What a security auditor needs to know about privacy compliance
Constant changes in the regulatory environment are putting more pressure on organizations to get data security and privacy right. Some regulations require audits to show compliance, but outside of that, any company that collects, processes or stores sensitive data could benefit from conducting regular security audits. An audit can help to identify gaps in processes and overall security posture as well as uncover any privacy compliance issues that will need to be addressed in order to avoid penalties.
What is a compliance audit?
A security audit evaluates the organization’s information system against a predefined set of criteria. The audit may assess everything from the physical environment and controls to business processes and procedures, IT environment, hardware configurations and user practices.
An audit is typically less comprehensive than a vulnerability assessment, whose purpose is to find potential weaknesses in the IT system. It’s also different from penetration tests, which are sanctioned attacks on the organization by ethical hackers, known as penetration testers, to exploit the organization’s defenses the same way hackers would.
A compliance audit may be narrower in scope than a security audit, because it’s intended to examine policies and procedures as they relate to the laws and regulations that are relevant to the organization. These audits are conducted for different reasons, which may include:
- Mandate by specific regulations, such as the Gramm-Leach-Bliley Act for financial institutions
- Third-party certification for specific framework, such as PCI or CIPL, often to satisfy a customer requirement
- Client’s assessment of a vendor’s or business associate’s security posture, whether as general policy or as required by regulations such as the Health Insurance Portability and Accountability Act (HIPAA)
- Internal assessment of readiness for compliance with regulations such as European Union’s General Data Protection Regulation (GDPR), or in preparation for a formal external audit
- Internal assessment of the organization’s overall effectiveness of practices related to data governance for privacy, confidentiality and compliance and how these practices align with external expectations
Data privacy audits
During a privacy audit, the auditor needs to consider the organization’s key risks and controls in the context of the specific legislative and regulatory requirements as well as best practices. The auditor will review policies and evaluate procedures for how data is collected, created, received, transmitted, maintained, disposed of and so on. The purpose of the audit is to verify compliance, or to identify risks and recommend mitigation strategies.
Ground rules should be agreed upon prior to the audit, such as what kind of access the auditor will need and how access will be provided (in conformity with the organization’s policy for disclosing proprietary information), what security testing methods may be used (if applicable) and how they’ll be used with minimum disruptions to employee workflow, and what documentation will be required for review. The auditor should present a plan for the audit that includes the steps and the expected outcomes.
To identify privacy risks, the audit should consider areas such as:
- IT model: Is the organization using appropriate controls, regardless of whether it processes and stores information on premises or with a hosted (cloud) provider?
- Workflows: How is information transmitted externally and internally, who has access and how is highly sensitive information classified?
- Social media: Are policies in place, and being followed, to avoid accidental disclosure of sensitive information either directly or through aggregating and correlating data sources?
- Wireless/mobile technology: Is there a BYOD policy, and does it address aspects such as location identifiers, unsecure off-premises Wi-Fi connections and unique hardware identifiers?
The auditor should assign inherent risks to the data processes and procedures, and then assess the controls implemented by the organization. The privacy and security controls that the organizations use may include:
- Data encryption, both at rest and in transit
- Privacy and access controls for databases, such as partitioning
- Privileged user management, including restricted access to sensitive information based on user role and job function
- Multi-factor authentication
- Privacy policies that are documented, reviewed regularly and communicated to employees, vendors and other stakeholders
- Ongoing training programs for staff on security and privacy threats and best practices
In addition to assessing controls, the auditor should review risk-management policies, processes and initiatives, which are typically overseen and implemented by high-level leadership. A high-quality audit should include not only reports of findings but also an independent analysis that gives the organization actionable feedback.
Auditing for HIPAA compliance
The Department of Health and Human Services Office of Civil Rights, which enforces HIPAA, has finished its second round of random audits of covered entities and business associates for HIPAA compliance. However, organizations are still subject to investigation and fines in the event of a data-breach incident. Regular audits for HIPAA compliance, whether internal or external and whether voluntary or required by a client or a certification program, can help ensure that risks are proactively identified and mitigated.
Some of the HIPAA compliance aspects that a security auditor should know include:
What constitutes Protected Health Information (PHI)
HIPAA’s Privacy Rule defines PHI as individually identifiable health information that is stored or transmitted in any form or medium and relates to a person’s physical or mental health and condition, provision of health care and payment for the care. This includes past, present and future information, including demographics. Common identifiers such as name, birthdate, address and social security number are also considered PHI when they can be associated with the protected medical records.
The HIPAA Security Rule establishes administrative, technical and physical safeguards both for covered entities and business associates. Some of these safeguards include:
- Technical: Access to files, systems and applications; policies and procedures for protecting data integrity; audit controls for recording and examining activities within information systems; authentication of individuals accessing electronic PHI (ePHI)
- Physical: Policies and procedures for controlling access to facilities, measures for appropriate use of workstations, physical safeguards for workstations that can access ePHI; controls for media and devices including the removal of hardware that contains ePHI
- Administrative: Policies and procedures to prevent, detect, stop and correct violations; governance of employee access to ePHI including authorization, clearance, supervision and termination; security-awareness training for employees
HIPAA is not prescriptive in the type of technology and processes required to meet the privacy protections; rather, it’s designed to be flexible and to scale based on each organization’s situation. Each covered entity or business associate must determine for itself what are considered appropriate and reasonable measures.
