ISACA Journal Author Blog


Auditing Data Security

Mike Van Stone, CISA, CISSP, CPA, and Ben Halpert
Published: 1/29/2018 3:08 PM | Category: Audit-Assurance

As auditors and security professionals, much of our focus goes to the network perimeter. However, with the trifecta of porous perimeters, misconfigured cloud environments, and the enormous amount of data compromised and exposed through breaches, we must rethink how we scope our audits. Zero-trust concepts must be considered because malicious actors are increasingly likely to get past a somewhat hardened exterior into the soft, chewy middle of our corporate networks and virtual private clouds. We must focus our security assessment procedures on data protection.

The ISACA website contains many useful free resources, such as GDPR Data Protection Impact Assessments, HIPAA Audit/Assurance Program, and ICQ and Audit/Assurance Program for PCI DSS Compliance Program, addressing elements of data protection controls. The following are some questions that can be covered in data protection audit programs:

  • How does the business keep its data inventory complete on an ongoing basis? 
  • Is there visibility into where data originated from and data ownership? (Note ISACA released a Shadow IT Audit/Assurance Program in 2017.)
  • Are data routinely classified in accordance with company policy?
  • Is the data classification policy periodically reviewed for alignment with risk assessment results, laws and the organization’s risk tolerance level?
  • Is there a tool that can block transmission or encrypt data in alignment with data classification and handling policies?
  • Do the tools protect the data at creation, in use, in transit and at rest?
  • Is there visibility into and monitoring of data wherever they may flow?
  • Are there clear roles and responsibilities to manage the (potentially many) different security tools used in access management, security rule management and monitoring?
  • Does management have an access management strategy for data that have left the corporate network’s borders?
  • Are there clear roles, responsibilities and mechanisms for assessing compliance with laws and regulations for the regions into which sensitive data flow or are stored?
  • Is evidence available demonstrating that management leverages lessons learned from incident postmortems to update data protection policies and procedures?

I wish you the best of luck as you drive your client or organization’s data protection strategy to new levels of maturity.

Read Mike Van Stone and Ben Halpert’s recent Journal article:
“Mistakes Happen—Mitigating Unintentional Data Loss,” ISACA Journal, volume 1, 2018.


Great Questions

Nice post, and I'm not sure sufficient coverage is given to the topic. I just came across this post as it matches closely to an audit I am attempting to conduct. I came up with a similar list of questions and can supplement with these, but the question I am most challenged by is - how to scope such an audit? This can be an overwhelming audit from the perspective of how many groups are involved with answering the questions and gaining cooperation from each group represented to allocate the time needed to go through this. Perhaps not in trying to answer all the questions, but obtaining evidence to support the answers and the controls used.

Has anyone tried to frame this type of audit in the past? Any suggestions on approach are welcome.
HenryB at 7/3/2018 10:51 AM

Excellent Work

The questions are very focused on auditing any company, and I think it would be good practice to know the history of the organization.

For example, what situations have happened in the distant past and the near past? The information the auditor knows about the company is an extra tool to improve the management of risks and to find previously implemented solutions that can be improved for good results, or maybe to create new solutions to decrease risks and increase efficiency, and of course for saving data.
Santos584 at 3/13/2019 9:46 AM