Ethical & Legal Issues (Revised 2014)
Content:
Code of ethics: what and why?
Code of ethics for auditors
Illegal and irregular acts
Roles of IT auditors in relation to illegal and irregular acts in an organization
Regulatory and legal issues
CISB424, Sulfeeza
Slide 3
What is a Code of Ethics?
A document that outlines the mission and values of the business or organization, how professionals are supposed to approach problems, the ethical principles based on the organization's core values and the standards to which the professional will be held. (Source: Investopedia)
A written set of guidelines issued by an organization to its workers and management to help them conduct their actions in accordance with its primary values and ethical standards. (Source: BusinessDictionary.com)
Slide 4
Example of a Code of Ethics: Tenaga Nasional Berhad
http://www.tnb.com.my/about-tnb/tnb-code-of-ethics.html
Slide 5
Reasons for Organizations to Develop Codes of Ethical Conduct
1. Define acceptable behaviors for relevant parties;
2. Promote high standards of practice throughout the organization;
3. Provide a benchmark for organizational members to use for self-evaluation;
4. Establish a framework for professional behavior, obligations and responsibilities;
5. Offer a vehicle for occupational identity;
6. Reflect a mark of occupational maturity.
Slide 6
Failure to comply can result in INVESTIGATION OR DISCIPLINARY ACTION.
Slide 7
Code of Ethics for Auditors: IIA Code of Ethics
a) PRINCIPLES
Internal auditors are expected to apply and uphold the following principles:
i. Integrity: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
ii. Objectivity: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
iii. Confidentiality: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
iv. Competency: Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
Slide 8
Code of Ethics for Auditors (cont.)
b) RULES OF CONDUCT
1. Integrity. Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity. Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
3. Confidentiality. Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
4. Competency. Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
Slide 9
Example of a Code of Ethics: ISACA
ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall:
a) Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
b) Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
c) Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
d) Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
e) Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
f) Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
g) Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
Slide 10
Irregular and Illegal Acts
Irregular act: an intentional violation of corporate policies or regulatory requirements, or an unintentional breach of law.
Illegal act: a willful violation of laws or governmental regulations.
Slide 11
Irregular and Illegal Acts
Irregular and illegal acts can have a negative impact on organizations, in terms of:
i. Financial aspects
ii. Reputation of the organization
iii. Productivity of the organization
iv. Retention of employees
Slide 12
Examples of illegal acts: Fraud
An act or course of deception, an intentional concealment, omission, or perversion of truth, to (1) gain unlawful or unfair advantage, (2) induce another to part with some valuable item or surrender a legal right, or (3) inflict injury in some manner. (Source: BusinessDictionary.com)
Slide 13
Examples of illegal acts: Computer crimes / Cybercrime
"Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)" (Halder & Jaishankar, 2011)
Slide 14
Examples of illegal acts: Violations of intellectual property rights
IP rights: a right held by a person or by a company to have exclusive rights to use its own plans, ideas, or other intangible assets without the worry of competition, at least for a specific period of time. (Source: BusinessDictionary.com)
Slide 15
Who is responsible for prevention, detection, and reporting?
IT auditors are NOT responsible for preventing and detecting illegal or irregular acts in an organization.
Then, whose responsibilities are those? The management and Board of Directors of the organization are responsible. They must:
Adopt a preventive approach for identifying, analyzing and managing the risk of illegal and irregular acts that could prevent the organization from achieving its business objectives or strategies.
Have detective procedures in place to increase their ability to detect and uncover occurrences of illegal and irregular acts.
Design response controls to take corrective action and remedy the illegal and irregular acts.
Slide 16
What is the IT Auditor's Responsibility?
According to ISACA's IS Audit and Assurance Guideline 2207 Irregularity and Illegal Acts, Section 2.3 Responsibilities of the Professionals:
2.3.3 Professionals are NOT responsible for the prevention or detection of irregularities or illegal acts. An audit engagement cannot guarantee that irregularities will be detected. Even when the audit is planned and performed appropriately, irregularities could go undetected. The aim of an audit engagement is to determine whether controls are in place, adequate, effective and complied with.
2.3.4 Where professionals have specific information about the existence of an irregularity or illegal act, they have an obligation to report it.
2.3.5 Professionals should inform management and those charged with governance when they have identified situations where a higher level of risk exists for a potential irregularity or illegal act, even if none is detected.
Slide 17
How should the IT Auditor respond?
