Page 455 - ITGC_Audit Guides

Security and Privacy Risks

                   Security and privacy are the risks most people can easily identify and understand. A person or
                   organization can gain incredible insight into a person’s life by combining personal information with
                   social media commentary and “likes,” publicly posted product and service reviews, and internet
                   browsing history captured through web cookies. Organizations face difficulties ensuring that all data
                   collected is used for legitimate purposes and that the organization complies with laws and regulations.
                   Customers may feel uneasy about customized marketing campaigns driven by the analysis of
                   personal data, even when the data is used for valid business reasons.

                   Additionally, news stories about public- and private-sector data breaches resulting in stolen
                   personal data have become all too common, and costs associated with an organization’s failure
                   to protect the personal information of its employees, customers, and vendors are constantly
                   increasing. Regulatory compliance sanctions and fines, which vary by location and jurisdiction, can
                   result in significant legal and financial liability for the organization. Further, organizations that
                   experience a data breach may suffer significant brand and reputation damage, leading to declining
                   revenues and increased costs.

                   The threats and vulnerabilities associated with inappropriate insider access (e.g., by employees,
                   consultants, and big data vendors) are often as significant as those associated with external
                   threats, given the inherent knowledge and privileges possessed by these groups. Such insider
                   actions may include stealing sensitive and confidential data, obtaining trade secrets, or taking
                   inappropriate actions based on insider knowledge. Theft of knowledge and insights gained from big
                   data systems for personal gain often goes undetected because companies focus cybersecurity
                   efforts on external threats and may have inadequate controls to prevent and detect insider
                   activity. Account privileges should be strictly limited to the access needed to perform the
                   individual’s job responsibilities (least privilege), and additional controls should be implemented
                   to monitor and detect suspicious activity, such as access to data outside an individual’s role or
                   unusually large extracts of sensitive data.
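One concrete form of the two controls just described (a role-based access allowlist and monitoring for suspicious activity), as an added example that is not part of the IIA guide: a Python check over a constructed big data access log that flags reads of datasets outside the user's role allowlist and reads of sensitive datasets far above the peer baseline for that role. The role matrix, dataset names, log format, sample log entries, and thresholds are all assumptions made for the example.

```python
"""Least-privilege and insider-activity checks over a big data access log.

Added example; not from the IIA guide. The role allowlist, dataset names,
log format and thresholds below are assumptions for illustration only.
"""
from statistics import median

# Assumed least-privilege matrix: each role may read only the datasets its
# job requires.  Anything else is an out-of-role access.
ROLE_ALLOWLIST = {
    "analyst": {"sales_agg", "web_clicks"},
    "data_engineer": {"sales_agg", "web_clicks", "customer_pii"},
    "support": {"customer_pii"},
}

# Assumed set of datasets that hold personal or confidential data.
SENSITIVE = {"customer_pii"}

# Constructed access log entries: (timestamp, user, role, dataset, rows_read).
ACCESS_LOG = [
    ("2024-03-01T09:00:00Z", "alice", "analyst", "sales_agg", 1200),
    ("2024-03-01T09:05:00Z", "alice", "analyst", "web_clicks", 800),
    ("2024-03-01T09:10:00Z", "bob", "support", "customer_pii", 40),
    ("2024-03-01T09:12:00Z", "bob", "support", "customer_pii", 35),
    ("2024-03-01T09:20:00Z", "carol", "data_engineer", "customer_pii", 500),
    # Out of role AND a bulk extract of sensitive data.
    ("2024-03-01T09:30:00Z", "dave", "analyst", "customer_pii", 2_000_000),
    # In role, but orders of magnitude above what support staff normally read.
    ("2024-03-01T09:31:00Z", "bob", "support", "customer_pii", 250_000),
    ("2024-03-02T09:10:00Z", "bob", "support", "customer_pii", 50),
]


def out_of_role_access(log, allowlist=ROLE_ALLOWLIST):
    """Return events whose dataset is not permitted for the user's role.

    Unknown roles get an empty allowlist, so every read they make is flagged.
    """
    findings = []
    for ts, user, role, dataset, rows in log:
        if dataset not in allowlist.get(role, set()):
            findings.append({"ts": ts, "user": user, "role": role,
                             "dataset": dataset, "rows": rows,
                             "reason": "dataset not permitted for role"})
    return findings


def bulk_read_anomalies(log, sensitive=SENSITIVE, factor=10, min_rows=1000):
    """Return sensitive-dataset reads far above the role's peer baseline.

    The baseline for an event is the median rows_read of all *other* sensitive
    reads by the same role (leave-one-out, so a single huge read cannot set its
    own baseline).  An event is flagged when rows_read exceeds
    max(min_rows, factor * baseline); min_rows keeps a role with no history
    from having a threshold of zero.
    """
    sens = [e for e in log if e[3] in sensitive]
    findings = []
    for i, (ts, user, role, dataset, rows) in enumerate(sens):
        peers = [r for j, (_, _, rl, _, r) in enumerate(sens)
                 if j != i and rl == role]
        baseline = median(peers) if peers else 0
        threshold = max(min_rows, factor * baseline)
        if rows > threshold:
            findings.append({"ts": ts, "user": user, "role": role,
                             "dataset": dataset, "rows": rows,
                             "reason": f"rows_read {rows} > threshold {threshold:g} "
                                       f"(role baseline {baseline:g})"})
    return findings


def review(log):
    """Run both checks and return all findings, out-of-role first."""
    return out_of_role_access(log) + bulk_read_anomalies(log)


if __name__ == "__main__":
    for f in review(ACCESS_LOG):
        print(f"{f['ts']} {f['user']:<6} {f['role']:<14} {f['dataset']:<13} {f['reason']}")
```

On the constructed log, the first check flags dave's read of customer_pii (not permitted for the analyst role), and the second flags both dave's 2,000,000-row read and bob's 250,000-row read, while bob's routine reads of a few dozen rows stay under the threshold. In practice the allowlist would be generated from the IAM or data-catalog entitlements rather than hard-coded, and the baseline window would be bounded in time.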

                   Ensuring all systems are appropriately and consistently secured becomes more challenging as big
                   data systems become more complex and powerful and house larger volumes of disparate data.
                   Inadequate patching or security configurations may open vulnerabilities that can be exploited to
                   view or modify sensitive data. System disruptions may also occur, resulting in unavailable services
                   and lost productivity.

                   Please refer to the IIA Practice Guide “Auditing Privacy Risks, 2nd Edition” for additional
                   information regarding privacy risks and challenges, as many of these are quite relevant to big data
                   programs and environments. Additionally, please refer to the “GTAG: Assessing Cybersecurity Risk:
                   The Three Lines Model” for additional security-related risks and considerations.












                   36 — theiia.org