Maintaining data security has become more challenging in recent years. Many countries have passed and adopted comprehensive laws dealing with this issue, and others are debating the necessity of doing so. For instance, the European Union (EU) enacted the General Data Protection Regulation (GDPR) on 25 May 2018, covering the entire EU and countries that do business with it. Some developed and emerging economies have adopted a comprehensive, EU-style approach to data protection, while other countries, such as the United States, have just started debating the urgent need for a national data protection law.
As the issue of data protection is debated, all enterprises, regardless of jurisdiction and sector, should remember that they may already have a basic line of defense when the time comes to embrace whatever new laws are enacted: It is the 2013 Internal Control—Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which integrates enterprises’ operations, reporting and compliance objectives. Applying this framework can help organizations achieve their data security goals.
A COSO Approach to Data Security
COSO is a group of five private-sector organizations—the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives International, the Institute of Management Accountants and The Institute of Internal Auditors—dedicated to providing leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. COSO’s Internal Control—Integrated Framework, originally developed in 1992, helps enterprises design and implement systems of internal control.1 The 2013 version of the Internal Control—Integrated Framework broadened its application by addressing operations and reporting objectives and clarified the requirements for determining what constitutes effective internal control.
The framework integrates three types of objectives: operations, reporting and compliance. Depending on the nature of the enterprise, data security may be either directly related to each individual objective or intertwined with any combination of the three. The integrated approach lessens complexity, allowing enterprises to achieve their data security goals concurrently with other organizational objectives.
The 2013 Internal Control—Integrated Framework is principles based, extensive in coverage and suitable for a wide range of enterprises. The five components of the original 1992 framework have not changed: control environment, risk assessment, control activities, information and communication, and monitoring activities. The 2013 version divided the fundamental concepts of the 1992 version into 17 principles, each of which is suitable for all entities, regardless of jurisdiction and sector.2 This renders the 2013 Internal Control—Integrated Framework more applicable and more comprehensive than any other framework dealing with data security. The following details each of the five components of the COSO Internal Control—Integrated Framework to illustrate how data security measures can be built into this framework to help enterprises achieve their data security goals.
Control Environment
The control environment is the foundation of all the other components of the framework. Setting the right tone at the top is crucial for the management of data security. Data privacy is contingent on security, and security is a management issue, not only an information and technology issue. Enterprises need to include data security in their mission or value statements. Corresponding procedures and policies should be established based on job descriptions, not individuals. In 2014, Yahoo suffered a data breach affecting 500 million users due to improperly protected passwords.3 In May 2014, eBay reported that hackers used the credentials of three corporate employees to gain access to sensitive information for 229 days.4 If Yahoo and eBay had implemented adequate control environments, these incidents could have been prevented.
The control environment requires management to make a commitment to integrity and ethics in the area of data security. Independent of management, the board of directors should exercise oversight of organizational structures, reporting lines and responsibilities to ensure data security. The enterprise should be committed to attracting, developing and retaining competent individuals who are held responsible and accountable for data security. For example, in September 2015, California (USA)-based Systema Software suffered a data breach not due to hackers but due to an internal error during a system upgrade when data storage was set up improperly and data became publicly available on the Internet.5 Arguably, had Systema Software hired competent employees and held them accountable, this incident might have been avoided.
Risk Assessment
A risk assessment is the process of identifying, analyzing and assessing risk factors associated with the enterprise’s data. Each enterprise must identify, analyze and manage risk related to data security. Risk is ubiquitous and continually evolving. This is especially true when the operating environments of the enterprise, both internal and external, are undergoing dramatic changes, such as changes in the control environment or changes in management. Managing risk demands a commitment to identifying and analyzing new risk factors and acquiring or developing new control mechanisms to thwart ongoing threats to data security.
There are four possible responses to risk: avoid, accept, reduce or share.6 All enterprises have some data, big or small. It is very unlikely that an enterprise can opt to avoid risk altogether by not keeping any data. Hackers are constantly seeking ways to evade data security systems, and simply accepting this risk exposes an enterprise to too much liability. Establishing and implementing a system of internal control to safeguard data and reduce the risk from within is the appropriate approach. Enterprises need data to generate useful information, but collecting unnecessary data that are not used incurs storage costs and creates the risk of data leakage. Therefore, enterprises need to be very cautious when determining whether they need to collect data and, if they do, planning for the appropriate deletion of data when they are no longer needed.
Risk can also be shared with customers, who should always protect and monitor their private information. Customers should address any suspected privacy breach immediately, such as by calling the credit card company and requesting a credit watch or suspension of the account.
Control Activities
Control activities are actions enterprises take to prevent, detect and correct incidents that are likely to happen, are happening or have already happened. There are two approaches to data security: defense in depth and a time-based model.7 Defense in depth means that an enterprise has several layers of defense to fend off perpetrators’ attacks. If one layer of defense is broken, additional layers are in place to thwart an attack or at least allow the enterprise more time to take corrective actions. The time-based model verifies whether the enterprise’s security system is essentially secure. It compares the time it takes an attacker to break through the enterprise’s preventive defenses (P) with the sum of the time the enterprise spends detecting (D) and correcting (C) the issue. If P > (D+C), the system is secure. These three aspects of control—prevention, detection and correction—are discussed in the following sections.
Preventive Controls
Creating a security-conscious culture is key to achieving data security. The top management team must communicate the enterprise’s security policies, and it must lead by example. Security awareness training is an effective preventive control. Involvement of the human resources (HR) department is critical in organizing initial training for new hires and refresher courses for employees on a regular basis.
The following sections discuss some of the fundamental types of preventive controls.
User Access Controls
Authentication and authorization are important control mechanisms. Authentication is a process to verify the identity of the person or device attempting to access the system. The goal is to ensure that only legitimate users can gain access to the system. Authentication can be achieved by using three types of credentials:8
- Something employees know, such as a password or personal identification number (PIN)
- Something employees have, such as an employee identification card
- Some physical or behavioral characteristic, such as fingerprints or typing patterns
Deloitte, for example, experienced a data breach in March 2017 after failing to employ two-factor authentication.9 Hackers acquired a single password from an administrator for the firm’s email account, giving them access to all areas of the email system.
Authorization is a process of restricting authenticated users’ access to specific portions of the system and limiting the actions they are permitted to perform. This type of control is closely related to the job description of each position in the enterprise. It also demonstrates the importance of initial job training by the HR department.
Encryption and Hashing
Data encryption is an effective preventive control to ensure data security. Encryption is a process of transforming normal text, or plain text, into unreadable gibberish, or cipher text. For the recipient to read the message, decryption must be performed, transforming the cipher text back into plain text.
Encryption is the only preventive approach to data security when data are in transit or in storage. In 2016, the headquarters of Premier Healthcare, located in Bloomington, Indiana, USA, experienced a data breach when a laptop computer belonging to the billing department was stolen. The laptop, which contained sensitive information about more than 200,000 patients, was protected by a password, but the data were not encrypted.10 Encrypting those data may have prevented the data breach.
Several factors influence the strength of encryption: key length, encryption algorithm and management of cryptographic keys. Longer keys provide stronger encryption, and a strong algorithm is very unlikely to be broken using brute-force guessing techniques. Cryptographic keys must be stored securely and protected with strong access controls. Enterprises also need sound policies and procedures for issuing and revoking keys.
There are two types of encryption systems: symmetric and asymmetric. Symmetric encryption systems use the same key for encryption and decryption. Asymmetric encryption systems use two different keys: a public key and a private key. Symmetric encryption is much faster than asymmetric encryption in transmitting data, and it is used to encrypt large amounts of data.
Asymmetric encryption is safer in terms of managing the keys. It can also be used to create digital signatures with a hashing algorithm. Hashing is a process of transforming plain text of any length into a short code called a hash. Unlike encryption, this process is not reversible. Since hashing is very sensitive to the integrity of the original data, it can be used with asymmetric encryption to acquire digital signatures on binding contracts.
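The hash-then-sign construction described above, as an added example that is not from the article: it uses Go’s standard-library SHA-256 for the hash and Ed25519 (a signature scheme built on an asymmetric key pair, not an encryption algorithm) for the signature. The contract text and the key pair are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is the hashing step: contract text of any length collapses into a
// fixed 32-byte SHA-256 code, and changing a single character changes the
// code completely. The digest cannot be reversed to recover the text.
func Digest(contract []byte) [32]byte {
	return sha256.Sum256(contract)
}

// SignContract is the asymmetric step: only the holder of the private key can
// produce this signature over the digest.
func SignContract(priv ed25519.PrivateKey, contract []byte) []byte {
	d := Digest(contract)
	return ed25519.Sign(priv, d[:])
}

// VerifyContract lets anyone holding the public key check both who signed and
// that the text has not changed since signing: a tampered contract hashes to a
// different digest, so the signature no longer matches.
func VerifyContract(pub ed25519.PublicKey, contract, sig []byte) bool {
	d := Digest(contract)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	// Constructed demo key pair; in practice the private key lives in protected storage.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	contract := []byte("Buyer pays USD 10,000 on delivery.")  // constructed contract text
	tampered := []byte("Buyer pays USD 100,000 on delivery.") // one extra digit

	sig := SignContract(priv, contract)
	d1, d2 := Digest(contract), Digest(tampered)
	fmt.Println("digest(original):", hex.EncodeToString(d1[:]))
	fmt.Println("digest(tampered):", hex.EncodeToString(d2[:]))
	fmt.Println("original verifies:", VerifyContract(pub, contract, sig)) // true
	fmt.Println("tampered verifies:", VerifyContract(pub, tampered, sig)) // false
}
```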
Social Engineering Controls
Social engineering is a deceptive process used by hackers to obtain unauthorized access to confidential data.11 It involves the use of techniques or psychological tricks to convince victims to comply with the attackers’ instructions to gain access to a building, computer, server or network. Attackers often appeal to certain human traits—compassion, greed, sex appeal, sloth, trust, vanity—to entice victims to grant access to confidential data.
Social engineering attacks often take place over the telephone or via email. For example, the attacker may impersonate an executive who is unable to obtain remote access to important files. On 3 March 2016, attackers pretending to be Snapchat Chief Executive Officer Evan Spiegel simply requested and received sensitive employee information, including names, US Social Security numbers and payroll information.12 In March 2011, RSA Security reported that two separate hacker groups collaborated with a foreign government to launch a series of phishing attacks against RSA employees, posing as people the employees trusted to penetrate RSA’s network.13
Awareness training can help identify and prevent social engineering. Employees should be instructed to:
- Never let people follow them into a restricted building.
- Never log in for someone else on a computer, especially if the employee has administrative access.
- Never provide sensitive information over the telephone or through electronic devices.
- Never share passwords.
- Be cautious of unknown people who are trying to gain access through employees.
Preventive IT solutions include installing firewalls, intrusion prevention systems and antimalware software to minimize the possibility of attacks.
Enterprises can also harden their software and hardware by configuring or disabling unnecessary functions.
Detective Controls
Ongoing detective measures should be taken to identify potential attacks. Attackers may be more adept at attacking a system than the enterprise’s IT staff is at defending it. In the time-based model mentioned earlier, if P < (D+C), the system is not secure. For example, in November 2018, Marriott International announced that cyberthieves had stolen the private information of 500 million customers. The attackers remained in the system for about two years before being detected.14
Two fundamental types of detective controls are:
- Log analysis—A process of examining logs to identify evidence of possible attacks or abnormal access to the system.
- Penetration testing—An authorized attempt to break into the enterprise’s information system, usually performed by an independent specialized tester who is familiar with the system. The strength of the system is tested, and if problems are identified, the internal IT team or outside IT personnel should write new code or programs to fix the vulnerabilities.
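Log analysis as described in the first item above, as an added example that is not part of the article: a small Go detector over a constructed authentication log (the line format, user names and IP addresses are invented) that flags a burst of failed logins from one source and a success that follows it, and reports the detection latency D from the time-based model.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ParseLine reads one line of the constructed format
// "<RFC3339 time> <user> <source IP> <LOGIN_OK|LOGIN_FAIL>" and returns the
// event time, a "user@source" key and whether the login succeeded. Malformed
// lines are rejected (valid=false) instead of halting: real logs contain noise.
func ParseLine(line string) (at time.Time, key string, ok, valid bool) {
	f := strings.Fields(line)
	if len(f) != 4 || (f[3] != "LOGIN_OK" && f[3] != "LOGIN_FAIL") {
		return
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return
	}
	return at, f[1] + "@" + f[2], f[3] == "LOGIN_OK", true
}

// Detect flags, per user/source pair, a burst of at least threshold failures
// inside window, and any success that follows such a burst (a guessed or stolen
// password in use). The burst alert carries the detection latency D since the
// first failure, the D term of the time-based model P > D + C.
func Detect(lines []string, threshold int, window time.Duration) []string {
	fails, burst := map[string][]time.Time{}, map[string]bool{}
	var alerts []string
	for _, line := range lines {
		at, key, ok, valid := ParseLine(line)
		if !valid {
			continue
		}
		if ok {
			if burst[key] { // success right after a failure burst
				alerts = append(alerts, fmt.Sprintf("SUCCESS_AFTER_FAILURES %s at %s", key, at.Format(time.RFC3339)))
				burst[key], fails[key] = false, nil
			}
			continue
		}
		fails[key] = append(fails[key], at)
		for at.Sub(fails[key][0]) > window { // slide the window forward
			fails[key] = fails[key][1:]
		}
		if len(fails[key]) >= threshold && !burst[key] {
			burst[key] = true
			alerts = append(alerts, fmt.Sprintf("BRUTE_FORCE %s failures=%d D=%s", key, len(fails[key]), at.Sub(fails[key][0])))
		}
	}
	return alerts
}

// SampleLog is a constructed excerpt: a guessing burst against "admin" from
// 203.0.113.7 that ends in a successful login, benign activity, and one bad line.
var SampleLog = []string{
	"2018-05-01T08:00:00Z alice 192.0.2.10 LOGIN_OK",
	"2018-05-01T08:00:05Z admin 203.0.113.7 LOGIN_FAIL",
	"2018-05-01T08:00:06Z admin 203.0.113.7 LOGIN_FAIL",
	"2018-05-01T08:00:09Z admin 203.0.113.7 LOGIN_FAIL",
	"2018-05-01T08:00:15Z admin 203.0.113.7 LOGIN_OK",
	"2018-05-01T08:01:00Z bob 192.0.2.11 LOGIN_FAIL",
	"2018-05-01T08:01:20Z bob 192.0.2.11 LOGIN_OK",
	"garbage line",
}

func main() {
	for _, a := range Detect(SampleLog, 3, time.Minute) {
		fmt.Println(a)
	}
}
```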
Corrective Controls
The position of chief information security officer (CISO) should be created (if it does not already exist in the organization) to take the leadership role in implementing corrective measures to minimize the damage of a data breach, whether reputational or monetary. A computer incident response team can help the CISO achieve this goal.
Patch management is a corrective process whereby new programs or code, called patches, are written to fix loopholes or vulnerabilities in current programs. For example, Equifax, one of the three largest US credit agencies, suffered a data breach in 2017, potentially affecting 143 million consumers.
Hackers were able to break into its system from mid-May to July by exploiting a weak point in its website software.15 Equifax immediately took corrective action by writing patches to fix the vulnerabilities in the affected software.16
Information and Communication
The information and communication component requires enterprises to have a securely configured system to collect, store, process and communicate data and information internally and externally. The information system should be robust enough to secure data, and it should collect only the data needed and allowed.
Internal and external communications about the policies and procedures related to collecting private information should be clear. An enterprise should provide notice about its privacy and security policies and practices either before it collects or at the time of collecting data. The notice should clearly explain what data are being collected, the reasons for the collection and how the data will be used. Customers should be given the choice of opting in or out, and their consent should be obtained before the actual collection of any personal information. The enterprise should use and retain the collected data in the manner stated in its policies and procedures, and it should maintain the accuracy of collected personal information. Customers should be entitled to access, review, correct and delete their personal information. When data are disclosed to a third party, the enterprise should clearly state so and ensure that the third party provides at least the same level of privacy and security protection as the enterprise itself.
Incidents of data privacy and security breaches should be disclosed in a timely and professional manner, and appropriate liability should be established and disclosed to customers. Uber learned in late 2016 that two hackers were able to get the names, email addresses and mobile phone numbers of 57 users of the Uber application. They also got the driver’s license numbers of 600,000 Uber drivers. Uber did not make the breach public until about a year later. To make matters worse, Uber paid the hackers US$100,000 to destroy the data, with no way to verify that they did so.17 Target stores suffered a data breach in 2013, compromising the personal information of 110 million people. Target was later credited with making significant security improvements. However, these improvements focused on keeping hackers out instead of improving Target’s incident response.18 VeriSign suffered a data breach throughout 2010 but never announced the attacks. The incidents did not become public until a quarterly US Securities and Exchange Commission (SEC) filing in 2011, as if this were just another tidbit of mundane information.19
Monitoring Activities
Monitoring activities evaluate current data security practices and provide feedback for their improvement. Internal and external monitoring activities should be in place to protect data security. CISOs and their teams can fulfill this function on a regular basis. Teams should cooperate with the internal audit function to investigate all data security issues identified and collect feedback related to these issues to improve data security. Google Inc.’s data privacy breach in March 2011 is a typical example of a poorly executed internal audit function. Google made deceptive representations and violated its own security policy when it launched its social network, Google Buzz, in 2010.20 Enterprises should learn from their mistakes and take steps to improve their data security.
Independent external audits add another layer of assurance for customers whose private information has been collected. Voluntary external audits signify an enterprise’s commitment to data security.
However, data breaches can result in mandatory external audits. For example, Google’s 2011 data breach led the US Federal Trade Commission (FTC) to require Google to implement a comprehensive privacy program to protect consumers’ personal information and to undergo independent privacy audits for the next 20 years.21
Conclusion
The global community has witnessed the enactment and adoption of several comprehensive national data security laws in recent years. As other nations debate the necessity of such laws and organizations move to be compliant with them, they should not overlook COSO’s Internal Control—Integrated Framework. Effective and efficient data security management can be achieved through the comprehensive implementation of the five elements of the COSO Internal Control—Integrated Framework: a proper control environment, an accurate risk assessment, appropriate control activities, clear information and communication policies, and effective monitoring mechanisms.
Endnotes
1 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework, 2013, http://www.coso.org/
2 COSO, “Internal Control—Integrated Framework: Executive Summary,” May 2013, http://www.coso.org
3 Swinhoe, D.; “The 15 Biggest Data Breaches of the 21st Century,” CSO Online, 17 April 2020, http://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
4 Ibid.
5 HIPAA Journal, “Systema Software Data Breach: 1.5M+ Medical Records Accessible via AWS,” 21 September 2015, http://www.hipaajournal.com/?s=systema+software
6 Romney, M. B.; P. J. Steinbart; Accounting Information Systems, Pearson, USA, 2015
7 Ibid.
8 Ibid.
9 Hopkins, N.; “Deloitte Hit by Cyber-Attack Revealing Clients’ Secret Emails,” The Guardian, 25 September 2017, http://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails
10 Cohen and Malad, “Bloomington-Based Premier Healthcare Reports Possible Patient Information Data Breach,” http://www.cohenandmalad.com/alerts/bloomington-based-premier-healthcare-reports-possible-patient-information-data-breach/
11 Op cit Romney, Steinbart
12 Leary, J.; “The Largest Data Breaches of 2016,” IdentityForce, 16 December 2016, http://www.identityforce.com/blog/2016-data-breaches
13 Leyden, J.; “RSA Explains How Attackers Breached Its Systems,” The Register, 4 April 2011, http://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/
14 Perlroth, N.; A. Tsang; A. Satariano; “Marriott Hacking Exposes Data of Up to 500 Million Guests,” The New York Times, 30 November 2018, http://www.nytimes.com/2018/11/30/business/marriott-data-breach.html
15 Electronic Privacy Information Center (EPIC), “Equifax Data Breach,” http://epic.org/privacy/data-breach/equifax/
16 Equifax, “Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes,” 15 September 2017, http://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832
17 Larson, S.; “Uber’s Massive Hack: What We Know,” CNN Business, 23 November 2017, http://money.cnn.com/2017/11/22/technology/uber-hack-consequences-cover-up/index.html
18 Armerding, T.; “The 16 Biggest Data Breaches of the 21st Century,” In Consult, 7 September 2017, http://inconsult.com.au/publication/the-16-biggest-data-breaches-of-the-21st-century/
19 Bradley, T.; “VeriSign Hacked: What We Don’t Know Might Hurt Us,” PCWorld, 2 February 2012, http://www.pcworld.com/article/249242/verisign_hacked_what_we_dont_know_might_hurt_us.html
20 Kang, C.; “Google Settles Privacy Complaint With FTC Over Buzz Social Networking Launch,” The Washington Post, 30 March 2011, http://www.washingtonpost.com/business/economy/google-settles-privacy-complaint-with-ftc/2011/03/30/AF1hyZ3B_story.html
21 Op cit Equifax
Jason Jiao, Ph.D., CPA
Is an assistant professor of accounting at Bradley University (Illinois, USA). He is a Certified Public Accountant in the US states of Illinois and Massachusetts. Jiao worked in the gaming industry in Las Vegas (Nevada, USA) for approximately 10 years, including as an internal control compliance officer to ensure compliance with state gaming regulations. He has published articles in Internal Auditing, Internal Auditors, and Journal of Accounting and Finance.