According to ISACA's IS Audit and Assurance Guideline 2207 Irregularity and Illegal Acts, Section 2.6 Responding to Irregularities and Illegal Acts:
2.6.2 Professionals should demonstrate an attitude of professional skepticism. Indicators (or "red flags") of persons committing irregularities or illegal acts are:
Overriding of controls by management
Irregular or poorly explained management behavior
Consistently over-performing compared to set targets
Problems with, or delays in, receiving requested information or evidence
Transactions not following the normal approval cycles
Increase in activity of a certain customer
Increase in complaints from customers
Deviating access controls for some applications or users
Slide 18
How should the IT Auditor respond? (cont.)
According to ISACA's IS Audit and Assurance Guideline 2207 Irregularity and Illegal Acts, Section 2.6 Responding to Irregularities and Illegal Acts:
2.6.3 When professionals become aware of information concerning a possible irregularity or illegal act, they should consider taking the following steps after direction from the appropriate legal authority:
Obtain an understanding of the nature of the act
Understand the circumstances in which the act occurred
Gather evidence of the occurrence of the act
Identify all persons involved in committing the act
Obtain sufficient supportive information to evaluate the effect of the act
Perform limited additional procedures to determine the effect of the act and whether additional acts exist
Document and preserve all evidence and work performed
Slide 19
Regulatory & Legal Issues
As discussed earlier, auditors need to know when to inform management if they have identified potential irregular or illegal acts, and to report such acts if they are found during the course of an audit. But how do they know whether an act is considered irregular or illegal? Auditors need a working knowledge of regulations and laws so that they can at least determine when to refer matters to legal counsel.
Some areas of knowledge auditors are required to have:
Legal contracts
Computer crime
Intellectual property rights
Privacy issues
Slide 20
a) Legal Contracts
An agreement with specific terms between two or more persons or entities in which there is a promise to do something in return for a valuable benefit known as consideration. (Source: http://legal-dictionary.thefreedictionary.com/contract)
Types of legal contracts:
Lease: a contract between a landlord and a tenant that specifies the terms under which the tenant has the right to use the landlord's property.
Employment contract: a legal agreement between a business and an employee that details the terms of employment, such as pay and benefits.
Sales contract: an agreement between two parties that details the terms of a financial transaction and documents the fact that ownership of an asset has transferred from seller to buyer.
Licensing agreement: a contract between the owner of intellectual property and an outside party that gives the outside party the right to use the intellectual property in a capacity specified in the agreement.
Slide 21
Elements of a Legally Binding Contract
1. An offer;
2. An acceptance of that offer which results in a meeting of the minds;
3. A promise to perform;
4. A valuable consideration (which can be a promise or payment in some form that the offeror expects in return from the offeree);
5. A time or event when performance must be made (meet commitments);
6. Terms and conditions for performance, including fulfilling promises;
7. Performance.
Slide 22
Types of Legally Binding Contract
1. A unilateral contract is a contract in which only one party makes an express promise, or undertakes a performance without first securing a reciprocal (mutual) agreement from the other party. (Source: http://legal-dictionary.thefreedictionary.com/Unilateral+contract)
Slide 23
Types of Legally Binding Contract (cont.)
2. A bilateral contract is an agreement formed by an exchange of promises in which the promise of one party is the consideration supporting the promise of the other party. (Source: http://legal-dictionary.thefreedictionary.com/Bilateral+Contract)
Slide 24
Types of Legally Binding Contract: Examples
a) "I will pay you RM500 to fix my car by Thursday." (Unilateral: only one party promises; the other accepts by performing.)
b) "I promise to fix your car by Thursday and you promise to pay RM500 on Thursday." (Bilateral: an exchange of promises.)
c) John offers to drive Mary to work on Mondays and Tuesdays in exchange for Mary driving to work on Wednesdays and Thursdays (bilateral); or Mary offers to pay John RM15 each day he drives her to work (unilateral).
Slide 25
Employment Contracts
What type of contract is an employment contract? Unilateral. Why? E.g., an employment contract cannot require that the employee must work for the employer for a certain period of time. However, the employer may request that the employee sign some agreements upon hiring, such as:
a) Confidentiality agreement
b) Trade secret agreement
c) Discovery agreement
d) Non-compete agreement
Slide 26
i) Confidentiality Agreements
A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. (Source: http://encyclopedia.thefreedictionary.com/Confidentiality+agreement)
Also known as a non-disclosure agreement (NDA), confidential disclosure agreement (CDA), proprietary information agreement (PIA), or secrecy agreement.
