A Business Technology Place

The data we see

What we see

When I was an intern in college I worked as a desktop service technician for computer support. I remember an internal financial auditor on the fourth floor of my building that I would occasionally help. Reese was much older than me, but took time to talk to me about life as I fixed his computer. I wish I would have appreciated it more at the time, but I was young and learning my way in a corporate environment.  I thought about him recently because the world of auditing and compliance is changing rapidly in the areas of security and availability of data. While Reese was making sure our company followed GAAP for our financial books I wonder what he would think about compliance controls for information security.

Our news feeds are filled with incidents, thefts, and breaches of company assets involving personal and protected information. A whole new generation of auditors is here to check compliance with controls for how we protect data like credit card numbers, health records, and education records. Identity thieves and hackers have created a gold-rush in recent years to steal data bits that when assembled correctly tell them about you and me. Digital gold.

What we do with it

Today, I have to answer the auditor’s questions about controls in the audit. Unlike my time with Reese, I’m no longer part of the auditor’s day to fill time with a nice break and chit-chat. When I am answering an audit, I often try to really understand the basis of a control or as I as the “spirit” of what the control is trying to achieve (auditors don’t always like this, they’re often a bit stiff).

But here’s my take. The essential question behind the myriad of compliance controls is “what do we do with and how do we protect the data we see in our jobs?”  The intention of the controls is to modify our behaviors to take greater care of the data we see. To do this we have to modify our behavior to treat the data we see like our personal accounts. That means we have to consider who has access to the data. We have to consider the classification of the data we see (confidential, private, restricted, public, etc.) and take action to protect the data in storage and transit.

Thieves rely on our inconveniences to be successful. Restricting access to data in storage and transit is rarely convenient. It requires we think, classify, and take action. It could mean we need to password protect a file, use a secure site for sending a file to a customer, or check to make sure the network folder is only accessible to people in our immediate workgroup. But it doesn’t stop there; sometimes we need to challenge people asking for information.  Tailgating and phishing are made possible because it is uncomfortable for us to challenge people.

Behaviors worth changing

One thing is certain. We are stewards of the data we see each day. Our customers expect us to treat the data with confidentiality and care as if it were own personal data. Forming good habits in data security is worth a little bit of hassle. So here are some practical steps I can offer to help us be better stewards of the data we see each day at work:

  • Take the annual Information and Security Awareness training seriously. Much of the information will repeat each year, but it serves as reinforcement for good habits and the tactics used by thieves.
  • Be cognizant of the data we handle. Classify the data and treat it accordingly. This may mean marking the data classification on documents, storing data in secure places, or using encrypted controls for transferring data to others.
  • Challenge others who ask for access to data. Make sure they truly need access to the data to complete their assigned job function. Make sure they understand the classification of the data.

It’s rarely convenient. But it’s worth the effort.

Onward and upward!

Photo credit: Robert Couse-Baker via creative commons

How to use SharePoint to create audit trails

Show me the evidence.

I think auditors chuckle inside when they say “show me the evidence.” It’s part of their craft to seek and inspect. Over the past several years I’ve been giving documentation and evidence to auditors for various IT controls. With regard to policies, procedures, and standard practices auditors want to see more than a one-time pieces of evidence. They want to see proof that the behavior is happening on a regular basis. It’s the classic audit trail.

SharePoint – Love it. Hate it.

I’ve had my moments with SharePoint on a few items related to workflow. But one valuable attribute I’ve found with the tool is the ability to version documents and lists. This capability creates the perfect audit trail and evidence proof.

Example 1 – Annual Policy Updates

I keep version information in two places for policy documents. The first is in the document header. This shows the date of the policy, the last review date, and a version number. You can do this part without SharePoint.

 

 

The second place is in the version of the SharePoint document. First make sure that versioning is turned on for the document repository (one-time setup). Go to the library settings and select versioning settings. Then fill-in the specifics for how you want the versions to be incremented and how many versions to keep.

 

 

Each time I edit a document I use the check-out for editing feature. Then I apply my changes and when I check the document back-in SharePoint prompts for a summary of the updates. Each time this happens a new version of the document is created and logged.

 

To see the previous versions and comments select the version history from the document selection menu.

 

Example 2 – Production Change Updates

I use a SharePoint list to track requests and approvals for production change updates. As with documents, make sure the list has version control turned on by going to the list settings and enabling versioning.

 

The version history for a list shows the dates of the field updates and which specific fields were updated. It also keeps the name of the person who updated the fields (redacted in my example).

 

 

This is a simple way to keep history of policies, procedures, and updates. Having this available and ready to show an auditor makes the audit process a little easier.

Onward and upward!