Privacy Review
Published by: adiltsa on Aug 05, 2009
The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting. They inform:
– IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
– Management and other interested parties of the profession's expectations concerning the work of practitioners
– Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
COBIT resources should be used as a source of best practice guidance. The COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria. As defined in the COBIT Framework, each of the following is organised by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
Control objectives—High-level and detailed generic statements of minimum good control
Control practices—Practical rationales and "how to implement" guidance for the control objectives
Audit guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
Management guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
– Performance measurement—How well is the IT function supporting business requirements?
– IT control profiling—What IT processes are important? What are the critical success factors for control?
– Awareness—What are the risks of not achieving the objectives?
– Benchmarking—What do others do? How can results be measured and compared?
Management guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme. Management guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.
A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.
ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.
The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org), faxed (+1.847.253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and academic relations. This material was issued 15 April 2005.
Page 2 Privacy Guideline
1. BACKGROUND
1.1 Linkage to Standards
Standard S1 Audit Charter states, "The purpose, responsibility, authority and accountability of the information systems audit function or information systems audit assignments should be appropriately documented in an audit charter or engagement letter."
Standard S5 Planning states, "The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards."
Standard S6 Performance of Audit Work states, "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
1.2 Linkage to COBIT
High-level control objective PO8, Ensure compliance with external requirements, states, "Control over the IT process of ensuring compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations is enabled by identifying and analysing external requirements for their impact, and taking appropriate measures to comply with them and takes into consideration:
Laws, regulations and contracts
Monitoring legal and regulatory developments
Regular monitoring for compliance
Safety and ergonomics
Intellectual Property”
Detailed control objective PO8.4, Privacy, intellectual property and data flow, states, "Management should ensure compliance with privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organisation."
1.3 Reference to COBIT
This section gives the COBIT reference for the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IS processes and consideration of COBIT control objectives and associated management practices. For a privacy review, the COBIT processes most likely to be relevant for selection and adaptation are classified as primary and secondary in the following list. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
PO8—Ensure compliance with external requirements
DS5—Ensure systems security
PO7—Manage Human Resources
DS1—Define and manage service levels
DS2—Manage third-party services
DS10—Manage problems and incidents
DS11—Manage data
DS13—Manage operations
M1—Monitor the process
M2—Assess internal control adequacy
M3—Obtain independent assurance
M4—Provide for independent audit
The information criteria most relevant to a privacy review are:
Primary—Effectiveness, compliance, confidentiality and integrity
Secondary—Reliability and availability
1.4 Purpose of the Guideline
1.4.1 The purpose of this guideline is to assist the IS auditor to appreciate privacy and appropriately address the privacy issues in carrying out the IS audit function. This guideline is aimed primarily at the IS audit function; however, aspects could be considered for other circumstances.
This guideline provides guidance in applying IS Auditing Standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgement in its application and be prepared to justify any departure.
1.5 Guideline Application
1.5.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and guidelines.
1.6 Definition of Privacy in an IS Auditing Context—Limits and Responsibilities
1.6.1 Privacy means adherence to trust and obligation in relation to any information relating to an identified or identifiable individual (data subject). Management is responsible for complying with privacy requirements in accordance with its privacy policy or applicable privacy laws and regulations.
Personal data is any information relating to an identified or identifiable individual.
The IS auditor is not responsible for what is stored in the personal databases; however, he/she should check whether personal data are correctly managed with respect to legal prescriptions through the adoption of the correct security measures.
The IS auditor should review management's privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws and regulations, including transborder data flow requirements, such as Safe Harbor and the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (see reference section).
IS auditors should review the privacy impact analysis or assessment carried out by management. Such assessments should:
Identify the nature of personally identifiable information associated with business processes
Document the collection, use, disclosure and destruction of personally identifiable information
Provide management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
Provide reasonable assurance that accountability for privacy issues exists
Create a consistent format and structured process for analysing both technical and legal compliance with relevant regulations
Reduce revisions and retrofit the information systems for privacy compliance
Provide a framework to ensure that privacy is considered starting from the conceptual and requirements analysis stage to the final design approval, funding, implementation and communication stage
IS auditors should determine whether these assessments are conducted as part of an initial privacy review and on an ongoing basis for any change management project, such as:
Changes in technology
New programs or major changes in existing programs
Additional system linkages
Enhanced accessibility
Business process reengineering
Data warehousing
New products, services, systems, operations, vendors and business partners
In assessing the applicable privacy laws and regulations that a particular organisation needs to comply with, particularly for organisations operating in different parts of the globe, IS auditors should seek an expert opinion as to the requirements of any laws and regulations and should carry out the necessary compliance and substantive tests to form an opinion and report on compliance with such laws and regulations.
A data controller is a party who is competent to decide about the contents and use of personal data, regardless of whether such data are collected, stored, processed or disseminated by that party or by an agent on its behalf.
2.1 Privacy in the Connected World
2.1.1 The advancement of communication technology such as the World Wide Web and electronic mail allows the efficient dissemination of information on a global scale. Controls should be in place to ensure the ethical use of this technology and the protection of electronic/digitalised and hard copy personal information. Furthermore, the global promulgation of legislation requires that organisations implement controls to protect individual privacy. This guideline provides a common set of criteria that the IS auditor can apply to assess the effectiveness of security controls designed to ensure personal privacy.
3. INDEPENDENCE
3.1 Sources of Information
3.1.1 The auditor should consider local regulations about privacy and, after that, the global regulations that the organisation is adopting. If the organisation is international, it should consider that local regulations take precedence over enterprise policies, but in this case the organisation additionally must comply with both (e.g., Sarbanes-Oxley for US companies).
4. PROFESSIONAL ETHICS AND STANDARDS
4.1 Need for Personal Data Protection
4.1.1 An increasing number of connections between internal and external registries/data sources and use of the Internet increase the need for privacy in both public and private enterprises. Information regarding life, health, economy, sexual orientation, religion, political opinion, etc., may, if exposed to unentitled people, cause irretrievable harm to individuals.
Laws and regulations regarding privacy exist in many countries, but these are often not well known or specific enough. Therefore, an IS auditor must have a basic knowledge of privacy matters and, when necessary, be aware of the basic differences between various countries' regulations to evaluate the level of protection regarding personal information in an enterprise.