05. The Nature and Evaluation of IT General Controls
05.08. Data Governance, Management, and Security
Briefly reflect on the following before we begin:
- How does data governance contribute to IT General Controls?
- How do data encryption and privacy controls protect against data breaches?
- What are the challenges in assessing data security and compliance?
Data governance refers to the policies, procedures, and standards that ensure an organization’s effective management and use of data. In this section, we will discuss the importance of data governance by going over how it helps maintain data quality, ensures compliance with regulations, and supports business objectives. We will also explore the various data classification and handling policies organizations use to categorize data based on sensitivity and criticality. This classification guides the implementation of appropriate handling and security measures. We will discuss the importance of having clear policies for data handling, which ensure that data is managed and protected consistently across the organization.
Data encryption and privacy controls are other critical aspects of data governance and management. With the growing concerns around data privacy and the rise in cyber threats, encryption has become a fundamental tool for protecting sensitive data. We will cover the basic principles of data encryption and discuss how privacy controls are implemented to protect personal and sensitive information. By examining the key risks and relevant ITGCs, we will review these critical security measures and their role in safeguarding data. We will also evaluate an organization’s data security practices and compliance with relevant laws and regulations, including data protection measures, privacy policies, and compliance frameworks. Lastly, we will discuss the methodologies and techniques for auditing data governance frameworks and data management processes. This includes assessing the alignment of data management practices with organizational goals and regulatory requirements.
Role of Data Governance in IT General Controls
Data governance, management, and security encompasses an organization’s strategies, processes, and technologies to manage and protect its data assets. It is about instituting a governance framework that ensures data is handled responsibly, used effectively, and safeguarded from threats. It’s a critical aspect of modern business operations, given the centrality of data in decision-making and the growing risks of data breaches and misuse. It also involves defining who has authority and control over data assets and how they are managed and protected throughout their lifecycle. This includes everything from data creation and storage to its use, sharing, archiving, and disposal. The goal is to ensure that data is accurate, available, and secure, supporting the organization’s objectives while complying with legal and regulatory requirements. Poor data management can lead to incorrect decisions, operational inefficiencies, and a loss of trust among stakeholders. Additionally, with increasing regulations around data privacy and protection, such as GDPR and HIPAA, non-compliance can result in significant legal penalties and damage to reputation. Let’s explore critical aspects of data governance, management, and security.
Data classification is the foundation of data governance and involves categorizing data based on its sensitivity, value, and regulatory implications. Organizations typically adopt a tiered classification system with public, internal, confidential, and restricted categories. This classification helps determine each data category’s appropriate access controls, encryption methods, and retention policies. Classification should align with regulatory requirements, such as GDPR for personal data or HIPAA for healthcare information. The process starts with identifying the different types of data the organization handles, including customer data, financial records, intellectual property, and operational information. A classification framework is established, typically consisting of public, internal, confidential, and restricted categories. Each piece of data is then assigned a specific classification based on criteria such as its content, value, and potential impact if exposed or compromised. Metadata is often used to label data with its classification.
Access controls and encryption methods are closely aligned with the data classifications. For example, confidential data may require stricter access controls, such as role-based access control (RBAC) and encryption, to protect it from unauthorized access. Regular data classification reviews and audits are conducted to remain accurate and current. Robust access controls ensure that only authorized personnel can access sensitive data, reducing the risk of data breaches. It is essential to regularly review and update access permissions to reflect personnel changes and evolving business needs. Access control management is a multifaceted process that regulates who can access data, what they can do with it, and under what circumstances. The process begins with robust user authentication methods, including username and password combinations, biometrics, or multi-factor authentication (MFA). Users are assigned roles or groups based on their job responsibilities, and permissions are defined for these roles. Role-based access control (RBAC) is a common approach where roles are associated with specific access privileges. For example, an HR manager might access employee records for hiring and payroll purposes but not financial data. Access permissions are carefully managed and regularly reviewed to align with personnel changes, job roles, and evolving business needs. Audit trails and logs are maintained to track access activities and detect unauthorized or suspicious access attempts.