Content of the agreement:
Employee agrees not to divulge confidential information
Describes the nature of the protected information
Lists permissible uses of such information
Identifies remedies for non-compliance
States the term of the agreement
Slide 27
ii) Trade Secret Agreements
A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known or reasonably ascertainable, by which a business can obtain an economic advantage over competitors or customers. (Source: http://encyclopedia.thefreedictionary.com/trade+secret)
Enforceable for an indefinite period of time.
Slide 28
iii) Discovery Agreements
For employees hired to develop ideas and innovations. The agreement transfers ownership of the discovery to the employer, and prevents employees from claiming the discovery as their own property.
Slide 29
iv) Non-Compete Agreements
Employee agrees not to work for a competing employer (including self-employment) for:
a) a specified time (must be reasonable)
b) a specified geography
Prevents the employee from working for other companies in connection with the design or sale of a competitive product. A monetary remedy may be awarded to the company for violation.
Slide 30
b) Computer Crime
"Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)" (Halder & Jaishankar, 2011)
Includes any behaviors that are deemed by states or nations to be illegal, for example:
a. Fraud achieved by the manipulation of computer records
b. Spamming, wherever outlawed completely or where regulations controlling it are violated
c. Deliberate circumvention of computer security systems
d. Unauthorized access to or modification of computer programs or data
e. Intellectual property theft, including software piracy
f. Industrial espionage by means of access to or theft of computer materials
g. Identity theft where this is accomplished by use of fraudulent computer transactions
h. Writing or spreading computer viruses or worms
i. Salami slicing (see http://www.pcpro.co.uk/news/201252/hacker-takes-50-000-a-few-cents-at-a-time)
j. Denial-of-service attack
(Source: http://www.crime-research.org/news/26.11.2005/1661/)
Slide 31
Jurisdiction
Internet users remain in physical jurisdictions and are subject to law independent of their presence on the Internet. A single transaction may involve the laws of at least three jurisdictions:
The laws of the state/nation in which the user resides;
The laws of the state/nation that apply where the server hosting the transaction is located; and
The laws of the state/nation which apply to the person or business with whom the transaction takes place.
(Source: Suneet Dwivedi, https://www.academia.edu/3700793/Jurisdictional_Issues_in_Cyber_Crime)
Slide 32
Which jurisdictions apply?
Alex lives in Kansas, USA. He sells a fake handbag through his website to Marni, who lives in Birmingham, Britain. The online storefront that Alex uses is hosted on a server in Canada.
Slide 33
Intellectual Property
Creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce.
Categories of intellectual property:
1. Industrial property: patents, trademarks
2. Copyright: literary and artistic works
Slide 34
Patents
A patent protects an invention for 20 years from the date of application. Patents are territorial rights, i.e. the exclusive rights are only applicable in the country or region in which the patent has been filed and granted, in accordance with the law of that country or region.
Criteria for a patent are that an invention must be:
Novel: it has never existed before
Useful
Non-obvious
Patentable subject matter
There are four types of discoveries that can receive patents:
a) Machines or mechanical devices (example: http://www.prv.se/en/Patents/Why-apply-for-a-patent/Examples-of-patents/System-for-shorter-flight-times/)
b) Human-made products (example: http://www.prv.se/en/Patents/Why-apply-for-a-patent/Examples-of-patents/Life-saving-invention/)
c) Compositions of matter (chemical compositions or other substances)
d) Processing methods (a method of doing something)
Slide 35
Trademarks
Grants the owner the exclusive right to use the trademark on the intended or related products for identification. Covers:
a) Distinctive images, symbols, pictures, words
b) Distinctive and unique packaging
c) Color combinations
d) Building designs
e) Product styles
f) Overall presentations
Trademark status may be granted for a secondary meaning acquired over time that identifies a mark with the product or seller.
http://www.legalteamusa.net/tacticalip/2012/11/13/five-classic-examples-of-trademark/
Slide 36
Copyrights
Offers protection from the creation of the work until the end of the author's life plus 50 years. Protects creative works from being reproduced, performed or disseminated by others without permission.
