Most companies that handle consumer data are subject to some kind of compliance regime, such as an ISO, GLBA, HIPAA or RBI framework, against which periodic compliance audits are conducted.
For example, an audit of the handling of credit card transaction data in a bank would include checking the perimeter security of the systems the data resides on, checking the encryption used to store the data, and looking at each input and output point that touches the data (each output point is treated as a risk and measured with the same thoroughness as the core system), including checking the level of access each role or employee has to that data. An audit of such data will also include checking the backup process, up to and including following the backup tape in the armoured van all the way to the backup vault.
An audit such as the above recognises that a leak from any part of the system renders the strength of the rest of the system useless. In situations such as the above, the bank owns or tightly controls the entire value chain, from the input of the data all the way to archive and storage. At no point is the data in the hands of a third party without that third party being tied down with draconian penalty clauses for any leak, for any reason.
When the information is resident within a specified boundary, an information audit becomes a comprehensive information systems audit. Now take the example of an audit of a high-volume transactional website that engages third-party shipment companies (to ship products bought on the website) and third-party call centre support personnel, and often uses third-party business intelligence companies to give insights into customer behaviour and purchase patterns. In each of these cases, the data is shipped out or made available in real time.
Auditing third parties in such cases becomes near impossible, as they are usually scattered around the globe and subcontract to work-at-home employees, and urgency of requirements or cost constraints have ensured that the third parties are seldom compliant with industry-standard security practices.
Once the information has left your system, any checks done on the system are rendered useless, and no traceability directly translates to no accountability. The information is not really contained within any perimeter, and an information audit would ideally cover all the systems the information touches through its life cycle. This may include internal and external systems. This is clearly a very difficult job. In this case, an information systems audit is a poor way of performing an information audit.
The thinning of the enterprise perimeter is forcing organisations to perform an information audit over and beyond an information systems audit. Beyond the semantics, this shift is a fairly fundamental paradigm shift. Focusing the audit on the asset (information) rather than the cost base (systems) looks like the right approach, but it is not easy. An information audit would cover the whole life cycle of information, from creation to destruction.
There will be no real ‘boundary’ to this audit, since the information will span perimeters, countries, companies, applications, networks and devices. With present-day systems it is difficult even to know where the information goes, so such an audit looks like a distant dream. A ‘borderless’ audit of this kind would require processes and technologies capable of tracking and controlling information usage across perimeters and of providing a central view of information usage throughout its life cycle.
Information Rights Management (IRM) systems provide a mechanism by which the use of unstructured information such as documents, emails and drawings can be audited both within and outside the enterprise. The good thing is that IRM systems are readily available and can be deployed without a lot of changes. The not-so-good thing is that IRM systems, for now, are restricted to unstructured information such as documents and emails and do not cover databases.
The author is CEO, Seclore.