Data encryption is critical for protecting data at rest, in transit, and during processing. It involves converting data into a coded format that can only be deciphered with an encryption key. It ensures that even if data is intercepted or compromised, it remains unintelligible to unauthorized individuals. Strong encryption is vital for sensitive data like financial records, healthcare information, and intellectual property. Data encryption control is implemented to protect data at rest, in transit, and during processing. In an organization, this process begins with identifying which data requires encryption based on its sensitivity and regulatory requirements. Encryption techniques, such as symmetric or asymmetric encryption, are chosen based on the organization’s specific needs. Encryption keys are generated, securely stored, and managed to ensure that only authorized parties can decrypt the data. Encryption is applied to data stored in databases or storage devices, transmitted over networks, and even within applications to protect data during processing. Regular monitoring and auditing of encryption practices help maintain the security of sensitive information.
Organizations accumulate vast data over time, but not all should be retained indefinitely. Data retention and disposal controls establish guidelines for how long different data types should be included and when they should be securely disposed of. Compliance with data retention regulations, like Sarbanes-Oxley, ensures that organizations maintain data only as long as legally required, reducing storage costs and data security risks. Data encryption control is implemented to protect data from unauthorized access, whether at rest, in transit, or during processing. The process starts with identifying which data requires encryption based on sensitivity, regulatory mandates, and organizational policies. Encryption techniques, including symmetric and asymmetric encryption, are chosen based on the specific requirements.
Encryption keys are generated, securely stored, and managed to ensure that only authorized parties can decrypt the data. Data encryption is applied at various levels, such as encrypting data stored in databases or on storage devices, encrypting data transmitted over networks using secure protocols (e.g., SSL/TLS), and encrypting data within applications during processing. Regular encryption key management and rotation practices are followed to maintain the security of encrypted data.
High-quality data is essential for informed decision-making. Data quality management involves processes and technologies to maintain data accuracy, consistency, and completeness. Data validation checks, data cleansing, and data profiling are techniques used to enhance data quality. Clean and reliable data minimizes errors, reduces operational inefficiencies, and supports better business outcomes. Data retention and disposal control focuses on establishing guidelines for how long different data types should be retained and when they should be securely disposed of. The process starts with categorizing data based on its regulatory and business value. Regulatory requirements, industry standards, and internal policies dictate the retention periods for various data types. Data that has exceeded its retention period or is no longer needed is subjected to secure disposal procedures. These procedures may include physically destroying storage media (e.g., shredding hard drives) or secure deletion of digital files (e.g., using data erasure tools). Organizations must maintain records of data disposal activities to demonstrate compliance with retention and disposal policies. Adherence to these controls reduces the risk of retaining unnecessary data, minimizes storage costs, and mitigates data security risks associated with maintaining obsolete information.
Data privacy and compliance control involves ensuring that an organization collects, processes, and stores data by relevant data privacy regulations and industry-specific compliance requirements. Organizations assess the regulatory landscape to determine which data privacy regulations, such as GDPR, CCPA, HIPAA, or industry-specific standards, apply to their operations. Data mapping involves identifying what data is collected, where it is stored, how it is processed, and who has access to it. This mapping helps organizations understand their data flows and potential points of compliance risk. Organizations then establish procedures for obtaining and managing data subject consent for data processing. Consent records are maintained to demonstrate compliance with consent requirements. Next, guidelines are set to allow data subjects to exercise their rights, such as the right to access their data, request deletion, or rectify inaccuracies. Organizations must have mechanisms in place to respond to these requests promptly. Moreover, Data Protection Impact Assessments (DPIAs) are conducted to assess the impact of data processing activities on data privacy and compliance. These assessments help identify and mitigate risks associated with data processing. Incident response plans are developed to address data breaches or privacy incidents. Organizations must have procedures to detect, report, and respond to data breaches, including notifying regulatory authorities and affected data subjects where required by law. Organizations sometimes appoint a Data Privacy Officer (DPO) responsible for overseeing data privacy initiatives, ensuring compliance, and acting as a point of contact for regulatory authorities.
