June 15, 2013 5:19 PM
Posted by: Robert Davis
Tags: Accountability, Administrative Control, Audit Oversight Committee, Compliance Management, Control Evaluation, Due Care, Due Diligence, Fiduciary Responsibility, Framework, Governance, Government Agencies, Illegal Acts, Information Assets Protection, Laws and Regulations, Management, Safeguarding

Government-sponsored laws and regulations can influence auditor conduct and impose IT audit practice requirements. Therefore, applying ISACA’s Professional Ethics and Standards, an IT auditor “should maintain the highest degree of integrity and conduct, and not adopt any methods that could be seen as unlawful, unethical or unprofessional to obtain or execute audit assignments.” Given ISACA’s assurance service standard, which requires general members and certified individuals to avoid transgressing government-imposed mandates, practicing IT auditors should keep current with the information assets protection (IAP) laws and regulations that apply to them.
Source:
U.S. GAO. Government Auditing Standards. Rev. ed. Washington, DC: Government Printing Office, 2007. http://www.gao.gov/govaud/d07162g.pdf (accessed April 21, 2008).
June 10, 2013 2:30 AM
Posted by: Robert Davis
Tags: Accountability, Administrative Control, Audit Oversight Committee, Compliance Management, Control Evaluation, Due Care, Due Diligence, Fiduciary Responsibility, Framework, Governance, Government Agencies, Illegal Acts, Information Assets Protection, Laws and Regulations, Management, Safeguarding

Generally, audit has a responsibility for ensuring that (1) independence and objectivity are maintained in all phases of assignments, (2) professional judgment is utilized in planning approaches, performing procedures, and reporting the results of engagements, (3) work is conducted by personnel who are professionally competent and who collectively have the necessary skills and knowledge, and (4) an independent peer review is periodically performed, resulting in an opinion on whether the audit quality control system is designed and operated to provide reasonable assurance of conformance with professional standards as well as legal mandates.
Source:
U.S. GAO. Government Auditing Standards. Rev. ed. Washington, DC: Government Printing Office, 2003. http://www.gao.gov/govaud/d07162g.pdf (accessed April 21, 2008).
June 7, 2013 4:20 AM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

An entity in a multiple-compliance scenario may benefit from developing a centralized oversight function that evaluates controls across all compliance arenas, interfaces with the auditors for each compliance area, and provides direction on the most cost-effective controls that maximize total compliance benefit.
June 3, 2013 3:16 AM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Generally, there are three main dimensions to jurisdiction decisions: procedural, substantive, and enforcement issues. Procedural jurisdiction considers which court or state has the proper authority. Substantive jurisdiction determines which rules should be applied. Enforcement jurisdiction addresses how court decisions should be implemented. The principal criteria employed when establishing jurisdiction in particular cases are:
- Personal Link – normally considered as the state’s right to govern its citizens wherever they might be located;
- Territorial Link – generally presented as the state’s right to govern persons and property within its geographical domain;
- Effects Link – usually defined as the state’s right to rule on the economic and legal outcomes regarding a particular territory, stemming from activities conducted elsewhere.
Source:
Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).
June 1, 2013 1:43 AM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

International jurisdiction is based predominantly on the geographical division of the world into national territories. Within these geographical divisions, each established government has the sovereign right to exercise magistracy over its territory. However, if a citizen of one country commits an IT-related crime in another country, problems may arise upon detection of the illegal act when the perpetrator is residing in their home country at the time the violation is discovered. For instance, when attempting to convict computer-related crime suspects, many countries resist extraditing their nationals. In such situations, feasible legal strategies include extending existing rules to extraterritorial jurisdiction or changing the venue of proceedings, with the aim of creating the prerequisites for successful prosecution in at least one jurisdiction linked to the illegal act. Collaboratively, mutual assistance agreements, extradition laws, recognition and reciprocity provisions, transfers of legal proceedings and other international cooperation in matters relating to IAP may help resolve extraterritorial jurisdictional issues during violation investigations, apprehension of perpetrators and court appearances.
Source:
Generally Accepted Information Security Principles Committee. GAISP V3.0. N.p.: Information Systems Security Association, 2004.
May 25, 2013 11:51 PM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Since contracts, transactions and disputes relating to information assets can involve parties, actions and evidence in multiple distinct jurisdictions, it may be advantageous for entities to clarify existing rules or presumptions regarding the laws pertinent to IAP. Additionally, assuming disputes related to IAP may involve complex factual situations as well as parties, actions and evidence that span multiple jurisdictions, it may be necessary to develop non-judicial means, including arbitration, for resolving issues.
Source:
Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).
May 25, 2013 11:43 PM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Intellectual property laws address something produced by the mind, of which the ownership or right to usage is legally protected. Intellectual property can denote knowledge-based assets as well as capital, including information or data that can result in intellectual capital extending to ideas, designs and innovations howsoever expressed or recorded. Intellectual capital is designated as intangible for such items as product innovation, customer loyalty, employee morale, patents and trademarks.
Source:
Allen, Steve. “Safeguarding Proprietary Information: The Protection of Intangible Assets.” Business Defence Europe, Summer 2001.
Commission on Guidelines. Information Asset Protection Guideline. Alexandria, VA: ASIS International, 2007. http://www.asisonline.org/guidelines/guidelinesinfoassetsfinal.pdf (accessed April 21, 2008).
May 20, 2013 12:56 AM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Data privacy laws dictate adherence to the trusts and obligations associated with any information connected to an identified or identifiable data subject. Personal data privacy generally refers to information that can be associated with a specific individual, or that has identifying characteristics that might be combined with other information or data to identify a specific individual. Sensitive personal data may include items classified as individual preferences, habits, racial or ethnic origin, as well as financial or medical condition.
Source:
ISACA. “Privacy.” In Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals. Rolling Meadows, IL: ISACA, September 2005. http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40571 (accessed May 3, 2008).
Shackelford, Kerry. “eSAC: Privacy Principles.” ITAudit, July 1, 2002. http://www.theiia.org/ITAuditArchive/index.cfm?act=ITAudit.archive&fid=464 (accessed April 22, 2008).
May 17, 2013 1:49 AM
Posted by: Robert Davis
Tags: Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks

Security laws can decree the required degree of protection for property, usually based on governmental interest. Specifically, information security laws may outline control measures to prevent unauthorized access to devices that process sensitive data. Such directed data control measures can also encompass peripheral equipment considered important for compliant protection. Consequently, IT resources should be managed under an approach that prevents potential breaches of the applicable data-handling requirements for the defined subject matter.