privacy review

Upload: adiltsa

Post on 30-May-2018


8/14/2019 Privacy Review

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession's expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

COBIT resources should be used as a source of best practice guidance. The COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

As defined in the COBIT Framework, each of the following is organised by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
• Control objectives: High-level and detailed generic statements of minimum good control
• Control practices: Practical rationales and how-to-implement guidance for the control objectives
• Audit guidelines: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
• Management guidelines: Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
  - Performance measurement: How well is the IT function supporting business requirements? Management guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
  - IT control profiling: What IT processes are important? What are the critical success factors for control?
  - Awareness: What are the risks of not achieving the objectives?
  - Benchmarking: What do others do? How can results be measured and compared?
  Management guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and academic relations. This material was issued 15 April 2005.

IS AUDITING GUIDELINE: PRIVACY

DOCUMENT G31


    Page 2 Privacy Guideline

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S1 Audit Charter states, "The purpose, responsibility, authority and accountability of the information systems audit function or information systems audit assignments should be appropriately documented in an audit charter or engagement letter."

1.1.2 Standard S5 Planning states, "The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards."

1.1.3 Standard S6 Performance of Audit Work states, "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

1.2 Linkage to COBIT

1.2.1 High-level control objective PO8, Ensure compliance with external requirements, states, "Control over the IT process of ensuring compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations is enabled by identifying and analysing external requirements for their impact, and taking appropriate measures to comply with them and takes into consideration:
• Laws, regulations and contracts
• Monitoring legal and regulatory developments
• Regular monitoring for compliance
• Safety and ergonomics
• Privacy
• Intellectual property"

1.2.2 Detailed control objective PO8.4, Privacy, intellectual property and data flow, states, "Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organisation."

1.3 Reference to COBIT

1.3.1 The COBIT reference identifies the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IS processes and consideration of COBIT control objectives and associated management practices. In a privacy issue, the COBIT processes most likely to be relevant, to be selected and adapted, are classified as primary and secondary in the following list. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.

1.3.2 Primary:
• PO8 Ensure compliance with external requirements
• DS5 Ensure systems security

1.3.3 Secondary:
• PO7 Manage human resources
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS10 Manage problems and incidents
• DS11 Manage data
• DS13 Manage operations
• M1 Monitor the processes
• M2 Assess internal control adequacy
• M3 Obtain independent assurance
• M4 Provide for independent audit

1.2.4 The information criteria most relevant to a privacy review are:
• Primary: Effectiveness, compliance, confidentiality and integrity
• Secondary: Reliability and availability

1.4 Purpose of the Guideline

1.4.1 The purpose of this guideline is to assist the IS auditor to appreciate privacy and appropriately address the privacy issues in carrying out the IS audit function. This guideline is aimed primarily at the IS audit function; however, aspects could be considered for other circumstances.

1.4.2 This guideline provides guidance in applying IS Auditing Standards. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.

1.5 Guideline Application

1.5.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and guidelines.


1.6 Definition of Privacy in an IS Auditing Context: Limits and Responsibilities

1.6.1 Privacy means adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). Management is responsible to comply with privacy in accordance with its privacy policy or applicable privacy laws and regulations.

1.6.2 Personal data is any information relating to an identified or identifiable individual.

1.6.3 The IS auditor is not responsible for what is stored in the personal databases; he/she should check whether personal data are correctly managed with respect to legal prescriptions by adoption of the correct security measures.

1.6.4 The IS auditor should review management's privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations, including transborder data flow requirements such as Safe Harbor and the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (see reference section).

1.6.5 IS auditors should review the privacy impact analysis or assessment carried out by management. Such assessments should:
• Identify the nature of personally identifiable information associated with business processes
• Document the collection, use, disclosure and destruction of personally identifiable information
• Provide management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
• Provide reasonable assurance that accountability for privacy issues exists
• Create a consistent format and structured process for analysing both technical and legal compliance with relevant regulations
• Reduce revisions and retrofitting of the information systems for privacy compliance
• Provide a framework to ensure that privacy is considered starting from the conceptual and requirements analysis stage to the final design approval, funding, implementation and communication stage

1.6.6 IS auditors should determine whether these assessments are conducted as part of an initial privacy review and on an ongoing basis for any change management project, such as:
• Changes in technology
• New programs or major changes in existing programs
• Additional system linkages
• Enhanced accessibility
• Business process reengineering
• Data warehousing
• New products, services, systems, operations, vendors and business partners

1.6.7 In assessing applicable privacy laws and regulations that need to be complied with by any particular organisation, particularly for organisations operating in different parts of the globe, IS auditors should seek an expert opinion as to the requirements of any laws and regulations and should carry out the necessary compliance and substantive tests to form an opinion and report on the compliance with such laws and regulations.

1.6.8 A data controller is a party who is competent to decide about the contents and use of personal data, regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf.

2. AUDIT CHARTER

2.1 Privacy in the Connected World

2.1.1 The advancement of communication technology such as the World Wide Web and electronic mail allows the efficient dissemination of information on a global scale. Controls should be in place to ensure the ethical use of this technology and the protection of electronic/digitalised and hard copy personal information. Furthermore, the global promulgation of legislation requires that organisations implement controls to protect individual privacy. This guideline provides a common set of criteria that the IS auditor can apply to assess the effectiveness of security controls designed to ensure personal privacy.

3. INDEPENDENCE

3.1 Sources of Information

3.1.1 The auditor should consider local regulations about privacy and, after that, global regulations that the organisation is adopting. If the organisation is international, it should consider that local regulations take precedence over enterprise policies, but in this case the organisation additionally must comply with both (e.g., Sarbanes-Oxley for US companies).

4. PROFESSIONAL ETHICS AND STANDARDS

4.1 Need for Personal Data Protection

4.1.1 An increasing number of connections between internal and external registries/data sources and use of the Internet increases the need for privacy in both public and private enterprises. Information regarding life, health, economy, sexual predilection, religion, political opinion, etc., may, if exposed to unentitled people, cause irretrievable harm to individuals.

4.1.2 Laws and regulations regarding privacy exist in many countries, but these are often not well known or specific enough. Therefore, an IS auditor must have a basic knowledge of privacy matters and, when necessary, be aware of the basic differences between various countries' regulations to evaluate the level of protection regarding personal information in an enterprise.


5. COMPETENCE

5.1 Approach for Personal Data Protection

5.1.1 There must be requirements and rules for treating digitalised and hard copy personal information to secure confidentiality, integrity and availability of personal information. Every organisation must have an approach for protecting all types and forms of personal information and should consider:
• Privacy management: The chief executive officer or the person in charge of the organisation should have the primary responsibility for privacy. The objective and superior guidelines for the use of personal information should be described in security objectives/policy and strategy. There should be formalised routines for frequent evaluation to provide reasonable assurance that use of personal information is compliant with the needs of the organisation and public rules and regulations. The results of the evaluation should be documented and used as the basis for possible change in security policy and strategy.
• Risk assessment: The organisation should have an overview of the various kinds of personal information in use. The organisation must also determine the criteria for acceptable risk connected to treatment of personal information. The responsibility for personal information should be attached to a data controller. The data controller is responsible for execution of risk assessments to identify the probability for, and consequences of, security incidents. New risk assessments should be carried out according to changes of significance for information security. The results of the risk assessments should be documented.
• Security audit: Security audits regarding use of information systems should be carried out on a regular basis. The security audit should encompass the organisation, security efforts and cooperation with partners and vendors. The results should be documented.
• Deviation: Any use of information systems that is not compliant with formalised routines and which may cause security breaches should be treated as a deviation. The objective of deviation treatment is to re-establish normal conditions, remove the cause that led to the deviation and prevent recurrence. If deviations have caused unauthorised release of confidential information, the local authorities may need to be notified. The results should be documented.
• Organisation: Responsibility for use of the information systems should be established and documented. The responsibility should be unchangeable without authorisation from appropriate management. The information system should be configured to achieve satisfactory information security. Configuration should be documented and only changed with authorisation from appropriate management.
• Staff: Employees should use personal information according to their tasks and have the necessary authorisation. Furthermore, employees should have the necessary knowledge to use the information system according to formalised routines. Authorised use of information systems should be registered.
• Professional secrecy: Employees should sign a formal agreement not to disclose any kind of personal information where confidentiality is necessary. This professional secrecy should also encompass other information of importance for information security.
• Physical security: The organisation should implement measures to prevent unauthorised access to technical equipment in use to process personal information. Security measures should also encompass other equipment of importance for information security. Equipment should be installed in a way that does not affect the treatment of personal information.
• Confidentiality: The enterprise should take measures to prevent unauthorised access to personal information where confidentiality is necessary. Security measures should also prevent unauthorised access to other information of importance for information security. Confidential personal information that is being transferred electronically to external partners should be encrypted or secured in another manner. Stored information containing confidential personal information should be marked appropriately.
• Integrity: Measures should be taken against unauthorised change of personal information to provide reasonable assurance of integrity. Security measures should also prevent unauthorised changes of other information of importance for information security. Furthermore, measures should be taken against malicious software.
• Availability: Measures should be taken to provide reasonable assurance of access to personal information. Security measures should also encompass other information of importance for information security. Backup and recovery routines should be in place to provide reasonable assurance of access to information in situations when normal operations fail. Proper backup routines should be established.
• Security measures: Security measures should be in place to prevent unauthorised use of information systems and make it possible to discover unauthorised access attempts. All unauthorised access attempts should be logged. Security measures should encompass efforts that cannot be influenced or bypassed by staff, and should not be limited to legal actions taken against individuals. Security measures should be documented.
• Security toward external partners: The data controller is responsible for clarifying responsibility and authority toward external partners and vendors. Responsibility and authority should be formalised in a written document. The data controller must have proper knowledge about the security strategy of partners and vendors, and on a regular basis ensure that the strategy gives satisfactory information security.
• Documentation: Routines for use of information systems and other information of relevance for information security should be documented. Documentation should be stored according to national laws and regulations. Incident logs from information systems should be stored for at least three months. Policy, standards and procedures should be deployed to specify approved use of personal information.
• Awareness and training sessions: These should be implemented to communicate the privacy policy to employees and providers, especially to those persons handling the personal information of customers (e.g., customer service).
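Two of the requirements above (unauthorised access attempts are logged and attributable to an identifiable individual, and incident logs are retained for at least three months) can be tested against exported log evidence during the review. The following is an added example, not part of the ISACA guideline; the one-event-per-line log format, the sample lines and the reading of "three months" as 90 days are assumptions.

```python
"""Audit-evidence checks for two security-measure requirements in the
guideline: unauthorised access attempts are logged and attributable to a
uniquely identifiable individual, and incident logs are retained for at
least three months. Added example; the log format, the sample lines and
the 90-day reading of "three months" are assumptions, not ISACA's."""
from datetime import datetime, timedelta

# "At least three months" read as 90 calendar days (assumption).
RETENTION_MIN = timedelta(days=90)

# Constructed sample access log: one event per line,
# "<ISO timestamp> <user> <action> <resource> <ALLOW|DENY>".
# A user of "-" means the system did not record who made the attempt.
SAMPLE_LOG = """\
2019-05-01T08:00:00 alice read   customer_db ALLOW
2019-05-02T09:15:00 bob   read   payroll     DENY
2019-06-10T11:00:00 -     read   customer_db DENY
2019-07-20T13:30:00 carol write  customer_db ALLOW
2019-08-05T17:45:00 bob   export payroll     DENY
"""


def parse_log(text):
    """Parse the constructed format into event dicts; reject malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5 or fields[4] not in ("ALLOW", "DENY"):
            raise ValueError(f"line {lineno}: unexpected format: {line!r}")
        ts, user, action, resource, result = fields
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "result": result,
        })
    return events


def denied_attempts(events):
    """Unauthorised access attempts: every event the system refused."""
    return [e for e in events if e["result"] == "DENY"]


def unattributed_denials(events):
    """Denied attempts with no identifiable principal (checklist question 11:
    individuals must be uniquely identifiable and accountable for access)."""
    return [e for e in denied_attempts(events) if e["user"] in ("-", "")]


def retention_covered(events, now):
    """True when the oldest retained event is at least RETENTION_MIN before now."""
    if not events:
        return False
    oldest = min(e["ts"] for e in events)
    return now - oldest >= RETENTION_MIN


def audit(text, now_iso):
    """Return a list of findings; an empty list means the supplied evidence
    satisfies both requirements. now_iso is the review date as an ISO string."""
    now = datetime.fromisoformat(now_iso)
    events = parse_log(text)
    findings = []
    if not denied_attempts(events):
        findings.append("no denied access attempts in the log; cannot confirm "
                        "that unauthorised attempts are being recorded")
    for e in unattributed_denials(events):
        findings.append(f"{e['ts'].isoformat()} denial on {e['resource']} "
                        "has no identifiable principal")
    if not retention_covered(events, now):
        findings.append("retained log does not span the 90-day minimum "
                        "retention window")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "2019-08-14T00:00:00") or ["no findings"]:
        print(finding)
```

Against the sample log reviewed on 2019-08-14 the retention window is covered, and the only finding is the denial whose principal was not recorded.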


6. PLANNING

6.1 Overview of Privacy Laws in Various Countries: Principles and Main Differences

6.1.1 Most countries have already issued their own privacy regulations. The principles are basically the same, but with significant differences in terms of definition of personal data, basic security measures to adopt, etc. These differences can affect the IS auditor's role, especially when the assignment involves more than one country and/or data repositories are located in another area.

6.1.2 Table 1 lists general principles from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, published by the Organisation for Economic Co-operation and Development (OECD) in 1980 and 2002.

Table 1: GENERAL PRINCIPLES

N | Principle | Explanation
1 | Collection limitation | The collection of personal data is possible with the (explicit) consent and knowledge of the data subject.
2 | Data quality | Personal data are relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, are accurate, complete and kept up-to-date.
3 | Purpose specification | The purposes for which personal data are collected are specified not later than the time of data collection, and the subsequent use is limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4 | Use limitation | Personal data cannot be disclosed, made available or otherwise used for purposes other than those specified above (except with the consent of the data subject or by the authority of law).
5 | Security safeguards | Personal data should be protected by reasonable security safeguards against risks, such as loss or unauthorised access, destruction, use, modification or disclosure of data.
6 | Openness | There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, the main purposes of their use, and the identity and usual residence of the data controller.
7 | Individual participation 1 | An individual has the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him/her.
8 | Individual participation 2 | An individual has the right to have communicated to him/her data relating to him/her: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him/her.
9 | Individual participation 3 | An individual has the right to be given reasons if a request, such as those in principles 7 and 8, is denied, and to challenge such denial.
10 | Individual participation 4 | An individual has the right to challenge data relating to him/her and, if the challenge is successful, to have the data erased, rectified, completed or amended.
11 | Individual participation 5 | Specific procedures must be established so that the individual can communicate to the company if he/she changes his/her mind about the use and disposal of his/her personal information, and these changes must be reflected in all systems and platforms where his/her data is used.
12 | Accountability of data controller | The data controller is accountable for complying with measures that give effect to the principles stated above.

6.1.3 Based on the aforementioned principles, the checklist in table 2 should help to build a comparison between various countries' regulations and represent a rough indicator of how those principles are actually applied. The Ref. column is the reference number to the principles listed in Table 1.

Table 2: CHECKLIST

N | Ref. | Question
1 | 1 | Is collection of personal data regarding an individual, for any kind of processing, NOT possible without either the unambiguous consent of the individual, or for the fulfilment of a contract with the individual, or in accordance with other conditions explicitly permitted by law? Special cases such as public security or national security are excepted; these should be done by the authority of law and authorised by an entity different from the collector.
2 | 1 | Is consent to collecting and/or processing personal data necessary for any third party who needs to access/manipulate them (e.g., outsourcing), and must it be expressed by the data subject by written consent, distinct from the one given to the main contractor (in other words, no data controller can give any third party access to data without the unambiguous explicit authorisation of the data subject)?
3 | 2 | Are data controllers compelled to periodically verify the accuracy of data, and to update or delete irrelevant/excessive/outdated (for the scope of processing) information?
4 | 3 | Are data controllers compelled to communicate the scope of collecting data to the data subject(s)?
5 | 3 | Are data controllers compelled to limit the use of data to the purposes communicated to the data subject(s) when the data were collected?
6 | 3 | Are data controllers compelled to communicate any change of purpose of collecting/processing data to the data subject(s) and to obtain their approval?
7 | 4 | Are there limitations to the use of data which forbid any utilisation/disclosure not explicitly authorised by the data subject(s)?
8 | 5 | Are there requirements about minimum security safeguards requested of the data controllers to protect data against unauthorised disclosure/utilisation?
9 | 5 | Must data controllers prepare and periodically update a security plan?
10 | 5 | Must data controllers periodically conduct a risk assessment?
11 | 5 | Are there requirements that make any individual (belonging to the data controller's organisation) uniquely identifiable and accountable for access to any subject's data?
12 | 6 | Is the identity of the data controller (as an individual or an organisation) necessarily communicated to the data subject(s), as well as the nature of data collected/processed?
13 | 6 | Are there any training or awareness programs in place to alert staff to the requirements of personal information protection?
14 | 7 | Can a data subject ask the data controller for information regarding the existence or nature of data pertaining to him/her?
15 | 7 | Can a data subject obtain his/her data from the data controller and verify them?
16 | 8 | Is there a maximum period of time fixed to answer questions 15 and 16? Yes, the information should be provided in a reasonable manner and in an intelligible form.
17 | 9 | Can a data subject challenge any denial by the data controller to communicate to him/her the existence of data/processing pertaining to him/her?
18 | 10 | Can a data subject have the data pertaining to him/her erased by the data controller? Yes.
19 | 11 | Can a data subject deny at any time to anyone (even if authorised before) the consent to collect data regarding him/her?
20 | 12 | Are there sanctions against data controllers who are not compliant with the above stated principles?
21 | 12 | Are there organisations that have a duty to verify compliance of a data controller with the above stated principles?

7. PERFORMANCE OF AUDIT WORK

7.1 Reviewing an Organisation's Privacy Practices and Procedures

7.1.1 The IS auditor should have a good understanding of the audit planning process. An audit program should be developed including the scope, objectives and timing of the audit. Reporting arrangements should be clearly documented in the audit program.

7.1.2 Consideration should be given to the nature and size of the organisation and its stakeholders. Knowledge of transborder relationships (both within the country and internationally) is important and will help determine the scope and time required for the audit.

7.1.3 The IS auditor should gain an understanding of the organisation's mission and business objectives, the types of data collected and used by the organisation and the legislation applicable to the organisation, which may include privacy requirements. Also, an understanding of the organisational structure, including roles and responsibilities of key staff including the information managers and owners, is needed.

7.1.4 A primary objective of the audit planning phase is to understand the risks to the organisation in the event of nonadherence to privacy legislation/regulations.

7.2 Steps to Perform

7.2.1 The IS auditor should conduct a preliminary privacy assessment to help determine the impact on the organisation if compliance with the relevant privacy legislation is not achieved. This helps to define the scope of the review and should also take into account factors such as the type of information collected, stored and used for various purposes within the organisation.

7.2.2 The IS auditor should determine whether the organisation has the following in place:
• Privacy policy
• Privacy officer
• Data controller
• Training and awareness plan in relation to privacy
• Privacy complaint management process
• Regime of privacy audits conducted against the privacy legislation
• Privacy requirements for outsourced services and contractors

These, if available, should be assessed by the IS auditor to ensure they are in line with the relevant privacy legislation and/or regulations.

7.2.3 The IS auditor should conduct a privacy impact analysis. This involves:
• Identifying, analysing and prioritising the risks of nonadherence to privacy legislation
• Understanding the various privacy measures currently in place in the organisation
• Assessing the weaknesses and strengths
• Recommending strategies for improvement


    7.2.4 A report should be written by the IS auditor that documents the results of the privacy review. The report should include anoutline of the objectives and scope and provide a summary of the type of data and information collected, stored and used bythe organisation.

    7.2.5 The report should include information on the privacy-related risks that face the organisation and a summary of the risk reduction measures or privacy protection strategies that exist.

    7.2.6 Weaknesses identified in the privacy review, whether due to an absence of risk reduction measures or to inadequate measures, should be brought to the attention of the information owners and of the management responsible for the privacy policy.

    7.2.7 Where weaknesses identified during the privacy review are considered to be significant or material, the appropriate level of management should be advised to undertake immediate corrective action.

    7.2.8 The IS auditor should include appropriate recommendations in the audit report to provide management with opportunities to strengthen the organisation's privacy controls.

    8. REPORTING

    8.1 Security Measures Verification Regulations

    8.1.1 Local privacy regulations may require that some security measures are in place to ensure personal data are properly protected against risks of unauthorised access, improper disclosure, modification and/or loss.

    8.1.2 The following is a list of key controls to help provide reasonable assurance that local privacy requirements are satisfied. Please note that local laws or regulations can impose additional measures. The IS auditor should check the applicability and completeness of this table before starting the audit, as stated in table 2 of section 6.1.3.

    8.2 Media Reuse

    8.2.1 A formal procedure to provide reasonable assurance that due care is taken by all personnel with custody of media and documentation containing personal data should exist and be verified.

    8.2.2 Before reusing media (e.g., electronic/digitalised or paper) that previously contained personal data, reasonable assurance should be provided that all information has been deleted. Sometimes, depending on data sensitivity or the nature of the media, it is necessary to destroy the media itself.

    8.3 Training

    8.3.1 Security training should be scheduled regularly for all personnel dealing with personal data.

    8.4 Access Control

    8.4.1 As a general principle, the need-to-know philosophy must be enforced (i.e., any person should be granted access only to the files and archives necessary to perform his/her work).

    8.4.2 Access privileges and user IDs should be assigned according to this policy.

    8.4.3 A written procedure to immediately update/delete user IDs when an employee leaves or is assigned to another department/function should exist and be verified.

    8.4.4 Proper instructions regarding the use of personal computers should be provided and verified. They must include every aspect of individual data security, such as the necessity of performing regular data back-ups, that workstations should not be left unattended, etc.

    8.4.5 The internal network should be adequately protected by the use of security devices, such as firewalls.

    8.4.6 The existence of a contingency plan to restore personal data archives within defined time limits should be verified.

    8.5 Maintenance and Support

    8.5.1 Every maintenance and support access should be logged and monitored.

    8.6 Data Integrity

    8.6.1 Reasonable assurance should be provided that antivirus software is installed on every workstation and that it is regularly updated by subscription to the selected antivirus company.

    8.6.2 The operating system and any applicable software vendors should be checked regularly for the availability of patches/updates.

    8.6.3 Data back-ups should be scheduled regularly on servers, mainframes and personal computers.

    8.7 Access Control to Facilities

    8.7.1 Any person entering the organisation's facilities should be registered. Employees coming to work during off-hours should sign a logbook.

    8.8 Risk Analysis

    8.8.1 A risk analysis aimed at identifying personal data risks and exposures should be carried out on a regular basis.

    9. EFFECTIVE DATE

    9.1 This guideline is effective for all information systems audits beginning 1 June 2005. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

    APPENDIX


    Information Systems Audit and Control Association 2004-2005 STANDARDS BOARD

    Chair, Sergio Fleginsky, CISA, ICI Paints, Uruguay
    Svein Aldal, Aldal Consulting, Norway
    John Beveridge, CISA, CISM, CFE, CGFM, CQA, Office of the Massachusetts State Auditor, USA
    Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP, Tangerine Consulting, Italy
    Christina Ledesma, CISA, CISM, Citibank NA Sucursal, Uruguay
    Andrew MacLeod, CISA, CIA, FCPA, MACS, PCP, Brisbane City Council, Australia
    V. Meera, CISA, CISM, ACS, CISSP, CWA, Microsoft Corporation, USA
    Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Ikanos Communications, India
    Peter Niblett, CISA, CISM, CA, CIA, FCPA, WHK Day Neilson, Australia
    John G. Ott, CISA, CPA, AmerisourceBergen, USA
    Thomas Thompson, CISA, Ernst & Young, UAE

    Copyright 2005
    Information Systems Audit and Control Association
    3701 Algonquin Road, Suite 1010
    Rolling Meadows, IL 60008 USA
    Telephone: +1.847.253.1545
    Fax: +1.847.253.1443
    E-mail: [email protected]
    Web site: www.isaca.org