Despite robust safeguards, data breaches can still occur. Incident response and data breach management controls establish procedures for identifying, containing, and mitigating data breaches. These controls also ensure compliance with breach notification requirements, where applicable. A well-defined incident response plan is critical for minimizing the impact of data breaches on both data subjects and the organization’s reputation. Organizations implement monitoring and detection mechanisms to promptly identify security incidents and data breaches. These mechanisms may include intrusion detection systems, log analysis, and security information and event management (SIEM) tools. Once an incident is identified, organizations have procedures in place for reporting the incident to relevant stakeholders, including internal teams, regulatory authorities, and affected individuals, where required. Then, incidents are classified based on severity, impact, and scope. This classification helps organizations prioritize their response efforts. Next, an incident response team is assembled, consisting of individuals with the expertise to assess, contain, and mitigate the incident. Roles and responsibilities are clearly defined. Immediate actions are taken to stop the incident and prevent further damage. This may involve isolating affected systems, removing malicious code, and addressing vulnerabilities. Organizations can also conduct forensic investigations to understand the incident’s root cause, identify compromised data, and assess the extent of the breach. Depending on the severity and regulatory requirements, organizations may need to notify affected individuals, regulatory authorities, and other stakeholders about the breach. After the incident is resolved, organizations conduct a post-incident analysis to identify lessons learned and areas for improvement in their incident response procedures and security controls. Detailed incident records, response actions, and outcomes are documented for compliance and future reference. Lastly, organizations must continuously improve their incident response capabilities based on lessons learned from previous incidents and changes in the threat landscape. This includes updating incident response plans, training personnel, and enhancing security measures.
Relevant Risks
Organizations face several primary data governance, management, and security risks that can significantly impact their operations and strategic objectives. Understanding these risks is vital for effective risk management and ensuring that the organization’s data is protected sufficiently and appropriately. Let’s consider some of these risks.
| Risk | Description | Example |
|---|---|---|
| Inadequate Data Classification | Correctly classify data based on sensitivity to avoid inconsistent security measures and increased exposure to data breaches. The risk of data breaches and non-compliance with regulations increases. Sensitive data may be inadequately protected, resulting in potential financial and reputational damage. | An organization needs to classify customer data correctly, treating all data equally. As a result, customer payment information needs to be adequately protected, leading to a data breach. |
| Unauthorized Access | Unauthorized individuals gaining access to sensitive data can compromise its confidentiality, integrity, and availability. Potential data breaches, data theft, data manipulation, and unauthorized disclosures can occur, causing reputational harm and legal liabilities. | A former employee retains access to the organization’s systems and accesses confidential financial reports, leading to unauthorized disclosure of sensitive financial information. |
| Data Encryption Failures | Inadequate or misconfigured data encryption measures can result in the exposure of sensitive data to unauthorized parties. Data breaches may occur, and sensitive information could be intercepted or accessed by malicious actors, leading to financial losses and damage to the organization’s reputation. | Encryption keys for customer credit card data must be adequately managed, allowing an attacker to access and steal encrypted credit card information. |
| Data Retention Non-Compliance | Adherence to data retention policies and regulations can result in data being kept longer than necessary, leading to increased legal and compliance risks. Organizations may face legal penalties, data security risks, and excessive storage costs due to the retention of unnecessary data. | An organization retains customer data beyond the required retention period, violating data protection regulations and incurring fines. |
| Data Quality Degradation | Data quality can lead to accurate decision-making, efficient operations, and increased customer satisfaction. Due to inaccurate data, organizations may make incorrect business decisions, experience operational inefficiencies, and lose customer trust. | An e-commerce platform’s product listings must be updated and information corrected, leading to customer complaints and reduced sales. |
| Non-Compliance with Data Privacy Regulations | Failing to comply with data privacy regulations (e.g., GDPR, CCPA) can result in legal actions, fines, and reputational damage. Organizations may face significant financial penalties and loss of customer trust if they mishandle or misuse personal data. | An organization collects customer data without obtaining proper consent and does not provide mechanisms for data subjects to exercise their privacy rights, leading to regulatory fines. |
