Discover the Facets of Information Governance: Audit
Have you ever frantically searched your wallet, pockets, and bags for your credit card while at the cash register? It’s the moment to pay for whatever you needed from the store, but you can’t find the darned thing. Did you leave it at home, at the previous store, or maybe you dropped it in the street? It will remain a mystery unless you find it somewhere. If someone finds it, will they be a good samaritan and give it back or go crazy buying expensive things with your hard-earned money?
This little parable illustrates the consequences of not knowing where your data is on a micro scale. For today’s organizations, the stakes are exponentially greater. That is why proper data audits are so vital. If you do not know where your data is, who has it and what they can do with it, you are at serious risk. With this post, discover this facet of Information Governance: Audit.
There are a few possible scenarios for data auditing. Audits can be performed to assess data quality. They can be done to find data liabilities like sensitive information in unsafe locations, and remediate them to protect data privacy. Audits can serve to identify suspicious patterns and uncover data leaks. Some audits are carried out to comply with regulatory requirements. Auditing could also be a matter of evaluating a system’s performance to improve its efficiency, and so on. When looking at all this from a higher level, it’s all about protecting data assets and extracting the most value from them by identifying and taking action on system flaws and potential risks.
Where do threats come from?
In organizations, threats come from both internal and external actors. Since all users have different levels of access to data, they don’t appeal to cybercriminals in the same way and are themselves potential threats of varying significance. Whether it’s for security, risk, or compliance, identifying the risk types, the location of high-value data, and who has access to it are all important parts of the first step toward developing and implementing an Information Governance strategy.
An ounce of prevention… is a whole lot better than a pound of cure
So what are the biggest potential threats and how does auditing help counter them?
First, compliance fines. Auditing reduces non-compliance risks. Also, in case of incidents, regulatory authorities tend to be more forgiving when there is evidence of due diligence.
Second, data leaks. Auditing helps detect suspicious patterns, like the leaking of sensitive data through email.
Third, meaningful data breaches. When sensitive content is rapidly moved to secure locations and redundant, obsolete or trivial (ROT) data is purged, what is important can’t easily be accessed and unimportant yet sensitive data can’t be breached since it doesn’t exist.
For organizations to be protected and compliant, security, risk, and compliance teams all work toward pinpointing important and sensitive information. When found, it has to be secured if relevant or subject to retention requirements, or purged if irrelevant. This should happen often as new data is constantly created and stored. This is an internal audit. For compliance with rules and regulations, these audits should leave trails, like breadcrumbs, in the audited files’ metadata. Audit reports have to be produced as evidence that organizations are diligent.
Supervisory review is a kind of audit that has to be performed in financial organizations as per FINRA and SEC requirements. It’s about supervising the communications of the members of these organizations to ensure investors are protected from misleading or incomplete information that could influence their investment choices against their interests. Supervisory review consists of regularly taking representative samples of email communications and analyzing their content so noncompliant behavior can be detected.
Sometimes randomly, or after an incident occurs, organizations can be audited by external parties. These external parties are the authorities regulating certain industries or activities, like the SEC and FINRA for finance or the PCI Security Standards Council for organizations processing payment card data. They have to be granted access to the required data sets to carry out their own audits and, if internal audits are a requirement for them, be able to assess what has and has not been audited internally.
Auditing as a growth driver
Auditing has advantages other than reducing risks. Since data is sanitized, all that is left is pertinent, and analyzing it allows for better decisions to be made. It can also help identify business opportunities that would otherwise have been missed. Removing ROT from systems can improve their efficiency while reducing storage costs.
Why is Audit a facet of Information Governance?
Audit is a facet of Information Governance because this activity reduces the risks related to information and creates value. Proactive auditing allows organizations to stay ahead of the competition by getting better visibility into data, by improving systems while minimizing costs, and by mitigating regulatory and legal risks. In turn, good Information Governance practices allow for better audits because everyone with a stake in organizational information across departments is involved, taking down the silos we usually work in. The continuity of efforts encouraged by IG ensures that auditing is a recurring activity, not a one-time project. Data auditing is the start of something very empowering and rewarding: being data-driven. Good auditing practices are necessary for data analytics, as it's useless to analyze inaccurate or outdated information.
In 2018, Gartner published this assumption about enterprises' data transformation: “By 2020, 80% of organizations will initiate deliberate competency development in the field of data literacy, acknowledging their extreme deficiency.” There is no downside to being ahead of the curve, so why not audit?