How privacy laws have changed security auditor requirements

Introduction

At the outset of 2018, it was hard to predict what the year ahead would have in store for consumer privacy. Between revelations of user data-sharing relationships between Facebook and Cambridge Analytica and Google and Mastercard as well as the implementation of the Global Data Privacy Regulation (GDPR) by the European Union, privacy has never been so public. 

In the wake of these events, U.S. companies are finally beginning to warm to the concept of federal privacy regulations. After working through their representatives for years to fend them off, companies and industry coalitions such as the Information Technology Industry Council — which represents firms like Facebook, Amazon, Google and Salesforce — are beginning to work with policy makers to help shape the potential new federal privacy regulations. 

But it shouldn’t take comprehensive federal legislation to motivate a company to examine how it handles customer data and enables personal privacy. Instead, companies can elevate the role that their security auditors play, step up their privacy practices and work to understand today’s regulatory environment while planning for what’s in store tomorrow. 

Why do companies conduct privacy audits?

Audits are nothing new for many businesses, but privacy audits are a different kind of experience. Broader in scope than an information technology audit or an annual tax review, the objective of a privacy audit is to evaluate an organization’s privacy protection posture against not only regulatory requirements and best practices of their industry, but also their own privacy-related policies. 

Because many of the organizations that security auditors work with hold deeply personal information about customers, and those customers expect a high level of responsibility in protecting that data, privacy audits involve evaluating procedures throughout the entire information life cycle. This includes ensuring internal mechanisms and third-party partners (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/nKE75_7gojY/