| Ineffective Incident Response | An efficient incident response plan may result in timely detection and containment of security incidents and data breaches. Extended periods of unauthorized access or data exposure can lead to more extensive data breaches, higher recovery costs, and increased reputational damage. | A company experiences a data breach but needs a well-defined incident response plan, causing delays in identifying and mitigating the impact. |
| Insider Threats | Malicious or negligent actions by employees or insiders can lead to data leaks, unauthorized access, and data sabotage. Insider threats can result in data breaches, loss, and damage to the organization’s reputation, requiring comprehensive monitoring and security measures. | An employee with access to sensitive customer data intentionally leaks it to a competitor for personal gain. |
| Data Disposal Failures | Inadequate or improper data disposal practices can result in sensitive data being exposed, retrieved, or reconstructed. Data breaches, privacy violations, and regulatory non-compliance may lead to legal consequences and reputational harm. | An organization disposes of old computers without securely erasing the hard drives, allowing sensitive business data to be recovered by unauthorized individuals. |
Addressing these risks involves implementing robust security measures, ensuring regulatory compliance, maintaining data quality, enforcing strict access controls, regular backups and recovery planning, unified management across platforms, clear governance policies, monitoring insider threats, and adapting to technological advancements. Effectively managing these risks is essential to protect an organization’s data assets and support its operational integrity and strategic objectives.
Relevant IT General Controls Objectives and Activities
In data governance, management, and security, a subset of IT General Controls (ITGC), several crucial controls ensure information systems’ effective data integrity management. These controls are vital in aligning existing IS with business objectives, managing risks, and ensuring successful outcomes. Let’s consider the primary ITGC objectives for this category.
Data Classification Control
The primary objective of this control is to ensure that all organizational data is consistently classified based on sensitivity, value, and regulatory requirements. This control objective establishes a systematic process for categorizing data according to its characteristics and importance. Organizations can apply appropriate security measures, access controls, and encryption by consistently classifying data to protect sensitive information while complying with relevant regulations.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Implement ACLs to specify who can access and modify data based on its classification. ACLs ensure that only authorized users or groups can interact with sensitive data.
- Develop and enforce data labelling policies that automatically classify data upon creation or modification, making applying access controls and encryption consistently easier.
- Utilize data discovery and classification tools that scan data repositories to identify and classify sensitive information based on predefined criteria.
Access Control Management
This control aims to ensure that only authorized personnel have access to data and that access privileges are aligned with job responsibilities. Access control management aims to regulate who can access organizational data and what actions they can perform. By defining access permissions based on roles and responsibilities, this control objective helps prevent unauthorized access and data breaches, enhancing data security and confidentiality.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Implement RBAC to assign access permissions based on user roles and responsibilities, ensuring users can only access data necessary for their job functions.
- Enforce strong user authentication (e.g., password policies, MFA) and authorization mechanisms to verify users’ identities and control their access to data.
- Regularly review and recertify user access permissions to identify and remove unnecessary or inappropriate access rights.
Data Encryption Control
The purpose of this control is to implement encryption measures to protect data at rest, in transit, and during processing, based on its sensitivity and regulatory requirements. Data encryption control focuses on safeguarding data by converting it into a secure, coded format that can only be deciphered with the appropriate encryption keys. By applying encryption to data, organizations ensure its confidentiality and integrity, especially when stored on devices, transmitted over networks, or processed within applications.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Apply FDE to encrypt all storage devices (e.g., hard drives, solid-state drives) to protect data at rest from unauthorized access in case of physical theft or loss.
- Implement TLS to encrypt data transmitted over networks, ensuring secure communication between users and systems.
