to this policy.
8.4.3 A written procedure to immediately update/delete user IDs when an employee leaves or is assigned to another department/function should exist and be verified.
8.4.4 Proper instructions regarding the use of personal computers should be provided and verified. They must include every aspect of individual data security, such as the necessity of performing regular data back-up, that workstations should not be left unattended, etc.
8.4.5 The internal network should be adequately protected by the use of security devices, such as firewalls.
8.4.6 The existence of a contingency plan to restore personal data archives within defined time limits should be verified.
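The following Python script is an added example, not part of the ISACA guideline, of how an IS auditor could turn the access control items in 8.4.2 and 8.4.3 into a repeatable compliance test: it reconciles an export of active user IDs and their entitlements against an HR roster (leavers and transfers) and a need-to-know matrix (which personal data archives each department needs for its work). The roster, matrix, IAM export, user names and the function names are all constructed for the illustration; in a real review they would come from the organisation's HR system and identity management export.

```python
"""Added example (not from the ISACA guideline): audit test for 8.4.2/8.4.3.

Reconciles active user IDs and their entitlements against an HR roster and a
need-to-know matrix and reports every deviation from the stated policy:
  - active IDs of employees who have left (8.4.3, immediate deletion)
  - IDs whose entitlements were not updated after a transfer (8.4.3)
  - IDs holding access beyond their department's need-to-know (8.4.1/8.4.2)
  - active IDs with no HR record at all (unowned accounts)
All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user_id: str
    entitlements: frozenset  # personal data archives the ID can access


# Constructed HR roster: user_id -> (current department, status, date of status)
HR_ROSTER = {
    "ablack": ("customer_service", "active", date(2005, 1, 10)),
    "bwhite": ("marketing", "left", date(2005, 3, 31)),
    "cgreen": ("finance", "transferred", date(2005, 4, 15)),  # came from customer_service
    "dbrown": ("it_support", "active", date(2004, 11, 2)),
}

# Constructed need-to-know matrix: archives each department needs to do its work
NEED_TO_KNOW = {
    "customer_service": {"customer_master", "contact_history"},
    "marketing": {"campaign_consents"},
    "finance": {"billing"},
    "it_support": set(),  # support staff use logged maintenance access instead (8.5.1)
}

# Constructed identity management export of currently active accounts
ACTIVE_ACCOUNTS = [
    Account("ablack", frozenset({"customer_master", "contact_history"})),
    Account("bwhite", frozenset({"campaign_consents"})),
    Account("cgreen", frozenset({"customer_master", "billing"})),
    Account("dbrown", frozenset({"customer_master"})),
    Account("svc_legacy", frozenset({"billing"})),
]

AUDIT_DATE = date(2005, 6, 1)  # constructed date of the review


def review_access(accounts, roster, matrix, audit_date, max_removal_days=1):
    """Return a list of (user_id, finding) tuples; an empty list means no deviation."""
    findings = []
    for acct in accounts:
        if acct.user_id not in roster:
            findings.append((acct.user_id, "active ID has no HR record"))
            continue
        dept, status, status_date = roster[acct.user_id]
        if status == "left":
            # 8.4.3: IDs of leavers must be deleted/disabled immediately
            days = (audit_date - status_date).days
            if days > max_removal_days:
                findings.append((acct.user_id, f"ID still active {days} days after leaving"))
            continue
        # 8.4.1/8.4.2: compare granted entitlements with the department's need-to-know
        excess = acct.entitlements - matrix.get(dept, set())
        if excess:
            label = "entitlements exceed need-to-know"
            if status == "transferred":
                label = "entitlements not updated after transfer"
            findings.append((acct.user_id, f"{label}: {sorted(excess)}"))
    return findings


def run_review():
    """Run the test over the constructed sample data and return the findings."""
    return review_access(ACTIVE_ACCOUNTS, HR_ROSTER, NEED_TO_KNOW, AUDIT_DATE)


if __name__ == "__main__":
    for user_id, finding in run_review():
        print(f"{user_id}: {finding}")
```

Run as a script it prints four findings for the sample data: the leaver whose ID is still active, the transferred employee who kept access from the previous department, the support account holding direct access to a personal data archive, and the service account with no HR owner. The comparison is deliberately made against the department's documented need, not against what other employees happen to hold, because 8.4.1 defines the policy in terms of what is necessary to perform the work.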

8.5 Maintenance and Support

8.5.1 Every maintenance and support access should be logged and monitored.

8.6 Data Integrity

8.6.1 Reasonable assurance that the antivirus software is installed in every workstation and that it is regularly updated by subscription to the selected antivirus company should be provided.
8.6.2 The operating system and any applicable software vendors should be checked regularly for patches/updates availability.
8.6.3 Data back-up should be scheduled regularly, on servers, mainframes and personal computers.

8.7 Access Control to Facilities

8.7.1 Any person entering the organisation facilities should be registered. Employees coming to work during off-hours should sign a logbook.

8.8 Risk Analysis

8.8.1 A risk analysis aimed to identify personal data risks and exposures should be carried out on a regular basis.

9. EFFECTIVE DATE

9.1 This guideline is effective for all information systems audits beginning 1 June 2005. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

APPENDIX

References
“AICPA/CICA Privacy Framework,” American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Certified Accountants (CICA), 2003
“Guidelines for the Regulation of Computerized Personal Data Files,” Office of the United Nations High Commissioner for Human Rights, 1990
“The International E-commerce Standard for Security, Privacy and Service (Business to Business),” International Standards Accreditation Board (ISAB), IES: 2000 (B2B), 2000
“The International E-commerce Standard for Security, Privacy and Service (Business to Consumer),” International Standards Accreditation Board (ISAB), IES: 2000 (B2C), 2000
“OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” Organisation for Economic Co-operation and Development (OECD), 2002, 1980
“Privacy: Assessing the Risk,” The Institute of Internal Auditors (IIA) Research Foundation, April 2003
“Safe Harbor Privacy Principles,” US Department of Commerce, USA, 21 July 2000
“US Department of Commerce Safe Harbor,” US Department of Commerce, USA, www.export.gov/safeharbor

ISACA® 2004-2005 STANDARDS BOARD

Chair, Sergio Fleginsky, CISA    ICI Paints, Uruguay
Svein Aldal   Aldal Consulting, Norway
John Beveridge, CISA, CISM, CFE, CGFM, CQA   Office of the Massachusetts State Auditor, USA
Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP   Tangerine Consulting, Italy
Christina Ledesma, CISA, CISM   Citibank NA Sucursal, Uruguay
Andrew MacLeod, CISA, CIA, FCPA, MACS, PCP   Brisbane City Council, Australia
V. Meera, CISA, CISM, ACS, CISSP, CWA   Microsoft Corporation, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA   Ikanos Communications, India
Peter Niblett, CISA, CISM, CA, CIA, FCPA   WHK Day Neilson, Australia
John G. Ott, CISA, CPA   AmerisourceBergen, USA
Thomas Thompson, CISA    Ernst & Young, UAE

©Copyright 2005
ISACA®
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL  60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail:  standards@isaca.org
Web site:  www.isaca.org