GDPR Privacy Compliance
While GDPR doesn’t apply to some businesses — mostly those that are small and only sell their products or services locally and don’t market to European Union citizens — anyone who collects any private information from EU citizens, even as basic as website cookies, has to be in compliance. A few aspects that make GDPR different and auditors should consider include:
Definition of Personal Information
GDPR has a broad definition for personal data, as “any information relating to an identified or identifiable natural person.” An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In other words, even a person’s IP address, hair color or religious preference could be considered personal information if, on its own or with other data, it can be used to identify a specific individual.
One of the GDPR requirements that are not common for other privacy laws is the control that consumers have over their data. In addition to their “right to be forgotten” — the right to request that their data no longer be processed and to be deleted — consumers can also request to inspect and correct data that companies have collected about them. The auditor should review whether the organization has mechanisms and policies in place for satisfying such requests.
Controller versus Processor Obligations
GDPR classifies the “entity that determines the purposes and the means of processing personal data” as the controller, and the entity that processes the data on behalf of the controller as the processor. While processors have legal obligations to process data according to the GDPR, the controller must ensure that it has GDPR-compliant contracts with its processors.
Preparing for an audit
If you’re expecting an external audit, get all your stakeholders involved. You’ll need the participation and cooperation of many people on different teams, and you’ll also want to assemble an audit team to see things through the process. Here’s a checklist with some of the main steps to take:
Inventory Your Data Assets
Theoretically, you’ve done this already as part of your security strategy, but if you haven’t, you can’t get far without this basic step. Since not all your data needs equal safeguarding, your inventory will help you classify your assets, so you know what control levels they need.
Identify the Regulation or Framework You Need to Comply With
As you’ll need a set of criteria to measure against, this step will help you narrow down the list of requirements for this specific audit. In some cases, only some portions of the framework will apply to your business, and you’ll need to further identify which ones. If you’re performing an overall audit of your security and privacy, make sure to include criteria from all the frameworks that are applicable to your business. This step will also help you identify the qualifications your auditor will need to have before you hire one.
Map Out Your Workflows and Components
Besides the data assets, other assets that you’ll need to inventory include your systems and people involved in the data handling. Each component category needs its own policies and procedures, and your auditor will want to take a look at your documentation describing the controls you have.
Conduct Your Own Risk Assessment
Performing a risk assessment ahead of your audit gives you a chance to identify potential gaps internally and act to fix them. In all likelihood, you already have the tools you need to reduce your risk but may not have the right processes or enforcement in place.
Prepare Your Team
The auditor will need access to certain assets, including people. Your team needs to know what to expect and what the procedure will be for working with your auditor. Make sure they know who the point person is on the audit team in case of questions both before and during the audit.
Best Practices for Privacy Audits
The auditor should create written questionnaires to be completed by the different business units that handle sensitive data. The questionnaires should have questions such as:
- What kinds of personal data is being collected and for what purpose?
- What kinds of personal data is being processed and for what purpose?
- What kinds of personal data is being stored and for what purpose?
- How is the personal data collected, processed and stored?
- What kind of consent is required by the individual?
- What steps are taken to ensure the accuracy and integrity of the stored data?
- How is the data disposed of when it is no longer required?
Follow-up interviews may be needed to clarify or expand on the provided answers, or perhaps to understand the rationale behind specific policies or procedures. The auditor’s goal is to determine whether the policies align with the actual processes and workflows.
A matrix is a good tool for organizing the findings and recommendations, and can also include useful notes and resources.
As compliance requirements constantly evolve, auditors need to maintain current knowledge. Some of the ways to keep up with the regulatory climate and best practices include reading industry publications such as HIPAA Journal. Certifications are another good avenue, since they typically have a continuing professional education component.
Likewise, organizations need to keep their employees up-to-date on privacy compliance issues through training programs. They should also have designated staff who owns different policies and are accountable for ensuring they’re current and reflect not only any regulatory changes but also existing company practices.
- CIPL Project on EU GDPR Implementation, Center for Information Policy Leadership
- Why You Need the Cybersecurity Framework, GovTech
- Privacy Audit, Methodology and Related Considerations, ISACA Journal
- “No Slowdown” with HIPAA Enforcement, but Audits Ending, Bank Info Security
- FTC guidance for Gramm-Leach-Bliley Act, FTC
- HIPAA Security Series: Technical safeguards, physical safeguards, administrative safeguards, Department of Health and Human Services
- Guide to the General Data Protection Regulation, U.K. Information Commissioner’s Office
- How to Prepare for a Security and Compliance Audit, OnRamp blog