ISACA Journal Author Blog


Auditing Data Security

Mike Van Stone, CISA, CISSP, CPA, and Ben Halpert
Published: 1/29/2018 3:08 PM | Category: Audit-Assurance

As auditors and security professionals, much of our focus is spent on the network perimeter. However, with the trifecta of porous perimeters, misconfigured cloud environments, and the enormous amount of compromised and exposed data due to breaches, we must rethink how we scope our audits. Zero-trust concepts must be considered due to the increased likelihood of malicious actors getting past a somewhat hardened exterior to the soft, chewy middle of our corporate networks and virtual private clouds. We must focus our security assessment procedures on data protection. 

The ISACA website contains many useful free resources, such as GDPR Data Protection Impact Assessments, HIPAA Audit/Assurance Program, and ICQ and Audit/Assurance Program for PCI DSS Compliance Program, addressing elements of data protection controls. The following are some questions that can be covered in data protection audit programs:

  • How does the business keep its data inventory complete on an ongoing basis? 
  • Is there visibility into where data originated from and data ownership? (Note ISACA released a Shadow IT Audit/Assurance Program in 2017.)
  • Are data routinely classified in accordance with company policy?
  • Is the data classification policy periodically reviewed for alignment with risk assessment results, laws and the organization’s risk tolerance level?
  • Is there a tool that can block transmission or encrypt data in alignment with data classification and handling policies?
  • Do the tools protect the data at creation, in use, in transit and at rest?
  • Is there visibility into and monitoring of data wherever they may flow?
  • Are there clear roles and responsibilities to manage the (potentially many) different security tools used in access management, security rule management and monitoring?
  • Does management have an access management strategy for data that have left the corporate network’s borders?
  • Are there clear roles, responsibilities and mechanisms for assessing compliance with laws and regulations for the regions into which sensitive data flow or are stored?
  • Is evidence available demonstrating that management leverages lessons learned from incident postmortems to update data protection policies and procedures?

I wish you the best of luck as you drive your client or organization’s data protection strategy to new levels of maturity.

Read Mike Van Stone and Ben Halpert’s recent Journal article:
“Mistakes Happen—Mitigating Unintentional Data Loss,” ISACA Journal, volume 1, 2018.
