By: Mitchell H.Levine.CISA
Audit Serve, Inc.
Conducting PII (personally Identifiable Information) audits is one of the most important audits within the Audit Universe. Before setting the overall scope of the audit, a determination needs to be made whether to include the management of PHI (Protected Health Information) and Credit Card data in the review.
Understanding the importance of the PII data is based on the regulatory requirements in which one's organization is bound to protect and secure credit card data. Financial institutions are subject to the Gramm–Leach–Bliley Act (GLB), act to protect PII data. Within the Utility Industry many state regulators have issued directives to protect PII data as part of the Cyber Security control requirements. Government entities are bound by the Privacy Act of 1974 and E-Government Act of 2002. Based upon Massachusetts (MA) law, CMR 17, any company conducting business or having employees/retirees domiciled in the state of MA are subject to specific IT standards for controlling the access to PII data. All other states do not take the proactive approach that MA has in regards to requiring protection of PII data. Other states only have data breach notification requirements.
The timing of the PII audit should be based on whether an organization has established a policy in regards to the management of PII data and whether project initiatives have started to identify the location of PII data. If these first steps relating to policy and PII discovery have not been performed, most auditors would postpone the audit until these initiatives have occurred. In addition, an overall company-wide issue should be raised to the audit committee indicating that PII activities have not occurred which is a failure in the IT Governance of an organization. Alternatively, some auditors would proceed with the PII audit in order to perform automated testing (i.e., using tools to disclose PII data) to prove that PII data is located across the enterprise and not properly controlled. This evidence would further force the organizations to make the PII project to discover and control PII data a much higher priority.
As part of the planning for the PII audit the first thing which needs to be determined is the approach taken for conducting the discovery phase of identifying the location of PII data and determining the tools that were used by the organization. Does an organization have a central group such as the IT Department who are responsible for running tools to scan for the presence of PII data throughout the various types of areas where PII data can be stored (e.g., documents contained within file shares, databases, SharePoint Teamsites)? Alternatively, has an organization taken the weak approach of relying on individual users to identify the location of PII data that they control and apply the appropriate security measures? This approach is referred to as a self-assessment and self-reporting approach. In this case, at a minimum the organization should have supplied the individuals the requires set of tools to allow for their workstations and file share locations to be scanned for PII based on all types of operating systems used at the organization (MAC OS, UNIX, LINUX, Windows etc.). In addition, a responsible party should have been identified for all locations where PII data is potentially stored.
If the organization approach for the discovery of PII data is self-assessment approach then it is unlikely that organization is maintaining a central list of the location of PII data. In addition, the self-assessment process will leave large gaps of storage areas within an organization which will not be scanned for the presence of PII data because ownership of all of the storage locations in most cases has not been assigned.
If the self-assessment discovery approach is being used, then a good portion of the audit will be devoted to proving that this approach is inadequate and should be replaced by a centralized group responsible for scanning for the presence of PII data. To support this contention, the audit will have to conduct compliance testing of the various types of storage locations used to identify instances in which PII data is present and was not accounted for in the self-assessment process.
This article will continue in the next edition of Audit Vision.