Big Data - Work Program - 02 - Data Security Management (10 24 2013)

Data Security Management

Scope
Date

Client Name
Protiviti Team:
(Insert Team Member Name)
(Insert Team Member Name)
Big Data Work Program – Data Security Management

Process Overview
Data Security Management consists of the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets. Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and update is restricted. Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization. Client, supplier, and constituent relationships all trust in, and depend on, the responsible use of data. Time invested in better understanding stakeholder interests and concerns generally proves to be a wise investment. An effective data security management function establishes judicious governance mechanisms that all stakeholders can reasonably abide by in daily operations.

Table of Contents
1. Understand Data Security Needs and Regulatory Requirements
2. Define Data Security Policy
3. Define Data Security Standards
4. Define Data Security Controls and Procedures
5. Manage Users, Passwords, and Group Membership
6. Manage Data Access Views and Permissions
7. Monitor User Authentication and Access Behavior
8. Classify Information Confidentiality
9. Audit Data Security

** CONFIDENTIAL ** For internal use only Page of


Ref | Control Objectives | Testing Procedures | Test Results

1. Understand Data Security Needs and Regulatory Requirements

Related Risk: Data security needs and requirements do not map to the company’s short term or long term goals, or do not address regulatory requirements. This may lead to compliance, reputational or financial impact.

1.1 Control Objective: Data security needs and requirements address the organization’s privacy, confidentiality, and regulatory requirements.
Testing Procedures:
1. Determine if the organization has a formally defined data security strategy that addresses the privacy and confidentiality requirements of the organization.
2. Verify that the data security strategy addresses the regulatory requirements that affect the organization (e.g., Sarbanes-Oxley, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, etc.).
3. Confirm with management that data security processes are in place to ensure compliance with the applicable regulations identified in Test Step 2.
4. Verify that a process is in place to track changes and updates to applicable regulatory requirements and to address these changes in a timely manner.
Test Results: Test results should be detailed here, and work paper references should be included at the end of each sentence as follows: [WPXX]. Once fieldwork is complete, each work paper should be assigned a unique number (e.g., WP01, WP02, WP03, etc.). Exception related text should be in red font and summarized in the “Observations” section.
Observations: Section to be populated with any exceptions or “No exceptions noted”.
Work Papers: WPXX – Work Paper File Name.doc

2. Define Data Security Policy

Related Risk: Absence of a data security policy may leave employees unaware of privacy policies and procedures, which may lead to exposure of sensitive data.

2.1 Control Objective: Data security policies and procedures have been defined, documented, and communicated.
Testing Procedures:
1. Determine if the organization has a data-centric security policy that defines the individual application, database roles, user groups, and password requirements. The policy should be owned by a data governance council or similar governing structure. Note: It is common for the IT Security Policy and Data Security Policy to be part of a combined security policy. The preference, however, should be to separate them out.
2. Confirm that data security policies are made available to all employees.
3. Verify that a process is in place to periodically review and approve data security policies.
4. Inquire as to the process for verifying that data security policies and procedures address the applicable regulatory requirements.

2.2 Control Objective: Clear ownership, roles, and responsibilities have been defined related to the security of data.
Testing Procedures:
1. Determine if a person or group has been formally assigned the responsibility of ensuring the security of data (e.g., data governance council).
2. Select a sample of data repositories and confirm that roles and responsibilities have been formally defined for the security of the data contained within those repositories.

3. Define Data Security Standards

Related Risk: Data security standards are not aligned with local or national privacy laws and the company’s policies, which may lead to compliance and financial impacts.

3.1 Control Objective: Data security standards have been documented to define the means for achieving compliance with data security policies.
Testing Procedures:
1. Verify that security standards have been established that address the following:
- Database security
- Data encryption standards
- Access guidelines for external vendors and contractors
- Data transmission protocols over the internet
- Documentation requirements
- Remote access standards
- Security breach incident reporting
- Access to data using mobile devices
- Storage of data on portable devices
2. Verify that physical security standards have been established that address the following:
- Access to data using mobile devices
- Storage of data on portable devices such as laptops, DVDs, CDs or USB drives
- Disposal of these devices in compliance with records management policies

4. Define Data Security Controls and Procedures

Related Risk: Security controls and procedures do not address company policies or compliance obligations, which may lead to financial and compliance related impacts.

4.1 Control Objective: Individuals are informed as to how their data will be used.
Testing Procedures:
1. Inquire as to the process for informing individuals as to how their data will be used.

4.2 Control Objective: Client data is not used for purposes outside of those detailed in the client notice or contract.
Testing Procedures:
1. Inquire as to the process to monitor the use of personal data.
2. Confirm that client data is not used for purposes outside of those detailed in the client’s notice or contract.

4.3 Control Objective: Sensitive data is not used for testing purposes.
Testing Procedures:
1. Inquire with management as to the data used for testing purposes. Confirm that sensitive data is not used for testing, or that the data is scrubbed prior to use in testing.
2. Understand and review a sample of test data to identify where it exists and where it originated.
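To show what the scrubbing and the review in 4.3 look like in practice, the following Python script is an added example; it is not part of the Protiviti work program, and its record layout, sample rows and scrubbing key are constructed. It locates SSN- and card-like values in an extract (step 2), replaces direct identifiers with keyed, format-preserving synthetic values so that joins between tables still line up, and then checks that no original identifier survives in the output (step 1).

```python
"""Locate sensitive fields in a production extract and scrub them before the
extract is used as test data. Added example for control 4.3; it is not part of
the work program. Record layout, sample rows and the key are constructed."""
import hashlib
import hmac
import re

# Constructed sample of the kind of extract testers might be handed.
SAMPLE_ROWS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@corp.example",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "balance": "1520.00"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@corp.example",
     "ssn": "987-65-4321", "card": "5500 0000 0000 0004", "balance": "75.10"},
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@corp.example",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "balance": "1600.00"},
]
# Scrubbing key (constructed): generate one per engagement, keep it with the
# scrubbing team, and never ship it alongside the test data.
KEY = b"example-scrub-key-do-not-reuse"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; tells card numbers apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(rows):
    """Step 2 of 4.3: report (row index, field, kind) for SSN- and card-like values."""
    hits = []
    for idx, row in enumerate(rows):
        for field, value in row.items():
            if SSN_RE.search(value):
                hits.append((idx, field, "ssn"))
            for m in CARD_RE.finditer(value):
                if luhn_ok(re.sub(r"[ -]", "", m.group())):
                    hits.append((idx, field, "card"))
    return hits


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token: equal inputs give equal tokens, so joins between
    tables still line up, but nothing is reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def luhn_check_digit(partial: str) -> str:
    return next(d for d in "0123456789" if luhn_ok(partial + d))


def scrub_row(row: dict, key: bytes) -> dict:
    """Replace direct identifiers with synthetic, format-preserving values derived
    from a token of the customer id; non-identifying fields are left as they are."""
    tok = pseudonym(row["customer_id"], key)
    num = int(tok, 16)
    out = dict(row)
    out["name"] = "Customer " + tok[:8]
    out["email"] = tok[:12] + "@example.com"
    ssn = str(num % 10**9).zfill(9)            # synthetic, not an issued SSN
    out["ssn"] = f"{ssn[:3]}-{ssn[3:5]}-{ssn[5:]}"
    body = str(num % 10**15).zfill(15)         # synthetic card number, Luhn-valid
    out["card"] = body + luhn_check_digit(body)
    return out


def scrub(rows, key=KEY):
    return [scrub_row(r, key) for r in rows]


def leaked_values(original_rows, scrubbed_rows, fields=("name", "email", "ssn", "card")):
    """Review step: any original identifier still present anywhere in the scrubbed
    output (ignoring spaces and dashes) is a leak."""
    def norm(s):
        return re.sub(r"[ -]", "", s)
    originals = {norm(r[f]) for r in original_rows for f in fields}
    blob = norm("\n".join("|".join(r.values()) for r in scrubbed_rows))
    return {v for v in originals if v in blob}


if __name__ == "__main__":
    print("sensitive fields found:", find_sensitive(SAMPLE_ROWS))
    cleaned = scrub(SAMPLE_ROWS)
    print("leaked originals:", leaked_values(SAMPLE_ROWS, cleaned))
```

Because the replacements keep the original format, a pattern scan of the scrubbed output will still flag them; that is why the review step compares the output against the original values rather than relying on the scan alone. Anyone holding the key can recompute the token for a known input, so the key is handled as a secret of the scrubbing team, not as part of the test data set.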

5. Manage Users, Passwords, and Group Membership

Related Risk: Inappropriate user management procedures may allow individuals unauthorized access to functions and information assets, which may lead to financial and compliance related impacts.

5.1 Control Objective: Procedures exist to ensure that requests for new or modified user access are documented and approved prior to access being granted to information assets.
Testing Procedures:
1. Inquire with management to determine the processes in place to grant new or modified user access to information assets. Confirm that documented approval is required prior to access being granted.
2. Obtain a list of user access to information assets and select a sample of users for testing.
3. Review the access requests for the sample selected in Test Step 2 and confirm that they are appropriately documented and approved.
4. Verify that the access privileges granted were the privileges requested and that the granted privileges appear appropriate given the job function of the user.
5. Confirm that access is assigned on a “least privilege” basis and that privileges are not mirrored from existing users.

5.2 Control Objective: User identity data and role-group membership data is centrally managed.
Testing Procedures:
1. Inquire with management to confirm that user identity and role-group data (ID, name, title) is centrally managed to ensure data integrity and consistency.

5.3 Control Objective: All users are uniquely identifiable and user activity is traceable to a single individual.
Testing Procedures:
1. Inquire with management to confirm that users authenticate to information assets with unique IDs that are traceable to an individual.
2. Obtain user listings for information assets.
3. Review the respective user listings and identify user accounts that appear to be generic. If any exist, seek business justification for the generic account.

5.4 Control Objective: User passwords are controlled according to formal password standards and procedures.
Testing Procedures:
1. Inquire with management to determine the password policies and procedures in place. Confirm that password standards address the following:
- Password length
- Password complexity
- Password history
- Frequency with which passwords must be changed
- Forbidden passwords
2. Obtain the password requirements for applicable information assets.
3. Verify that the settings identified in Test Step 1 are set appropriately, or to the maximum security level allowed by the system.

5.5 Control Objective: Procedures are in place to ensure that access to information assets for terminated users is disabled in a timely manner.
Testing Procedures:
1. Inquire with management to confirm that access for terminated users is disabled in a timely manner to mitigate the risk of unauthorized access via their old accounts.
2. Review a listing of terminated individuals that had access to information assets and select a sample of terminated users. Compare the sample to the listing of current users and confirm that no terminated individuals appear on the current user listing.

5.6 Control Objective: A process exists to periodically review and confirm access rights.
Testing Procedures:
1. Inquire with management as to whether user access to information assets is periodically reviewed.
2. Obtain a sample of periodic review documentation and confirm that any changes to access indicated in the review were completed in a timely manner.
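The terminated-user comparison in 5.5, the generic-account review in 5.3 and the approved-versus-granted check in 5.1 are all joins between listings, and the following Python script is an added example of doing them in one pass; it is not from the work program, and its HR roster, user listing, approval register, column names and generic-account naming patterns are constructed assumptions.

```python
"""Reconcile an information asset's user listing against HR and approved-access
records. Added example covering test steps in 5.1, 5.3 and 5.5; it is not part
of the work program. The three inputs are constructed CSV extracts and their
column names are assumptions."""
import csv
import io
import re
from datetime import date

# Constructed HR roster: who is a current employee and when leavers left.
HR_ROSTER = """\
employee_id,login,status,termination_date
E100,jdoe,active,
E101,asmith,terminated,2013-09-30
E102,bwong,active,
E103,kpatel,terminated,2013-10-18
"""

# Constructed user listing as exported from the asset (roles separated by ';').
USER_LISTING = """\
login,enabled,roles
jdoe,Y,analyst
asmith,Y,analyst;finance_rw
bwong,Y,analyst
kpatel,N,admin
admin,Y,admin
svc_etl,Y,etl_rw
shared_reports,Y,analyst
"""

# Constructed register of approved access requests.
APPROVED_ACCESS = """\
login,approved_roles,approver
jdoe,analyst,mgr1
asmith,analyst,mgr1
bwong,analyst,mgr2
svc_etl,etl_rw,mgr3
"""

# Naming conventions that usually mark shared or service accounts (assumption).
GENERIC_RE = re.compile(r"^(admin|root|guest|test\d*|svc_|shared|generic|temp)", re.I)


def load(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def enabled_accounts(listing_rows):
    return [r for r in listing_rows if r["enabled"].upper() == "Y"]


def terminated_still_enabled(hr_rows, listing_rows, as_of: date):
    """5.5: terminated people whose account is still enabled, with the number of
    days the account has outlived the termination date."""
    enabled = {r["login"] for r in enabled_accounts(listing_rows)}
    findings = []
    for r in hr_rows:
        if r["status"] == "terminated" and r["login"] in enabled:
            term = date.fromisoformat(r["termination_date"])
            findings.append((r["login"], (as_of - term).days))
    return findings


def generic_accounts(hr_rows, listing_rows):
    """5.3: enabled accounts that are not tied to a person in HR, or that are
    named like shared accounts; each needs a business justification."""
    people = {r["login"] for r in hr_rows}
    return sorted(r["login"] for r in enabled_accounts(listing_rows)
                  if r["login"] not in people or GENERIC_RE.match(r["login"]))


def privilege_exceptions(listing_rows, approved_rows):
    """5.1 steps 3-5: enabled accounts with no approved request, or holding roles
    beyond those approved (privileges mirrored from a colleague show up here)."""
    approved = {r["login"]: set(r["approved_roles"].split(";")) for r in approved_rows}
    out = []
    for r in enabled_accounts(listing_rows):
        held = set(filter(None, r["roles"].split(";")))
        if r["login"] not in approved:
            out.append((r["login"], "no approved request", sorted(held)))
        elif held - approved[r["login"]]:
            out.append((r["login"], "roles beyond approval", sorted(held - approved[r["login"]])))
    return out


def run_review(as_of_iso: str) -> dict:
    """Run all three checks on the constructed inputs as of the given date."""
    hr, listing, approved = load(HR_ROSTER), load(USER_LISTING), load(APPROVED_ACCESS)
    return {
        "terminated_still_enabled": terminated_still_enabled(hr, listing, date.fromisoformat(as_of_iso)),
        "generic_accounts": generic_accounts(hr, listing),
        "privilege_exceptions": privilege_exceptions(listing, approved),
    }


if __name__ == "__main__":
    for check, findings in run_review("2013-10-24").items():
        print(check)
        for f in findings:
            print("  ", f)
```

Each finding is a candidate exception to be discussed with management and referenced to a work paper. A disabled account belonging to a leaver (kpatel in the sample) is correctly not reported, while a leaver whose account is still enabled is reported with the number of days it has outlived the termination date, which is the figure that decides whether "timely" was met.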

6. Manage Data Access Views and Permissions

Related Risk: Access to sensitive data is not appropriately managed, resulting in the exposure of sensitive information to unauthorized parties, which may lead to financial and compliance related impacts.

6.1 Control Objective: Sensitive data is not accessible to unauthorized personnel.
Testing Procedures:
1. Inquire about the security program in place to protect sensitive data.
2. Verify that the following controls are in place to protect sensitive data:
- Access limited based on business need
- Access logging / monitoring
- Periodic reviews
- Periodic network scans

6.2 Control Objective: Sensitive data is not sent via corporate email in an unsecured format.
Testing Procedures:
1. Inquire as to the extent to which sensitive data is sent via email.
2. Discuss whether sensitive data has been sent over external email or IM.
3. Discuss and assess any email encryption solutions in place.

6.3 Control Objective: Sensitive data is not transferred via unsecured methods.
Testing Procedures:
1. Inquire as to the process for transferring sensitive data.
2. Confirm that information is encrypted prior to being transferred via unsecured methods.

6.4 Control Objective: Sensitive information does not leave the company’s network in the form of unencrypted removable media and storage.
Testing Procedures:
1. Inquire about the process to encrypt data.
2. Inquire about the backup process and determine how backup data is moved offsite.

6.5 Control Objective: Sensitive information is not uploaded or entered into a web site that does not protect the data.
Testing Procedures:
1. Inquire about the use of web applications in relation to sensitive data.
2. Assess the controls in place to protect the transfer and subsequent storage of sensitive information. Confirm that sensitive information transferred over unsecured mediums is encrypted prior to transmission.

6.6 Control Objective: Sensitive information does not leave the company’s network via bulk transfer to third parties in an insecure format.
Testing Procedures:
1. Inquire about bulk transfers related to sensitive data.
2. Assess the controls in place to protect transfers. Confirm that sensitive information transferred over unsecured mediums is encrypted prior to transmission.

6.7 Control Objective: Use of client data by third parties or consultants is managed.
Testing Procedures:
1. Discuss the process for sharing data with third parties or consultants.
2. Inquire as to how individuals are notified when their data is processed by third parties.
3. Discuss the process for reviewing third party contracts.
4. Discuss the process for sharing data with third parties.
5. Determine if third party processing takes place. If so, obtain and review the third party service level agreement for appropriate guarantees of sufficient measures.

6.8 Control Objective: Sensitive data is given to governmental authorities following the correct process.
Testing Procedures:
1. Inquire as to the types of external sensitive data requests that are made and the process by which these are fulfilled. Verify that this process complies with applicable regulatory requirements.
2. Confirm that any external data requests fulfilled followed the standard process in place.

6.9 Control Objective: Sensitive data is protected so that it is not lost through an external malicious act.
Testing Procedures:
1. Inquire as to the controls around the network.

6.10 Control Objective: Printing of sensitive data is restricted and printed output is adequately secured.
Testing Procedures:
1. Inquire as to policies regarding the printing of sensitive data.
2. Confirm that policies regarding the printing of sensitive data are appropriately communicated to employees.

6.11 Control Objective: Employees are restricted from access to sensitive hard copy and/or electronic data sources without a legitimate business need.
Testing Procedures:
1. Discuss the process to restrict access to data to users that need the information to perform their job functions.

7. Monitor User Authentication and Access Behavior

Related Risk: Inappropriate access and misuse of information assets goes undetected, resulting in negative compliance, reputational, and financial impacts.

7.1 Control Objective: Processes are in place to monitor authentication and access behavior for unusual or suspicious activity.
Testing Procedures:
1. Determine if processes are in place to monitor authentication and access behavior for unusual or suspicious activity. Consider the following layers or data touch points:
- Application specific
- Implemented for certain users and/or role groups
- Implemented for certain privileges
2. Determine if any real-time monitoring solutions exist to alert the security administrator or data steward when the system observes suspicious activity or inappropriate access. Select a sample of recent security activity that resulted from real-time monitoring and verify that the appropriate course of action was taken.
3. Determine if any passive monitoring processes are in place to detect unusual or suspicious activity. Note: passive monitoring involves taking snapshots of the current state of a system at regular intervals and comparing trends against a benchmark or defined set of criteria. Select a sample of recent security activity that resulted from passive monitoring and verify that the appropriate course of action was taken.
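The two monitoring styles described in steps 2 and 3 can be illustrated with the following Python script, an added example that is not part of the work program; its access log format, role-to-privilege table, thresholds and privilege snapshots are constructed assumptions. The real-time part evaluates rules per event as it arrives (a failure burst followed by a success, a privilege the user’s role group is not expected to use, off-hours access to a sensitive object); the passive part diffs periodic privilege snapshots against an approved baseline, which is the snapshot-and-compare approach the note in step 3 describes.

```python
"""Two monitoring checks for control 7.1. Added example, not part of the work
program: a real-time style rule set evaluated over an access log as events
arrive, and a passive check that compares periodic privilege snapshots with an
approved baseline. Log format, role table, thresholds and all records are
constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log: timestamp, user, outcome, object, privilege used.
ACCESS_LOG = """\
2013-10-24T02:05:11 asmith FAIL customers.pii SELECT
2013-10-24T02:05:13 asmith FAIL customers.pii SELECT
2013-10-24T02:05:14 asmith FAIL customers.pii SELECT
2013-10-24T02:05:16 asmith FAIL customers.pii SELECT
2013-10-24T02:05:17 asmith FAIL customers.pii SELECT
2013-10-24T02:05:20 asmith OK customers.pii SELECT
2013-10-24T09:12:01 jdoe OK orders.summary SELECT
2013-10-24T09:14:37 jdoe OK customers.pii EXPORT
2013-10-24T23:41:05 bwong OK customers.pii SELECT
"""

FAIL_THRESHOLD = 5                 # failures within FAIL_WINDOW that count as a burst
FAIL_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time (assumption)
SENSITIVE = {"customers.pii"}      # objects the classification scheme marks sensitive
ROLE_OF = {"jdoe": "analyst", "asmith": "analyst", "bwong": "dba"}
ALLOWED = {"analyst": {"SELECT"}, "dba": {"SELECT", "GRANT"},
           "admin": {"SELECT", "EXPORT", "GRANT"}}


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        ts, user, outcome, obj, priv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "outcome": outcome, "obj": obj, "priv": priv})
    return events


def realtime_alerts(events) -> list:
    """Rules evaluated per event, the way a real-time monitor alerts the data
    steward. Returns (timestamp, user, rule, detail) tuples."""
    alerts = []
    recent_fail = defaultdict(deque)   # user -> timestamps of failures in the window
    burst_open = set()                 # users with an unresolved failure burst
    for e in events:
        u, q = e["user"], recent_fail[e["user"]]
        while q and e["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
            q.popleft()
        if e["outcome"] == "FAIL":
            q.append(e["ts"])
            if len(q) >= FAIL_THRESHOLD and u not in burst_open:
                burst_open.add(u)
                alerts.append((e["ts"], u, "auth-failure burst",
                               f"{len(q)} failures in {FAIL_WINDOW.seconds}s"))
            continue
        if u in burst_open:            # first success after a burst: likely guessed credential
            burst_open.discard(u)
            if q:
                alerts.append((e["ts"], u, "success after failure burst", e["obj"]))
        if e["priv"] not in ALLOWED.get(ROLE_OF.get(u, ""), set()):
            alerts.append((e["ts"], u, "privilege outside role group",
                           f"{e['priv']} on {e['obj']}"))
        if e["obj"] in SENSITIVE and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["ts"], u, "off-hours access to sensitive data", e["obj"]))
    return alerts


# Constructed privilege snapshots taken weekly, plus the approved baseline.
BASELINE = {"jdoe": {"analyst"}, "asmith": {"analyst"}, "bwong": {"dba"}}
SNAPSHOTS = [
    ("2013-10-17", {"jdoe": {"analyst"}, "asmith": {"analyst"}, "bwong": {"dba"}}),
    ("2013-10-24", {"jdoe": {"analyst"}, "asmith": {"analyst", "admin"},
                    "bwong": {"dba"}, "svc_new": {"admin"}}),
]


def passive_drift(baseline: dict, snapshots: list) -> list:
    """Passive monitoring: diff each periodic snapshot against the approved
    baseline and report accounts or roles that appeared without approval."""
    drift = []
    for taken, snap in snapshots:
        for user, roles in snap.items():
            if user not in baseline:
                drift.append((taken, user, "account not in baseline", sorted(roles)))
            elif roles - baseline[user]:
                drift.append((taken, user, "roles added since baseline",
                              sorted(roles - baseline[user])))
        for user in sorted(baseline.keys() - snap.keys()):
            drift.append((taken, user, "account missing from snapshot", []))
    return drift


if __name__ == "__main__":
    for a in realtime_alerts(parse(ACCESS_LOG)):
        print("REALTIME", *a)
    for d in passive_drift(BASELINE, SNAPSHOTS):
        print("PASSIVE ", *d)
```

When sampling recent security activity for steps 2 and 3, the alert and drift tuples are the population to sample from: each one should trace to a ticket, a disabled account, a revoked role, or a documented decision that no action was required.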

8. Classify Information Confidentiality

Related Risk: Information is not adequately classified, resulting in inappropriate access to confidential information that may lead to financial or compliance related impacts.

8.1 Control Objective: Data is classified and secured according to its sensitivity.
Testing Procedures:
1. Determine if the organization classifies data according to its sensitivity (e.g., a data classification scheme). Inquire about the people who are responsible for evaluating and determining the appropriate confidentiality level of data.
2. Determine if the organization has defined prerequisite control requirements based on its classification scheme.
3. Select a sample of data repositories and verify that the data contained within those repositories has been appropriately classified and is controlled according to the organization’s standards.

9. Audit Data Security

Related Risk: Improvements and/or vulnerabilities are not identified, resulting in process weaknesses and business requirements not being met. This may lead to financial or compliance related impacts.

9.1 Control Objective: Independent assurance (internal or external) is obtained regarding the conformance of data security with relevant laws and regulations; the organization’s policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT.
Testing Procedures:
1. Inquire with management to determine the processes in place to obtain assurance that data security processes comply with applicable regulations, organizational policies, and best practices.
2. Review recent data audit reports and confirm that the following was addressed:
- Data security policy was analyzed against best practices.
- Actual practices were analyzed to ensure consistency with data security goals, policies, standards, guidelines and desired outcomes.
- Verification that the organization is in compliance with regulatory requirements.
- Review of contracts, data sharing agreements, and other obligations to ensure that vendors are meeting their obligations and that the organization is meeting its obligations.
- Reporting to senior management, data stewards, and other stakeholders, recommending data security design, operational, and compliance improvements.
