Auditors Tackle New Tech Challenges

Monitoring Social Media, Mobile Devices Are New Priorities

By Upasana Gupta, April 10, 2012.

With the rapid growth in the use of social media and mobile devices, monitoring these channels has become a priority for IT auditors as they're held accountable for helping to manage the risks involved.

"Our role as auditors is expanding with social media and mobile," says Thomas Andreesen, partner with Protiviti, an IT risk and audit consultancy. "We now have to actively determine if a good data governance program is in place to oversee what's being done to handle sensitive information, secure more exit points and create ownership and accountability of data."

Social media, mobile devices and the bring-your-own-device trend "provide for more exit points for sensitive data," says Richard Knight, a senior manager in risk consulting at the consulting firm KPMG, U.K. If the transmission of this data is not controlled, he says, organizations risk damaging their reputations as well as violating increasingly strict data privacy laws.

As IT auditors take on new responsibilities for monitoring the use of social media and mobile devices, they're helping to create privacy and security policies for these new channels. As a result, auditors need to:

  • Become better informed about social media use;
  • Get involved in conducting risk assessments for these channels;
  • Learn about emerging monitoring technologies; and
  • Leverage data classification.

Evolving Role of Auditors

With the explosive growth in the use of social media and mobile devices, Andreesen says, auditors "are now more absorbed in understanding new technologies and employing technology-enabled auditing processes."

Marc Vael, a board member and director at ISACA, a worldwide auditors' association, offers a similar perspective: "Our dimensions have increased multifold. I am frequently being asked, 'What data leakage technologies have I considered to protect information on these channels?'"

At Raytheon, a U.S. defense contractor, Anita Helpert, an IT auditor, monitors the online activity of the company's 70,000 employees by using the company's self-developed monitoring system called SureView. For example, she pinpoints when employees transmit unencrypted sensitive information and monitors websites visited and information shared. When the monitoring system detects, for example, suspicious attempted uploads to an external site, it triggers an alert and stores data for an investigation.

Helpert is a member of Raytheon's IT leadership team, helping to develop security strategies for mobile devices and social media. She contends that auditors "need to be an integral part of IT and understand IT strategy" to be successful in helping assure the security of new channels.

When it comes to mobile devices, Knight says, "the auditor needs to work with IT closely to determine what tools can be used to monitor data download onto these devices to ensure it remains in line with corporate policy."

Risk-based Approach

Auditors must help adopt a comprehensive, risk-based approach to monitoring social media and mobile devices. "Unlike certain other areas of technology, social media and mobile are used across the organization, and this creates new enterprise-wide risks, which auditors now specifically need to address," Andreesen says.

Larry Harrington, chief audit executive at Raytheon, adds: "The key challenge with social media and mobile is to understand technology and its impact on key stakeholders to protect their data, execute proper controls, identify gaps and then take corrective action."

Important Steps

As they develop strategies to monitor social media and mobile devices, auditors must take several steps, experts say. These include:

  • Develop a better understanding of social media. A recent Protiviti study on 2012 internal audit capabilities shows that auditors need to develop a better understanding of social media, the risks involved and the policies to help mitigate risks. "Auditors need to have a driving desire to learn and try out social media capabilities on their own so that they can learn about the challenges first hand," Andreesen says.
  • Play a role in risk assessments. Auditors must help perform a comprehensive risk assessment, or leverage existing risk assessments, for social media and mobile devices. "Without understanding the risks to the organization, it is very difficult to form a relevant view on how information should be controlled across such devices and channels," Knight says.
  • Learn about emerging technologies. To effectively monitor employee behavior and implement controls on these channels, auditors need training on the latest data extraction, data analytics and data loss prevention tools, Helpert says.
  • Leverage data classification. Data can be classified according to its critical value or how often it needs to be accessed. Auditors need to understand how to review this categorization to help determine if any information potentially leaving the organization through mobile devices or social networks is sensitive, and what controls need to be put in place.

Harrington encourages auditors to join professional associations, such as The Institute of Internal Auditors, and work closely with IT staff to learn about the latest technologies.

"It is only by continuous learning and active collaboration we can be effective in our roles as auditors and understand the link between IT, social media, mobile devices and the associated risks," he says.