- Utilize database encryption solutions to protect sensitive data stored in databases, preventing unauthorized access to the data’s content.
Data Retention and Disposal Control
The primary objective of this control is to establish clear guidelines for data retention periods and secure disposal procedures, ensuring compliance with regulatory and business requirements. This control objective is designed to minimize the risks of retaining unnecessary data. By defining retention periods and secure disposal practices, organizations reduce storage costs, mitigate data security risks, and adhere to legal and regulatory obligations.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Establish clear data retention policies that specify how long different data types should be retained based on regulatory requirements and business needs.
- Develop and document secure data disposal procedures that ensure data is irretrievably deleted or destroyed at the end of its retention period.
- Implement data archiving solutions to store historical data separately from active data, allowing efficient retrieval and retention management.
Data Quality Management Control
The objective of this control is to maintain high data quality standards, ensuring data accuracy, consistency, completeness, and timeliness. Data quality management aims to improve the reliability and utility of organizational data. Organizations enhance data accuracy and usability by identifying data quality requirements, establishing standards, conducting data profiling, and implementing data validation and cleansing processes, leading to more informed decision-making.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Define and enforce data validation rules at the point of data entry to prevent incorrect or incomplete data from entering systems.
- Utilize data quality dashboards and reports to monitor data quality metrics and identify areas requiring attention.
- Employ data cleansing tools that automatically identify and rectify errors, inconsistencies, and duplications to maintain data accuracy.
Data Privacy and Compliance Control
This control ensures that data privacy and compliance with relevant regulations (e.g., GDPR, CCPA) are maintained throughout data processing activities. This control objective addresses the complex landscape of data privacy regulations. It involves mapping data flows, obtaining and managing consent, addressing data subject rights, conducting data protection impact assessments (DPIAs), and establishing incident response and breach notification procedures to maintain compliance and protect data subjects’ rights.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Implement systems to manage and track data subject consents for data processing activities, ensuring compliance with regulations like GDPR.
- Conduct PIAs to assess the impact of data processing activities on data privacy and identify and mitigate potential risks.
- Enhance incident response plans to include specific procedures for addressing data privacy breaches and complying with breach notification requirements.
Incident Response and Data Breach Management Control
The primary purpose of this control is to develop and maintain an effective incident response plan to promptly detect, respond to, and mitigate data breaches and security incidents. Incident response and data breach management control are essential for minimizing the impact of security incidents. It involves incident identification, classification, containment, mitigation, forensics, communication, and continuous improvement efforts to strengthen the organization’s security posture and compliance with incident response requirements.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- Develop incident response playbooks that provide step-by-step guidance for responding to incidents, including data breaches.
- Implement SIEM systems to monitor and detect security incidents and automate incident alerting and reporting.
- Subscribe to threat intelligence feeds that provide real-time information about emerging threats, helping incident response teams stay proactive and informed.
Summarized Audit Program
As discussed in Chapter 3, an audit program is a structured and comprehensive plan that outlines the procedures and activities to assess the effectiveness of an organization’s control environment. Based on the core concepts of data governance and security management ITGCs discussed above, presented below is a summarized audit program highlighting select relevant risks, corresponding ITGCs, and potential ways (audit procedures) to assess the operating effectiveness of such ITGCs. Please note that this is not an exhaustive audit program covering all applicable risks and controls and is provided for your reference only.
