
IS Auditing Guidelines G1 Using the Work of Other Experts

N° PRINCIPLE: EXPLANATION

1 Collection limitation: The collection of personal data is possible with the (explicit) consent and knowledge of the data subject.

2 Data quality: Personal data are relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, are accurate, complete and kept up-to-date.

3 Purpose specification: The purposes for which personal data are collected are specified not later than the time of data collection, and the subsequent use is limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4 Use limitation: Personal data cannot be disclosed, made available or otherwise used for purposes other than those specified above (except with the consent of the data subject or by the authority of law).

5 Security safeguards: Personal data should be protected by reasonable security safeguards against risks, such as loss or unauthorised access, destruction, use, modification or disclosure of data.

6 Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, the main purposes of their use, and the identity and usual residence of the data controller.

7 Individual participation 1: An individual has the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him/her.

8 Individual participation 2: An individual has the right to have communicated to him/her, data relating to him/her:
- Within a reasonable time
- At a charge, if any, that is not excessive
- In a reasonable manner
- In a form that is readily intelligible to him/her

9 Individual participation 3: An individual has the right to be given reasons if a request, such as those in principles 7 and 8, is denied, and to challenge such denial.

10 Individual participation 4: An individual has the right to challenge data relating to him/her and, if the challenge is successful, to have the data erased, rectified, completed or amended.

11 Individual participation 5: Specific procedures must be established so that the individual can communicate to the company if he/she changes his/her mind about the use and disposal of his/her personal information, and these changes must be reflected in all systems and platforms where his/her data is used.

12 Accountability of data controller: The data controller is accountable for complying with measures that give effect to the principles stated above.

6.1.3 Based on the aforementioned principles, the checklist in table 2 should help to build a comparison between various countries’ regulations and represent a rough indicator of how those principles are actually applied. The “ref” column is the reference number to the principles listed in Table 1.

Table 2—CHECKLIST

N° (REF.): Question

1 (ref. 1): Is collection of personal data regarding an individual, for any kind of processing, NOT possible without either the unambiguous consent of the individual, or for the fulfilment of a contract with the individual, or in accordance with other conditions explicitly permitted by law? Exceptions are special cases such as public security or national security, which should be handled by the authority of law and authorised by an entity different from the collector.

2 (ref. 1): Is consent to collecting and/or processing personal data necessary for any third party who needs to access/manipulate them (e.g., outsourcing), and must it be given by the data subject as written consent, distinct from the one given to the main contractor (in other words, no data controller can give any third party access to data without the unambiguous, explicit authorisation of the data subject)?

3 (ref. 2): Are data controllers compelled to periodically verify the accuracy of data, and to update or delete irrelevant, excessive or outdated (for the scope of processing) information?

4 (ref. 3): Are data controllers compelled to communicate the scope of collecting data to the data subject(s)?

5 (ref. 3): Are data controllers compelled to limit the use of data to the purposes communicated to the data subject(s) when the data were collected?

6 (ref. 3): Are data controllers compelled to communicate any change of purpose of collecting/processing data to the data subject(s) and to obtain his/her approval?

7 (ref. 4): Are there limitations to the use of data which forbid any utilisation/disclosure not explicitly authorised by the data subject(s)?

8 (ref. 5): Are there requirements about minimum security safeguards required of data controllers to protect data against unauthorised disclosure/utilisation?

9 (ref. 5): Must data controllers prepare and periodically update a security plan?

10 (ref. 5): Must data controllers periodically conduct a risk assessment?

11 (ref. 5): Are there requirements that make any individual (belonging to the data controller’s organisation) uniquely identifiable and accountable for access to any data subject’s data?

12 (ref. 6): Is the identity of the data controller (as an individual or an organisation) necessarily communicated to the data subject(s), as well as the nature of the data collected/processed?

13 (ref. 6): Are there any training or awareness programs in place to alert staff to the requirements of personal information protection?

14 (ref. 7): Can a data subject ask the data controller for information regarding the existence or nature of data pertaining to him/her?

15 (ref. 7): Can a data subject obtain his/her data from the data controller and verify them?

16 (ref. 8): Is there a maximum period of time fixed to answer questions 15 and 16? Yes, the information should be provided in a reasonable manner and in an intelligible form.

17 (ref. 9): Can a data subject challenge any denial by the data controller to communicate to him/her the existence of data/processing pertaining to him/her?

18 (ref. 10): Can a data subject have the data pertaining to him/her erased by the data controller? Yes.

19 (ref. 11): Can a data subject deny at any time to anyone (even if authorised before) the consent to collect data regarding him/her?

20 (ref. 12): Are there sanctions against data controllers who are not compliant with the above stated principles?

21 (ref. 12): Are there organisations that have a duty to verify the compliance of a data controller with the above stated principles?

7. PERFORMANCE OF AUDIT WORK

7.1 Reviewing an Organisation’s Privacy Practices and Procedures

7.1.1 The IS auditor should have a good understanding of the audit planning process. An audit program should be developed including the scope, objectives and timing of the audit. Reporting arrangements should be clearly documented in the audit program.

7.1.2 Consideration should be given to the nature and size of the organisation and its stakeholders. Knowledge of transborder relationships (both within the country and internationally) is important and will help determine the scope and time required for the audit.

7.1.3 The IS auditor should gain an understanding of the organisation’s mission and business objectives, the types of data collected and used by the organisation and the legislation applicable to the organisation, which may include privacy requirements. Also, an understanding of the organisational structure, including roles and responsibilities of key staff including the information managers and owners, is needed.

7.1.4 A primary objective of the audit planning phase is to understand the risks to the organisation in the event of nonadherence to privacy legislation/regulations.

7.2 Steps to Perform

7.2.1 The IS auditor should conduct a preliminary privacy assessment to help determine the impact on the organisation if compliance with the relevant privacy legislation is not achieved. This helps to define the scope of the review and should also take into account factors such as the type of information collected, stored and used for various purposes within the organisation.

7.2.2 The IS auditor should determine whether the organisation has the following in place:

- Privacy policy
- Privacy officer
- Data controller
- Training and awareness plan in relation to privacy
- Privacy complaint management process
- Regime of privacy audits conducted against the privacy legislation
- Privacy requirements for outsourced services and contractors

These, if available, should be assessed by the IS auditor to ensure they are in line with the relevant privacy legislation and/or regulations.

7.2.3 The IS auditor should conduct a privacy impact analysis. This involves:

- Identifying, analysing and prioritising the risks of nonadherence to privacy legislation
- Understanding the various privacy measures currently in place in the organisation
- Assessing the weaknesses and strengths
- Recommending strategies for improvement

7.2.4 A report should be written by the IS auditor that documents the results of the privacy review. The report should include an outline of the objectives and scope and provide a summary of the type of data and information collected, stored and used by the organisation.

7.2.5 The report should include information on the privacy related risks that face the organisation and a summary of the risk reduction measures or privacy protection strategies that exist.

7.2.6 Weaknesses identified in the privacy review either due to an absence of risk reduction measures or inadequate measures should be brought to the attention of the information owners and to the management responsible for the privacy policy.

7.2.7 Where weaknesses identified during the privacy review are considered to be significant or material, the appropriate level of management should be advised to undertake immediate corrective action.

7.2.8 The IS auditor should include appropriate recommendations in the audit report to provide management with opportunities to strengthen the organisation’s privacy controls.

8. REPORTING

8.1 Security Measures Verification Regulations

8.1.1 Local privacy regulations may require that certain security measures are in place to ensure personal data are properly protected against risks of unauthorised access, improper disclosure, modification and/or loss.

8.1.2 The following is a list of key controls to help provide reasonable assurance that local privacy requirements are satisfied. Please note that local laws or regulations can impose additional measures. The IS auditor should check the applicability and completeness of this table before starting the audit, as stated in table 2 of section 6.1.3.

8.2 Media Reuse

8.2.1 A formal procedure to provide reasonable assurance that due care is taken by all personnel with custody of media and documentation containing personal data should exist and be verified.

8.2.2 Before reusing media (e.g., electronic/digitalised or paper) that previously contained personal data, reasonable assurance should be provided that all information has been deleted. Sometimes, according to data sensitivity or media nature, it is necessary to destroy the media itself.

8.3 Training

8.3.1 Security training should be scheduled regularly for all personnel dealing with personal data.

8.4 Access Control

8.4.1 As a general principle, the “need-to-know” philosophy must be enforced (i.e., any person should be granted access only to the files and archives necessary to perform his/her work).

8.4.2 Access privileges and user IDs should be assigned according to this policy.

8.4.3 A written procedure to immediately update/delete user IDs when an employee leaves or is assigned to another department/function should exist and be verified.

8.4.4 Proper instructions regarding the use of personal computers should be provided and verified. They must include every aspect of individual data security, such as the necessity of performing regular data back-up, that workstations should not be left unattended, etc.

8.4.5 The internal network should be adequately protected by the use of security devices, such as firewalls.

8.4.6 The existence of a contingency plan to restore personal data archives within defined time limits should be verified.
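The access-control expectations in 8.4.1 to 8.4.3 are usually evidenced by reconciling the HR roster against an export of user IDs and their group memberships. The script below is an added example, not part of the ISACA guideline, and everything in it is constructed: the NEED_TO_KNOW matrix, the employee and account records, the review date and the log format. It produces one finding per failed expectation and labels each with the guideline paragraph it relates to, which is the form an auditor's working paper would take.

```python
"""Added example (not ISACA's code): reconcile an HR roster with an account
export to test the expectations in 8.4.1 (need-to-know), 8.4.2 (privileges
assigned per policy) and 8.4.3 (user IDs updated on leaving or transfer).
All data below is constructed for the example."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed "need-to-know" matrix: the groups each department legitimately needs.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "payroll": {"hr-personal-data", "payroll-app"},
    "support": {"ticketing", "support-readonly"},
    "it": {"ticketing", "sysadmin"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    status: str                      # "active" or "left"
    leave_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    department: str                  # department recorded when access was provisioned
    groups: FrozenSet[str]


@dataclass
class Finding:
    user_id: str
    control: str                     # guideline paragraph the finding relates to
    detail: str


def review_access(employees: List[Employee], accounts: List[Account], as_of: date) -> List[Finding]:
    """Return one Finding per failed expectation, in account-export order."""
    hr = {e.user_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        emp = hr.get(acct.user_id)
        if emp is None:
            # Orphaned ID: nobody in HR owns it, so nobody is accountable for it.
            findings.append(Finding(acct.user_id, "8.4.3", "no HR record for this user ID"))
            continue
        if emp.status == "left":
            if acct.enabled:
                days = (as_of - emp.leave_date).days if emp.leave_date else "an unknown number of"
                findings.append(Finding(acct.user_id, "8.4.3", f"still enabled {days} days after leaving"))
            continue                 # disabled leaver accounts are compliant
        if emp.department != acct.department:
            findings.append(Finding(acct.user_id, "8.4.3",
                                    f"transferred from {acct.department} to {emp.department} but access not updated"))
        excess = acct.groups - NEED_TO_KNOW.get(emp.department, set())
        if excess:
            findings.append(Finding(acct.user_id, "8.4.1",
                                    "groups beyond need-to-know: " + ", ".join(sorted(excess))))
    return findings


# Constructed sample inputs.
SAMPLE_EMPLOYEES = [
    Employee("alice", "payroll", "active"),
    Employee("bob", "support", "left", date(2024, 3, 1)),
    Employee("carol", "it", "active"),        # transferred from support
    Employee("dave", "support", "active"),
    Employee("frank", "it", "left", date(2024, 2, 10)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, "payroll", frozenset({"hr-personal-data", "payroll-app", "sysadmin"})),
    Account("bob", True, "support", frozenset({"ticketing"})),
    Account("carol", True, "support", frozenset({"ticketing", "support-readonly"})),
    Account("dave", True, "support", frozenset({"ticketing"})),
    Account("erin", True, "it", frozenset({"sysadmin"})),      # no HR record
    Account("frank", False, "it", frozenset({"sysadmin"})),    # leaver, correctly disabled
]
AS_OF = date(2024, 4, 15)


def run_sample() -> List[Finding]:
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id:8} {f.control}  {f.detail}")
```

Running the sample yields five findings: alice holds a group outside payroll's need-to-know, bob's ID is still enabled 45 days after leaving, carol's transfer has not been reflected in either her recorded department or her groups, and erin has no HR record at all; dave and the disabled leaver frank produce nothing.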

8.5 Maintenance and Support

8.5.1 Every maintenance and support access should be logged and monitored.
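Logging maintenance access is only half of 8.5.1; the log also has to be monitored. The following added example (not ISACA's code) shows the kind of review an auditor or control owner would run over such a log: maintenance and support logins are matched against a schedule of approved change windows, and any login without a ticket reference, with an unknown ticket, or outside its ticket's window is reported. The log format, the maintenance account names, the ticket schedule and the sample lines are all constructed for the example.

```python
"""Added example (not ISACA's code): review maintenance/support login records
against approved change windows, as a monitoring step for 8.5.1.
The log format and all values below are constructed."""

from datetime import datetime
from typing import Dict, List, Tuple

# Constructed schedule of approved maintenance windows, keyed by change ticket.
APPROVED_WINDOWS: Dict[str, Tuple[datetime, datetime]] = {
    "CHG-1042": (datetime(2024, 4, 2, 22, 0), datetime(2024, 4, 3, 2, 0)),
    "CHG-1050": (datetime(2024, 4, 5, 9, 0), datetime(2024, 4, 5, 12, 0)),
}

# Constructed: accounts used by third-party support and maintenance staff.
MAINTENANCE_ACCOUNTS = {"vendor-svc", "dbsupport"}

# Constructed log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-04-02T22:15:03 user=vendor-svc src=203.0.113.7 action=login ticket=CHG-1042
2024-04-02T23:40:11 user=vendor-svc src=203.0.113.7 action=logout ticket=CHG-1042
2024-04-03T03:12:45 user=vendor-svc src=203.0.113.7 action=login ticket=CHG-1042
2024-04-04T14:02:09 user=dbsupport src=198.51.100.23 action=login
2024-04-05T09:30:00 user=dbsupport src=198.51.100.23 action=login ticket=CHG-9999
2024-04-05T10:05:27 user=alice src=10.0.0.8 action=login
"""


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def review_maintenance_log(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, reason) for every maintenance login that is not
    covered by an approved change window."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user = f.get("user", "")
        # Only logins by maintenance/support accounts are in scope for this check.
        if user not in MAINTENANCE_ACCOUNTS or f.get("action") != "login":
            continue
        ticket = f.get("ticket")
        if ticket is None:
            findings.append((ts, user, "login with no change ticket reference"))
        elif ticket not in APPROVED_WINDOWS:
            findings.append((ts, user, f"unknown ticket {ticket}"))
        else:
            start, end = APPROVED_WINDOWS[ticket]
            if not (start <= ts <= end):
                findings.append((ts, user, f"login outside approved window of {ticket}"))
    return findings


def run_sample() -> List[Tuple[datetime, str, str]]:
    return review_maintenance_log(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, user, reason in run_sample():
        print(f"{ts.isoformat()}  {user:10}  {reason}")
```

On the sample log the first login falls inside CHG-1042's window and passes, the 03:12 login on 3 April is after that window closed, the 4 April login carries no ticket, and CHG-9999 is not on the schedule; alice is an ordinary user and is out of scope for this particular check.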

8.6 Data Integrity

8.6.1 Reasonable assurance should be provided that antivirus software is installed on every workstation and that it is regularly updated through a subscription with the selected antivirus vendor.

8.6.2 The operating system and any applicable software vendors should be checked regularly for patches/updates availability.

8.6.3 Data back-up should be scheduled regularly, on servers, mainframes and personal computers.

8.7 Access Control to Facilities

8.7.1 Any person entering the organisation facilities should be registered. Employees coming to work during off-hours should sign a logbook.

8.8 Risk Analysis

8.8.1 A risk analysis aimed to identify personal data risks and exposures should be carried out on a regular basis.

9. EFFECTIVE DATE

9.1 This guideline is effective for all information systems audits beginning 1 June 2005. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

APPENDIX

Outline

Related documents