Let’s see if we can’t get the creative juices flowing by applying a little fusion cooking theory to the world of internal audit. Take some ingredients that don’t normally go together (or perhaps we have not thought of putting together before), throw them all in the wok and see what happens.
The recipe is data loss and data loss prevention (DLP) strategies and the ingredients include the battle-scarred thoughts of a Vietnam fighter pilot; should be interesting.
Data loss is high on the agenda and we don’t have to reel off a list of miscreants here to make the point. The HMRC loss alone was enough to spark a series of government-backed reviews and, hopefully, guidance for change. Output from these reviews already includes a Cabinet Office report, ‘Data Handling Procedures in Government: Interim Progress Report’, and, from the PWC-led Poynter Review, a ‘short progress report’.
It should come as no surprise that internal audit is going to carry a significant portion of the burden for getting this sorted, and they should expect to play a key role in the development and delivery of the organisation’s DLP strategy. It is for this reason that I thought we’d introduce OODA into the recipe as a means of thinking through some of the problems organisations face when it comes to protecting their data assets.
OODA, the acronym for Observe-Orient-Decide-Act, is a cyclical process coined by Col. John Boyd, an ex-U.S. Air Force fighter pilot. He developed the concept of the OODA Loop to describe a process for out-manoeuvring and defeating an opponent.
It has been much revisited by a wide range of interest groups including those in the information security sphere. Its essence is that when two combatants meet, the ability to defeat the opponent will be decided by the speed and accuracy with which each cycles through the OODA Loop (see table 1).
Let’s get a couple of precepts on the table. Internal audit’s role is to actively contribute to the economic, efficient and effective use of resources and to reduce the potential risks faced by the institution. One of those risks requiring mitigation is the failure to protect confidential, private data (it’s the law, and public knowledge of such a failure is always bad press and can hit the bottom line).
So how can internal audit use OODA as a management tool? By recognising that data loss – often the result of sloppy data management – is increasingly likely to be part of proactive criminal activity. Using OODA, this means we have to out-think our opponents, moving through the Loop by making better decisions and acting faster.
Tom LaSusa, writing in Information Week, suggests a useful mantra: "Every day we should do one thing to remind us that someone is out there, waiting for the right opportunity to steal customer information".
Network privacy audits carried out by iCompli and our technology partner PixAlert have shown us that the ‘right opportunity’ is often when confidential and sensitive data exists outside of current security measures. Examples include data on employees’ laptops, in e-mail correspondence and on users’ ‘home’ drives. Deploying a solution like ‘Privacy Auditor’ allows internal audit to greatly reduce the time taken to scan large, diverse data assets (network shares, desktop PCs, e-mail accounts), OBSERVING and ACTING at a faster pace than the opponent.
In a recent financial services client audit, 150,295 files were scanned in their Lotus mailbox environment, revealing 112 credit card numbers, 1,677 UK National Insurance numbers and 2,113 instances of post code related data (i.e. contact information).
A simple audit command could then immediately encrypt the data. In the words of one ex-Vietnam fighter pilot, this puts the client ‘inside their opponents’ OODA Loop’, reacting faster to the information observed and taking decisive action based on better information.
Now, should ‘fusion cooking’ be a little too rich for your tastes, you might like to think of this without the OODA framework. In responding to your organisation’s DLP challenge, you first need to know what confidential, sensitive personal data you have and where it is. Inertia, driven by the sheer scale of the problem (4,783,682 files were analysed in the financial services discovery audit), can lead to a dangerous false sense of security. If you don’t see anything, you don’t do anything.
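The discovery step described above, shown as an added example rather than the vendor tooling the article names (this is not code from iCompli, PixAlert or ‘Privacy Auditor’): a small scanner for the three data classes the audit reported, credit card numbers, UK National Insurance numbers and UK postcodes. The mailbox messages are constructed sample input; the postcode pattern is deliberately simplified; the Luhn check is the standard mod-10 test that removes most order and ticket numbers from the card matches; and only a masked form of each hit is kept, so the audit report does not itself become a copy of the confidential data.

```python
"""Pattern-based discovery of confidential data in free text (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample mailbox content, not data from the audit the article describes.
SAMPLE_MESSAGES = [
    "Hi Sam, please charge the deposit to 4111 1111 1111 1111, expires 09/27.",
    "Order ref 4111-1111-1111-1112 raised (not a real PAN, Luhn check fails).",
    "Payroll: new starter AB 12 34 56 C begins Monday, contract attached.",
    "Send the welcome pack to 10 Downing Street, London SW1A 2AA.",
    "Ticket #20240115 closed, invoice 1234567890123 paid.",
]

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# hyphens. The Luhn check below weeds out most order numbers and ticket ids.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# UK National Insurance number: two prefix letters (neither may be D, F, I, Q,
# U or V; the second may not be O; BG, GB, NK, KN, TN, NT and ZZ are not
# issued), six digits and a suffix letter A-D. Spaces between groups optional.
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b",
    re.IGNORECASE,
)

# UK postcode, simplified: outward code (area letters, district digit, optional
# sub-district letter) then inward code (sector digit, two unit letters).
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the report is not itself sensitive."""
    return "*" * (len(value) - keep) + value[-keep:]


@dataclass
class Finding:
    category: str
    message_index: int
    masked_value: str


def scan_text(text: str, message_index: int = 0) -> list[Finding]:
    """Run every detector over one message and return masked findings."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("credit_card", message_index, mask(digits)))
    for m in NINO_RE.finditer(text):
        nino = re.sub(r"\s", "", m.group()).upper()
        findings.append(Finding("uk_nino", message_index, mask(nino, 3)))
    for m in POSTCODE_RE.finditer(text):
        # A postcode alone is contact data rather than a secret; kept unmasked.
        findings.append(Finding("uk_postcode", message_index, m.group().upper()))
    return findings


def scan_messages(messages: list[str]) -> list[Finding]:
    """Scan a whole mailbox-style list of messages."""
    findings: list[Finding] = []
    for i, text in enumerate(messages):
        findings.extend(scan_text(text, i))
    return findings


def summarise(findings: list[Finding]) -> dict:
    """Counts per category, the figures an audit report would quote."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    report = scan_messages(SAMPLE_MESSAGES)
    for f in report:
        print(f"message {f.message_index}: {f.category} {f.masked_value}")
    print(summarise(report))
```

Two of the five constructed messages contain card-shaped digit runs that fail the Luhn check and are correctly dropped, which is the difference between a discovery scan whose numbers an audit committee can act on and one that buries real hits under noise. In a real engagement the same scan function would be fed file and mailbox contents rather than an inline list, and the findings would drive the encryption or removal step the article describes.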
Maintaining the status quo is a decreasingly viable long-term solution. The Cabinet Office’s ‘Interim Progress Report’, whilst admittedly thin on substance, waves some clear warning flags when it states “Legislative steps should be taken to enhance the ability of the Information Commissioner to provide external scrutiny of arrangements … the Government should commit in principle to the introduction of new sanctions under the Data Protection Act for the most serious breaches of its principles”.
So, if you’re stuck for ideas on how internal audit can fulfil its role in mitigating data loss risk, you might do well to remember the words of the French philosopher Émile Chartier: “Nothing is more dangerous than an idea, when it is the only one we have”.
We could have a few more ideas for you!
Duncan Smith is a Director of iCompli Limited and principal trainer on information law and privacy.
iCompli specialises in delivering real world compliance solutions in the arena of information law, privacy and corporate social responsibility.