Page 457 - ITGC_Audit Guides

Please refer to “GTAG: Auditing Identity and Access Management” for additional information regarding access controls, provisioning, security administration, and enforcement.

5.4  Data privacy should be part of the big data strategy.

Data is inventoried and classified to ensure the organization’s critical data, including personal information requiring protection, is appropriately safeguarded.

Personally identifiable information and other sensitive data is sanitized or scrambled prior to replication from production to development or test environments.

An incident response process has been documented, approved, and implemented to ensure data breaches are handled appropriately.

Please refer to the IIA Practice Guide “Auditing Privacy Risks, 2nd Edition” for information regarding privacy frameworks and principles regarding auditing privacy.























































                   38 — theiia.org