With more companies migrating to the digital realm and relying on hacker-susceptible mobile and cloud technologies, data security threats and breaches have increased exponentially. More than 1,037 publicly reported incidents of loss, theft, or exposure of personally identifiable information were recorded in 2011, according to Open Security Foundation/DataLossDB.org.
Companies must deploy an ever-more robust security strategy, using three lines of defense, with internal audit playing a critical role, according to a new PwC U.S. white paper, "Fortifying your defenses: The role of internal audit in assuring data security and privacy."
"Despite all the attention around data security, the risk of breaches is only getting worse, with severe ramifications, not only in terms of dollar costs, but also management attention and company reputation," says Dean Simone, leader of PwC's U.S. risk assurance practice. "To battle the ever-changing hacker profiles and accelerating rate of technological change, companies need to constantly re-evaluate their privacy and security plans. No company, no matter how well it has secured its data, is ever finished maintaining information security and privacy, but by establishing three lines of defense involving internal audit, they are putting in place the best safeguards to deal with critical risks to a business."
According to PwC, most companies do have security controls and privacy policies, and they are often quite comprehensive. All too often, however, no one checks to see whether these protocols are actually being followed. In addition, new threats to information security, which demand new procedures and tools, are often overlooked.
As data thieves become even more inventive, corporate policies, procedures, tools, training, and compliance efforts have not kept up. In certain instances, PwC found that some security capabilities have actually diminished over the last three years. In 2011, only 39% of nearly 10,000 executives in 138 countries said they reviewed their privacy policies annually, compared to 52% in 2009. Only 41% had an identity-management strategy in 2011, a decrease from 48% in 2009.
According to the white paper, government bodies are increasing the penalties they impose on companies whose security flaws allow data breaches. At least 50 countries have enacted data-privacy laws, and more are expected to follow.
"No matter how strong a company's data-security policies and controls are, a company won't really know the adequacy of its defense if it doesn't continually verify that those defenses are sound, uncompromised, and applied in a consistent manner," says Jason Pett, PwC's U.S. internal audit services leader. "Internal audit has to play a far more substantial role in information security, and audit committees must also increase their attention on the increasing risk, heightening the expectations they place on internal audit to place adequate focus on data security and privacy concerns."
To combat the ever-increasing attacks on their data or any critical risk to the business, PwC identified the three lines of defense that companies should initiate:
- Management. Companies that are good at managing information-security risks typically assign responsibility for their security regimes at the highest levels of the organization. Management has ownership, responsibility, and accountability for assessing, controlling, and mitigating risks.
- Risk management and compliance. These functions facilitate and monitor the implementation of effective risk-management practices by management, and help risk owners report adequate risk-related information up and down the firm.
- Internal audit. Internal audit provides objective assurance to the board and executive management on how effectively the organization assesses and manages risks. It is imperative that this line of defense be at least as strong as the first two for critical risk areas.
"Keeping the audit committee apprised of emerging risks and effective ways to address them is a critical role of internal audit, and they must stay ahead of the threat curve. If internal audit stays on the sidelines, a company could rush into launching a new process, product, or system without adequate controls," says Pett. "Internal audit must also understand changes to the business, either internally or externally driven, and move quickly to conduct special audits for new information security threats. In order to effectively monitor and communicate the risks of data security, all companies need internal audit to serve as that strong third line of defense."
http://www.pwc.com/us/en/press-releases/2012/internal-audits-role.jhtml
[This article was posted on August 28, 2012, on the website of ABA Banking Journal, www.ababj.com.]