| Detailed Description of the Risk and Its Impact | Relevant IT General Control Activity | Detailed Test of Controls Audit Procedure |
|---|---|---|
| Inadequate data classification can result in improper handling and protection of sensitive data. | Data is classified according to sensitivity and criticality, with classifications reviewed and updated annually. Responsibilities include identifying data types (e.g., confidential, internal, public) and ensuring proper classification. | Inspect the documentation from the most recent annual data classification review. Use inspection techniques to verify that data is classified correctly according to the organization’s data classification policy and that the review covers all major data categories. |
| Poor access controls increase the risk of unauthorized access to sensitive data. | Implement robust access control mechanisms, including user access reviews, conducted quarterly. Responsibilities involve setting access permissions based on job roles and running regular reviews to adjust access as needed. | Review two records from recent quarterly access reviews. Use inspection and analysis techniques to assess whether access rights are appropriate based on job roles and that any changes in access rights are properly documented and authorized. |
| Inadequate data encryption exposes sensitive data to potential breaches. | Encrypt sensitive data in transit and at rest, with encryption protocols reviewed semi-annually. Responsibilities include managing encryption keys and ensuring the use of strong encryption standards. | Examine documentation from 1 recent semi-annual review of encryption protocols. Use inspection and analysis techniques to confirm that encryption protocols are up-to-date and that encryption critical management practices are secure and effective. |
| Data quality management can lead to operational inefficiencies and correct decision-making. | Regular data quality checks are performed to ensure accuracy, completeness, and reliability, with checks conducted monthly. Responsibilities include data validation, error checking, and updating data as necessary. | Review two records from recent monthly data quality checks. Use inspection and analysis techniques to verify the effectiveness of data quality management practices and identify recurring data issues. |
| Non-compliance with data protection regulations can lead to legal and reputational risks. | Regular compliance audits ensure adherence to data protection laws and standards, such as GDPR or HIPAA, with audits performed annually. Responsibilities include reviewing data handling practices and ensuring compliance with legal requirements. | Inspect documentation from the most recent annual compliance audit. Use inspection and confirmation techniques to assess compliance with data protection regulations and identify any areas of non-compliance. |
| Ineffective data backup and recovery practices increase the risk of data loss. | Regular data backups are conducted, with backup effectiveness tested quarterly. Responsibilities include ensuring reliable backup processes and maintaining offsite backups. | Review two records from recent quarterly backup effectiveness tests. Use inspection and analysis techniques to confirm that backups are conducted regularly and that backup testing ensures the reliability and effectiveness of the backup processes. |
| Lack of proper documentation and management of data governance policies can lead to inconsistencies and control gaps. | Maintain comprehensive documentation of data governance policies, with policies reviewed and updated annually. Responsibilities include documenting all data governance procedures and ensuring their alignment with business objectives. | Inspect the most recent annual data governance policy review documentation. Use inspection techniques to verify that data governance policies are comprehensive, up-to-date, and aligned with the organization’s data management and security needs. |
In the Spotlight
For additional context on data governance risks and leading practices, please read the article “Beware the Traps of Data Governance and Data Management Practice” [opens a new tab].
Pearce, G. (2022). Beware the traps of data governance and data management practice. ISACA Journal, 6. https://www.isaca.org/resources/isaca-journal/issues/2022/volume-6/beware-the-traps-of-data-governance-and-data-management-practice
Knowledge Check
Review Questions
- What is the primary purpose of data classification within the context of data governance and security?
- Why must organizations establish clear data retention policies and secure data disposal procedures?
- What role does incident response play in data governance and security, and what steps are typically involved in an effective incident response plan?
Essay Questions
- Explain the importance of data classification within the context of data governance and security. Please provide examples of different data classifications and their implications for security measures.
- Describe the critical components of an effective incident response plan and explain their significance in mitigating the impact of security incidents and data breaches.
- Discuss the challenges associated with data privacy and compliance in today’s digital landscape. Provide examples of how organizations can address these challenges to ensure data privacy and compliance with regulations like GDPR.
Mini Case Study
You are a data privacy officer at a European multinational e-commerce company. Your organization collects and processes vast customer data, including personal information, purchase history, and payment details. The company is subject to the General Data Protection Regulation (GDPR) and recently faced a data breach involving customer data. The incident has raised concerns among customers and regulatory authorities. Your CEO has asked you to address the breach immediately and ensure compliance with GDPR.
Required: As the data privacy officer, what steps would you take to respond to this data breach incident and ensure compliance with GDPR? Provide a detailed plan, including key actions and considerations.
