Saturday, April 4, 2009

Privacy Compliance

Privacy, the current focus for corporations, presents a new set of potential liabilities that have to be addressed by audit and information security. Worse yet, this complex set of issues is not being handled by general control reviews, segregation of duties (SOD), access controls, or even accounting controls.

Privacy policies, if in place, have to encompass various requirements, such as the handling of personally identifiable information (PII), some of which seem almost contradictory. Generally, privacy is the safeguarding of information that can be identified with a person. The right to privacy implies ownership rights to one's own personal data.

For organizations, the concern is how to define, protect, and respond to privacy issues. Thus, auditors need to determine whether privacy-related information handling meets various privacy requirements.

A good starting point is to examine the current privacy statements, especially those sent to customers, and trace back to ensure that what is promised is adequately covered by policies, procedures, and actual practices. This will help avoid potential false and deceptive business practice issues arising from not actually performing what has been promised to customers.
