A New Tool for Fast Times: Continuous Risk Assessment

By Brian Christensen – Executive Vice President
Global Leader – Internal Audit and Financial Advisory Practice

Many internal audit functions work hard to complete one enterprisewide risk assessment each year and then plan, or hope, to rely on it for the next 12 months.

But what good is an annual audit plan that can become obsolete almost overnight by new risks we know are surfacing faster than the expected shelf life of the plan?

Richard Chambers, president and CEO of The Institute of Internal Auditors (IIA), in a recent article for Internal Auditor Magazine, called for the adoption of a new, continuous approach to risk assessment. I couldn’t agree more.

Audit plans need to evolve continuously, incorporating up-to-date information and assessments of potential risks as they emerge. There are several techniques that can be used to do this efficiently and effectively, but they must be embraced and practiced by the entire audit team. As Chambers emphasizes, a continuous risk assessment process can’t be executed by the CAE alone.

To adopt this new approach, Chambers recommends the following steps:

  • Identify key risk indicators (KRIs) – At the beginning of the year, identify KRIs and monitor them continuously, or at least periodically, throughout the year. KRIs can be linked to the results of the annual risk assessment or to risks that are known to be volatile. When anomalies appear in these KRIs, “red flags” should go up, triggering internal audit to evaluate whether risks are shifting and adjust coverage as needed.
  • Conduct “shoe-leather assessments” – This approach involves conducting risk assessment “by walking around.” As the name implies, auditors need to spend quality time with senior management leaders with the intent of learning about new risks as soon as management does. Though they may lack the structure of formal assessments, shoe-leather assessments can uncover vital new information that otherwise may skip detection. It’s imperative that the entire internal audit team develop relationships with all key executives – especially in large organizations with numerous business units – to ensure comprehensive coverage.
  • Establish a “bird’s-eye view” – Chambers recommends “setting your antenna as high as possible” to alert your organization as soon as possible about industry-wide changes, economic trends and other external factors. Practically speaking, this means, among other things, attending professional association meetings and seminars and keeping current with industry publications as some of the ways to see ahead of the curve.

Using these three approaches together best assures protecting the organization. And they work well with other key action steps recommended for CAEs in the most recent Common Body of Knowledge (CBOK) Study by The IIA Research Foundation. It echoes Chambers’s advice and urges organizations to develop a more responsive and flexible risk-based audit plan.

One way to help companies not just realize the importance of but fully embrace continuous assessment is to set new priorities and incentives for the audit team. In other words, make the identification of emerging issues a key performance responsibility for those who report to you directly.

CAEs are encouraged to discuss with executive management and the audit committee the need to make more frequent updates to the audit plan and establish a clear process to make changes to appropriately address emerging risks.

Businesses have improved their ability to manage risks and that’s great. Now it’s time for all of us to learn to do it faster.

Four Things to Know Before Your IPO

It is common sense that an uncertain global economy slows IPO activity, and yet the IPO pipeline is at near-record levels.

In the U.S. market alone, there were more than 270 IPOs priced in 2014, up 23 percent from the prior year. And total proceeds raised reached more than $85 billion, an increase of 55 percent compared with 2013.

My colleague Steve Hobbs, managing director of Protiviti’s Public Company Transformation solution, says that 2014 was one of the strongest IPO years in the last decade, fueled by legislation such as the JOBS Act, which was enacted in 2012 to help ease regulatory burdens on emerging growth companies.

The IPO appeal is immense. But what companies don’t know about the process can drive an offering off the rails in a hurry. Last November, Protiviti held a nationwide webinar highlighting key challenges and offering tips to help companies avoid common missteps. Some highlights from the discussion:

Challenge #1 – Investor Relations: Many companies underestimate the amount and intensity of preparation required, especially regarding the growing demand for transparency from regulators and shareholders.

Just how much is required? For Barracuda Networks, provider of cloud-connected security and storage solutions, the time from IPO process launch to its first public call in January 2014 spanned eight months.

The journey to public company readiness involves a complex array of tasks, deadlines and focal points that require significant time, effort and attention throughout the organization.

Among the many tasks Barracuda tackled: scheduling organizational meetings to educate management on operational metrics; staging a “test-the-waters roadshow” to meet with prospective investors and obtain their feedback; and even holding a full mock earnings call with syndicated analysts to practice interacting with the investment community.

Challenge #2 – Tone at the Top: Setting the proper tone at the top to encourage “buy-in” is a top priority.

Public companies operate in a fishbowl of public disclosure and regulatory compliance. Finance, at the center of IPO preparations, is usually well-prepared by the end of the process; however, establishing a positive tone for compliance throughout the company is the job of executive management.

Another one of my colleagues, Gordon Tucker, managing director and leader of Protiviti’s Technology, Media and Communication Industry practice, recommends promoting compliance infrastructure not just as a system of controls, but as a tool for growth and scalability.

Challenge #3 – Documentation: Establishing documented policies and procedures is critical for expansion.

Beyond the initial buy-in, Tucker also emphasizes the importance of developing and documenting processes to ensure consistency and sustainability across the organization. If you want to be able to scale, new hires should be able to handle transactions according to well established and documented procedures.

Challenge #4 – IT Infrastructure: It is critical to properly assess the organization’s IT readiness.

An organization’s ability to conduct accurate, timely and effective financial reporting and regulatory compliance hinges on the strength of its applications and systems infrastructure. The topics that need to be addressed in this arena include selection and implementation of an ERP system and scaling of IT processes and governance. And during a time when cyberattacks routinely make headlines, it is imperative to evaluate IT security and privacy.

When Protiviti meets with pre-IPO companies’ executive teams, we ask the CFO:

  • Do you know what assets you are trying to secure?
  • Is there somebody in your organization who is responsible for securing the enterprise?
  • Would you know if you were breached? And if you were, would you be prepared to respond in a timely manner?

If the answer to any of those questions is “No,” then it’s probably time to take a look at the IT systems from a security perspective.

The four points above underscore certain of the key challenges of successfully executing an IPO. But they also show where proper preparation can boost the odds in your favor.

And I’ve only skimmed the surface here. For a more thorough analysis, check out the online version of our November 18 webinar entitled “It’s What You Don’t Know That Can Affect Your IPO.”

Jim DeLoach

Is Your Data Safe and Are You Sure?

by Cal Slemp, Protiviti Managing Director
Leader – Security Program, Strategy and Policy Practice

Data is the lifeblood of any organization, fueling nearly every aspect of operations. But with reports of cyberattacks and data breaches making headlines routinely, the question needs to be asked:

Is your business really safe?

There is no better time than now to assess whether you have the protections you want in place to protect your information and data and, equally important, whether your organization is prepared to respond to a crisis.

Protiviti professionals have performed data security fieldwork for decades, and Protiviti has formally surveyed the cybersecurity landscape for the past three years. We’ve identified recurring issues among organizations that threaten to compromise their data security and privacy. To best protect your organization, here are a few key safety measures:

  • Classify data. Not all data is made equal. Some is useful or valuable, and some is critical. Companies should identify their most critical data – the “crown jewels” – and classify it accordingly so its protection can be addressed first. Protiviti’s 2014 IT Security and Privacy Survey indicates developments in data classification that are both positive and negative: While more organizations are becoming aware of the concept of data classification (“don’t know” responses to the question whether the organization has a classification scheme and policy in place dropped almost in half), a full one-third of organizations surveyed admit they have not yet performed such classification. This is a rise from 20 percent in 2013. Let’s hope this high number is tied to the increased awareness and that these companies tackle the complex but important task of data classification soon. With a clear data classification scheme and policy, those companies will be able to identify types of data (sensitive, confidential, non-sensitive, public, etc.) and allocate security resources accordingly.
  • Only keep what you need. Companies should adhere to the principle “If you don’t need it, don’t store it.” Not only is retaining all data and records inefficient and costly, it exposes your organization to a greater security risk and liability. Instead, companies should “stratify” data based on importance and type and then assign appropriate retention periods for each “stratum” according to regulatory and legal requirements, as well as industry- or company-defined standards. What’s alarming is the increase in the number of organizations that fail to adhere to this practice. 17 percent of respondents to our survey acknowledged retaining all data and records without a defined destruction date – up from 9 percent in 2013.
  • Make sure your cloud is safe. Although relatively few organizations are currently moving sensitive information to the cloud, Protiviti’s survey did document a significant year-over-year jump in the use of cloud-based vendors: 8 percent versus 3 percent in 2013. By comparison, 64 percent of respondents said they store sensitive data on on-site servers. For those choosing a cloud-based service, it’s critical to focus on terms and conditions and understand the information security standards that will be used. Many companies are discovering that cloud-based vendors are holding more data than they were contracted to store, potentially escalating risk. A related focus must be to ensure that the physical processing and storage of specific sensitive data is done in concert with established data privacy regulations.
  • Minimize legal exposure with information security policies. In the United States, almost every state has data privacy laws that impose penalties on organizations that expose confidential data. Nearly all of these laws, however, provide for leniency if the organization that suffers a data breach had a written information security policy (WISP) and a data encryption policy in place. Naturally, these policies should be well-communicated and understood by your employees and business partners. The value of such policies, aside from reducing legal liability, is obvious. But shockingly, one-third of respondents in the 2014 Protiviti survey acknowledged not having a WISP, and 41 percent had no data encryption policy.
  • Perform regular fire drills. Even the most secure organizations cannot expect to prevent all breaches. That’s why it’s critical for a company to have a documented crisis response plan, in which everyone involved knows what to do, and the ability to implement this plan quickly in the event of a crisis or cyberattack. Organizations with robust security protocols involve various senior management members, including the CIO, in their crisis response planning to bring different critical perspectives to the process and ensure an effective response. Again, it’s troubling to note that only 56 percent of respondents in our 2014 survey said they had a crisis response plan. Best practice calls for an annual risk assessment and testing of the response plan every six months.

With high-profile breaches making headlines almost daily, it is becoming clear that a security incident is not a matter of “if” but rather, “when.” With so much at stake, isn’t it best to be prepared?

Author’s note: I want to thank SingleHop for providing information to us as part of National Cybersecurity Awareness Month (NCSAM) in October. For more information, visit www.singlehop.com.

OECD Foreign Bribery Report Debunks a Number of Widely Held Beliefs on Bribery

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

Over the past week, since its December 2, 2014 release, anti-corruption nerds everywhere, myself included, have been poring over the recently released Organization for Economic Cooperation and Development (OECD) Foreign Bribery Report – An Analysis of the Crime of Bribery of Foreign Public Officials. For those of you unfamiliar with the report, it is a study of 427 prosecutions of bribery offenses that have been brought in countries that are signatories to the OECD Anti-Bribery Convention, enacted in 1999. The report is a very comprehensive analysis of cases involving bribery of foreign officials, and it debunks some widely held beliefs about bribery and corruption. It also provides valuable insights into the industries in which bribery is most prevalent, categories of bribe recipients and the role of intermediaries, as well as how often corporate management is aware of bribery and how these cases come to light.

Widely Held Belief Number 1: Most Bribes Are Paid in Emerging Markets

The report found that “two-thirds of bribes were paid to officials in countries higher on the UN Human Development Index.” The UN Human Development Index is a composite statistic of life expectancy, education and income indices used to rank countries into four tiers of human development as a means of measuring how developed a country is. While the OECD report pointed out that this number may be somewhat skewed by the fact that more developed countries may be less reticent to share details of their bribery cases, it is a surprising finding nonetheless.

Widely Held Belief Number 2: The Majority of Bribe Payments Are the Acts of Rogue Employees

The report found that 53 percent of cases involved corporate management or CEOs. More specifically, it found that in 41 percent of cases, management-level employees paid or authorized the bribe, and in 12 percent of cases, the CEO was involved. Corporate culture is set by its leadership, and the “tone at the top” is considered one of the ten hallmarks of an effective compliance program. Corporate leadership that tacitly approves bribery with a wink and a nod and gives lip service to compliance but fails to back up compliance personnel and instead overrules them in favor of meeting sales goals or quarterly earnings contributes greatly to this staggering figure.

Widely Held Belief Number 3: Bribery Is Usually the Result of Corrupt Government Regulators or Inspectors

The report examined the unfair business advantages that bribe payers were seeking and found that in 57 percent of cases, bribes were paid to obtain public procurement contracts. The other business advantages sought by bribe payers included customs clearance (12 percent), tax relief (6 percent), other preferential treatment (7 percent), obtaining a license, permit or other form of governmental approval (6 percent) and access to confidential information (4 percent).

The fact that the majority of the 427 cases examined involved bribery to obtain public procurement contracts should cause any company operating outside the U.S. selling to governments and state-owned companies to sit up and take notice. If there is a positive to be gleaned from this statistic, it is that companies involved in bidding on public procurement projects have now been signaled that strengthening controls around public procurement will go a long way toward lowering their exposure to liability under the various anti-bribery statutes to which they may be subject.

Widely Held Belief Number 4: There Is a Staggering Array of Categories of Foreign Official that Could Trigger Corruption Liability

There is, indeed, a wide range of individuals who meet the definition of “foreign official” or “foreign government official.” However, the report shows that 95.1 percent of all bribe value was paid to public officials in only five categories: officials of state-owned enterprises (SOEs) (80.1 percent), heads of state (6.97 percent), government ministers (4.08 percent), defense official (2.93 percent) and customs officials (1.14 percent). Given the volume of bribe value being paid to officials of SOEs, is it any wonder that defense attorneys have been seeking to challenge the terms “foreign official” and “instrumentality of a foreign government”? When considered together with the fact that 57 percent of bribery cases relate to public procurement, this statistic makes board room discussions even more critical within any organization seeking a government contract and engaging with officials of SOEs, heads of state and government ministers in the process.

We’ve had numerous discussions with clients over the years that started with the sentence: “We just had a very uncomfortable conversation with the SEC.” They continue by elaborating that they couldn’t answer basic questions, including “Which of your customers are state-owned, how do you arrive at those conclusions and what is the heightened standard of care that you hold them to?” You either know the answers to these questions or you don’t. Given the statistics we just quoted, companies with international operations would be well served by being able to distinguish readily between the SOEs and government agencies and the private enterprises in their customer base. Companies that can’t answer this basic question and articulate how they go about mitigating the risks associated with interacting with employees of SOEs are not likely to receive a determination of an effective compliance program from anyone who matters.

Other Findings of Note

Numerous Signatory Countries to the OECD Anti-Bribery Convention Have Never Prosecuted a Single Bribery Case

Aside from debunking some widely held beliefs about bribery, the OECD Foreign Bribery Report offered some other very interesting facts, including some it did not explicitly point out. One such noteworthy implication is that there are 41 signatory countries to the OECD Anti-Bribery Convention, yet the 427 prosecution cases brought since it came into force in 1999 come from only 17 countries. Thus, 24 signatory countries to the OECD Anti-Bribery Convention have not prosecuted a single bribery case since signing. Worse still, seven of the 17 that have prosecuted bribery schemes have prosecuted only one scheme each since signing.

The “Hall of Shame” of non-prosecutors includes Argentina, Australia, Austria, Brazil, Chile, Colombia, Czech Republic, Denmark, Estonia, Finland, Greece, Iceland, Ireland, Israel, Latvia, Mexico, New Zealand, Portugal, Russia, Slovakia, Slovenia, South Africa, Spain and Turkey. Nor do Belgium, Bulgaria, Hungary, Luxembourg, Netherlands, Poland and Sweden have much to brag about, as they have each prosecuted only one bribery scheme since signing to the Convention.

Internal Audit and Mergers & Acquisitions (M&A) Activities Triggered Nearly 20 percent of Cases

According to the report, one-third of cases were instigated by self-reporting. Of those, 31 percent were triggered by internal audits and 28 percent by M&A due diligence activity. In total, nearly 20 percent of cases reported to law enforcement were uncovered through this combination of internal audits and M&A due diligence. This fact clearly demonstrates the importance of two of the ten hallmarks of an effective compliance program: Continuous Improvement: Periodic Testing and Review, and Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration.

Internal Audit. In most organizations, internal auditors are generalists. But when considered an extension of the organization’s anti-corruption program – as supported by the report finding – it’s obvious why internal audit should receive advanced anti-corruption training. Specifically, internal auditors should understand key concepts comprising the various anti-corruption statutes to which the organization is subject, the risk factors that can trigger liability, the types of red flags indicative of potential problems, and the investigative steps to follow in the event they suspect a potential violation.

Due Diligence. According to the Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guide), jointly published by the SEC and the U.S. Department of Justice in 2012, “Inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target.”

An important and sometimes overlooked aspect of acquisition due diligence is the performance of an anti-corruption risk assessment. In a perfect world, all acquisition targets have robust anti-corruption programs. In actuality, many small and midsize companies operating overseas do not have any type of anti-corruption program. That is why the performance of a high-level anti-corruption risk assessment is so important.

Gaining an understanding of the company’s ownership group, executive team, customer base, distribution channels, sales and marketing, products and services, activities, and ties to foreign officials will better position a potential acquirer to evaluate the true purchase price, inclusive of any compliance remediation work that may be necessary to properly integrate the entity post-acquisition. Not only will doing an anti-corruption risk assessment on the front end lower the risk of a future bribery violation, it could provide the acquiring company with additional leverage in negotiating a more favorable purchase price.

75 Percent of Cases Involved Payments Through Intermediaries

The OECD Foreign Bribery Report validated what most everyone in the anti-corruption field has known for a long time: the majority of bribes (75 percent) are paid by intermediaries. Of these, 41 percent fall into the category the report refers to as “agents.” The term is actually broader than the name suggests and includes sales and marketing agents, distributors and brokers. The next most popular type of intermediary (35 percent) is what the report calls “corporate vehicle.” Corporate vehicle is a term for a mishmash grouping of subsidiary companies, local consulting firms, offshore companies in tax havens and companies established under the beneficial ownership of bribe payers or recipients.

While third-party anti-corruption due diligence has become a cottage industry in the past five years or so, many organizations still employ a fairly minimalist approach to vetting their intermediaries, focusing most if not all of their efforts on commissioned sales agents since they represent the greatest degree of risk. While for most companies placing their initial focus on agents is justified, many other categories of intermediaries also pose potential corruption liability. Companies would be well served by conducting an inventory of their business intermediaries so that they can categorize them based upon the relative bribery risk they may represent. Such categorization should include how long the intermediary has been in existence, whether its primary role is to engage with a specific government agency or state-owned company on behalf of its clients and whether any of its control persons were previously in senior roles within those agencies or SOEs.

Often overlooked in the group of intermediaries are service providers such as attorneys or accountants. And before the GlaxoSmithKline case, who would have thought that there was intermediary risk associated with travel agents? A critical success factor for understanding third-party risk is to identify the universe of business intermediaries and focus attention on what they do rather than what label is used to describe them. Often, entities working in a commissioned sales agent role are referred to as “consultants,” which could cause this category to be overlooked, especially if the third-party management program is sales agent-centric. A more useful approach is to focus on compensation, including whether the intermediary is paid as a percentage of a sale or on a contingency fee or success fee basis.


The OECD Foreign Bribery Report provides the latest evidence that foreign bribery remains pervasive, and enforcement outside of just a handful of OECD signatory countries ranges from infrequent to non-existent. It paints a vivid picture of corruption as global and spanning multiple industries, with bribe payers who are increasingly sophisticated in how and through whom they pay bribes and how they conceal their activity through a web of opaque legal entities in offshore safe havens.

The report should be required reading for anyone in compliance and for any company’s senior leadership. By studying the report and understanding the various ways that companies can trigger liability under the FCPA and other international anti-bribery statutes, companies can develop better anti-bribery controls and raise awareness across their organizations, through their sales and distribution channels and into their customer bases. By applying the lessons learned from the report and through their own experiences and tailoring their programs accordingly, companies will become less attractive to bribe takers, and unscrupulous third parties and employees may think twice before paying bribes if they think they are at risk of detection and prosecution.

A Global Look at IT Audit Best Practices from ISACA and Protiviti

by David Brand
Managing Director – Leader, IT Audit Practice

There is no disputing technology’s role in business today as an enabler of virtually every process and function. With this enablement and the advantages IT brings also come global risks – security, cyberattacks, privacy issues, data breaches, governance, asset management and much more. The critical question we ask is: Are IT audit practices keeping pace in order to assess, monitor and mitigate critical risks coupled to a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey.

Our 5 key findings from this year’s study:

  1. Cybersecurity and privacy are primary concerns – This area is rated as the top technology challenge and also may be driving trends such as increasing involvement from audit committees in IT auditing activities.
  2. Companies face significant IT audit staffing and resource challenges – Not only is this issue ranked among the top technology challenges, but it is an undercurrent in many of the survey findings, including the use of external resources to support IT auditing efforts.
  3. Audit committees, as well as organizations in general, are becoming more engaged in IT audit – More organizations have a designated IT audit leader, and over the past three years, the percentage of IT audit leaders that regularly attend audit committee meetings has doubled.
  4. IT audit risk assessments are not being conducted, or updated, frequently enough – Given the dynamic nature of technology change and risk, it is surprising to find that some companies still do not conduct IT audit risk assessments. Not only must IT audit risk assessments be performed, but they also should be reviewed and, if necessary, updated on a quarterly basis or more frequently. However, a majority of companies are conducting these reviews annually or even less frequently.
  5. There’s room for growth in IT audit reports and reporting structures – A majority of companies do not issue enough IT audit reports, and many still have the IT audit leader in a less-than-ideal reporting structure.

IT Audit Benchmarking Survey Infographic

Check out our infographic here. To view and download our report with detailed results from our study, visit www.protiviti.com/ITAuditSurvey.


You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect

Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice

In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.


Cyber-crime targeting of commercial enterprises and organizations is rampant. Increasingly sophisticated organized crime groups are gaining improper access to point-of-sale systems and corporate networks to steal credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, as well as other sensitive data.

In addition, certain countries have historically utilized their intelligence agencies to use intelligence-gathering techniques to steal information such as computer source code, product formulas, and design information about new products or processes. These types of state-sponsored economic espionage often target technology-centric industries, including computer software and hardware, biotech, aerospace and defense, telecommunications, transportation and engine technology, automobiles, machine tools, energy, materials and coatings, and so on.

The high-tech sector is widely considered to be the most frequently targeted area for economic espionage, although any industry with information of possible use to foreign governments and their commercial sectors is at risk. Increasingly, these government intelligence agencies are using hacking techniques to gain access to commercial secrets.

Whether it is organized crime that is seeking to gain access to your network or a foreign government seeking to obtain the product formulation of the next wonder drug, companies’ most valuable information is stored electronically on their networks and individual computer workstations. While companies expend tremendous sums of money and resources securing their networks and testing their security, sometimes the issue is not knowing the universe of sensitive data that they possess, where and how it is stored, and who has access to it.

Knowing where your data resides is, in many instances, half the battle. Trying to identify an organization’s “crown jewels,” or key assets, is equally important. Boards of many major corporations are scrambling to implement security controls to processes in order to safeguard their organizations, but many also need to focus on risk management to identify their crown jewels when implementing these controls and safeguards.

Often, information about what valuable data the company has, where it is stored and who may have access to it is determined only after there has been a breach. As network security experts trace the activities of the hackers to see what systems and applications were accessed illicitly, they learn what information was stored and whether it was exfiltrated from those devices. Indeed, one of the most challenging issues for internal auditors as well as IT security professionals, when assessing their company’s information security, is not only understanding the systems and the security controls designed to monitor, detect and prevent data breaches, but also taking an inventory of the various categories of sensitive data stored electronically across the organization, identifying specifically where it is located, and determining who has access to it.

Without this critically important information, internal auditors and others charged with the responsibility of assessing the effectiveness of network security and the extent to which the company’s most sensitive data may be exposed are severely restricted.

Some sensitive data is of obvious interest to hackers, and it is fairly straightforward to assess how it is collected, where it is stored and how it can be accessed. Knowing who accessed data, and when, is equally if not more important. Being able to pinpoint who has accessed data is critical to any organization trying to protect its data. Logging and monitoring controls enable organizations to accomplish this.

During a forensics investigation, trying to find the source of a breach is like trying to find a needle in a haystack. And with no or only limited logging and monitoring controls, that needle in a haystack becomes a needle in an open field. Sensitive data includes customer information, credit card numbers, personnel records, and payroll and banking information, among other assets deemed to be the organization’s crown jewels. The challenge is in determining what other types of sensitive data may exist and where. Such sensitive information includes corporate development (M&A) information, prototypes, source code, customer lists, proprietary pricing information, legal files, human resources data, and other data that, were it to be released, would be commercially damaging to the company.

What steps should companies take to better understand where their valuable data is?

  • Before companies understand where it is, they need to understand what it is or what their crown jewels are.
  • Survey key business units and obtain a list of their most sensitive data and IP by category.
  • Determine what added security may be in place to protect that data.
  • Request information about where the data is stored, how it is secured and how access is controlled.
  • Integrate what is learned by this data gathering exercise into future IT security audits.
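The logging-and-monitoring point made above (being able to pinpoint who accessed data, and when) and the five inventory steps just listed can be tied together in a small review script. The following Python program is an added example, not code from the original post or from Protiviti. It takes a constructed sensitive-data inventory of the kind the business-unit survey would produce (every asset name, classification, storage location, owner unit and authorized group is hypothetical), parses constructed access-log lines in a made-up format, and reports accesses by principals outside an asset’s authorized groups, log entries for assets that are not in the inventory at all, who touched each crown-jewel asset, and critical assets whose recorded access control is effectively open.

```python
"""Sensitive-data inventory joined against access logs (added example).

Not Protiviti's code. Every asset, group, user and log line below is
constructed for illustration, and the log line format is hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class DataAsset:
    name: str                          # hypothetical asset identifier
    classification: str                # "critical" (crown jewel), "sensitive" or "public"
    location: str                      # system or share where the data is stored
    owner_unit: str                    # business unit that reported the asset
    authorized_groups: FrozenSet[str]  # groups allowed to access it


# Constructed inventory: the output of surveying each business unit.
INVENTORY = {a.name: a for a in [
    DataAsset("product-formula", "critical", "fileserver-rd", "R&D", frozenset({"rd-chemists"})),
    DataAsset("source-code", "critical", "git-internal", "Engineering", frozenset({"developers"})),
    DataAsset("customer-list", "critical", "crm", "Sales", frozenset({"everyone"})),
    DataAsset("payroll", "sensitive", "hr-db", "HR", frozenset({"hr-payroll"})),
    DataAsset("press-kit", "public", "web-cms", "Marketing", frozenset({"everyone"})),
]}

# Constructed group membership, as an identity directory would supply it.
GROUPS = {
    "alice": {"rd-chemists"},
    "bob": {"developers"},
    "carol": {"hr-payroll"},
    "dave": {"marketing"},
}

# Hypothetical log line format: "<timestamp> user=<u> action=<a> asset=<name>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) asset=(?P<asset>\S+)$")

# Constructed sample log.
SAMPLE_LOG = """\
2014-11-18T09:01:22Z user=alice action=read asset=product-formula
2014-11-18T09:05:10Z user=bob action=read asset=source-code
2014-11-18T09:07:45Z user=dave action=read asset=press-kit
2014-11-18T10:15:00Z user=carol action=read asset=payroll
2014-11-18T10:16:00Z user=erin action=read asset=unknown-share
2014-11-18T23:41:02Z user=dave action=read asset=product-formula
2014-11-18T23:42:30Z user=dave action=copy asset=source-code
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_authorized(user, asset, groups):
    """True when the asset is open to everyone or the user is in an authorized group."""
    if "everyone" in asset.authorized_groups:
        return True
    return bool(groups.get(user, set()) & asset.authorized_groups)


def review_access(events, inventory, groups):
    """Join events to the inventory and return (findings, crown_jewel_readers).

    findings: list of (kind, user, asset, timestamp) in log order, where kind is
      "unauthorized"  - principal outside the asset's authorized groups
      "uninventoried" - the asset named in the log is not in the inventory
    crown_jewel_readers: {critical asset name: sorted users who touched it}
    """
    findings = []
    readers = defaultdict(set)
    for ev in events:
        asset = inventory.get(ev["asset"])
        if asset is None:
            findings.append(("uninventoried", ev["user"], ev["asset"], ev["ts"]))
            continue
        if asset.classification == "critical":
            readers[asset.name].add(ev["user"])
        if not is_authorized(ev["user"], asset, groups):
            findings.append(("unauthorized", ev["user"], asset.name, ev["ts"]))
    return findings, {name: sorted(users) for name, users in readers.items()}


def inventory_gaps(inventory):
    """Critical assets whose recorded access control is empty or open to everyone."""
    return sorted(
        a.name for a in inventory.values()
        if a.classification == "critical"
        and (not a.authorized_groups or "everyone" in a.authorized_groups)
    )


if __name__ == "__main__":
    findings, readers = review_access(parse_log(SAMPLE_LOG), INVENTORY, GROUPS)
    for f in findings:
        print("FINDING", *f)
    for name, users in readers.items():
        print("crown jewel", name, "accessed by", ", ".join(users))
    print("inventory gaps:", inventory_gaps(INVENTORY))
```

Run as a script it flags the two late-night reads of crown-jewel assets by a user outside their authorized groups, the access to a share nobody inventoried, and the one critical asset recorded as open to everyone. In practice the inventory is the survey output, the group map comes from the identity provider, and the review runs on a schedule over exported logs; the "uninventoried" finding is the one that feeds back into the last step above, since it points at data the survey missed.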