Slide 37
Malaysian Laws
Communications & Multimedia Act 1998
Malaysian Communications & Multimedia Commission Act 1998
Digital Signature Act 1997
Computer Crimes Act 1997
Telemedicine Act 1997
Optical Discs Act 2000
Copyright Act 1987
Trade Marks Act 1976
Patents Act 1983
Industrial Designs Act 1996
Layout Designs of Integrated Circuits Act 2000
Geographical Indications Act 2000
Trade Descriptions Act 1972
Intellectual Property Corporation of Malaysia Act 2002
Electronic Commerce Act 2006
All can be downloaded from: http://www.msc.com.my/cyberlaws/index.asp
Slide 38
Examples & Issues related to using patented materials
If the IT auditor observes that the client appears to use some distinctive techniques within its IT infrastructure, such as novel processes for encrypting data or unique methods of thwarting denial-of-service attacks, the auditor should investigate whether such processes are already patented by other entities. If so, the auditor should ensure that the client has legally procured the right to use such patents.
If the IT auditor observes that the client appears to use the trademarks of other entities in its digital communications, the auditor should ensure that the client is not illegally using such trademarks.
Slide 39
Examples & Issues related to owning patented materials
If the IT auditor learns that the client owns one or more patents pertaining to the IT infrastructure, such as those mentioned above, the IT auditor should investigate whether and how the company continually scans the environment to ensure that other persons or entities are not infringing on the client's patent(s). If the company has no policies or activities aimed at protecting its patent(s) in this regard, the IT auditor could add value to the engagement by suggesting several scanning methods.
If the client places its own unique logo on its digital communications, the IT auditor should investigate whether and how the company continually scans the environment to ensure that other persons or entities are not using the company logo. If the company has no policies or activities aimed at protecting its logo, the IT auditor could add value to the engagement by suggesting several scanning methods.
Slide 40
Examples & Issues related to developing patented materials
If the IT auditor discovers that the client has developed unique and novel components of the digital IT infrastructure that give competitive advantage to the company, such as those mentioned above, the IT auditor could suggest that the client consider the possibility of applying for patents, if it has not already done so. If successful, the client will be able to legally protect its intellectual property rights.
If the client places a unique logo on its digital communications but has not properly registered it with the U.S. Patent and Trademark Office, the IT auditor should suggest that the client register the logo as a way to protect the marketing value ascribed to it.
Slide 41
Examples & Issues related to copyrighted materials
If the IT auditor observes that the client appears to use copyrighted creative works belonging to external parties, such as software applications, the auditor should investigate whether the rights to use such copyrighted works have been properly procured. With regard to software applications, which reflect the most likely type of infringement an IT auditor will encounter, the client should possess properly executed software licensing agreements.
If the IT auditor learns that the client owns one or more copyrights, such as software applications that the company has developed, the auditor should investigate whether and how the company continually scans the environment to ensure that other persons or entities are not infringing on the client's copyrights. If the company has no policies or activities aimed at protecting its copyrights in this regard, the IT auditor could add value to the engagement by suggesting several scanning methods.
If the IT auditor discovers that the client has developed its own creative works, such as software applications, and the company has not copyrighted its material, the IT auditor could suggest that the client consider the possibility of registering such copyrights, if it has not already done so. The client should register its creative works as a way to put the public on notice that it considers its works to be protected as intellectual property.
Slide 42
Privacy
The right to be free from secret surveillance and to determine whether, when, how, and to whom one's personal or organizational information is to be revealed. Specifically, privacy may be divided into four categories:
(1) Physical: restriction on others to experience a person or situation through one or more of the human senses;
(2) Informational: restriction on searching for or revealing facts that are unknown or unknowable to others;
(3) Decisional: restriction on interfering in decisions that are exclusive to an entity;
(4) Dispositional: restriction on attempts to know an individual's state of mind.
(Source: http://www.businessdictionary.com/definition/privacy.html)
Slide 43
Four Types of Invasion of Privacy
Intrusion: when a person invades another person's private affairs.
Public disclosure: when someone publishes hurtful, embarrassing or offensive facts about a person's private life.
False light: when someone produces false statements about a person or depicts that person in a false manner.
Appropriation of name or likeness: the unauthorized commercial use of a person's name or image without his knowledge or approval.
(Source: http://www.ehow.com/info_8068982_four-types-invasion-privacy.html)
Slide 44
Privacy and Organizations
A corporate classification program for privacy-protected data will assist the organization in prioritizing the data, in assigning a sensitivity level (such as proprietary, confidential, or public) to data, and in evaluating the appropriateness of the controls over the technology and business processes that handle the data.
It is critical that the organization implements an effective privacy program that includes:
a) A privacy statement.
b) Written policies, procedures, controls, and processes.
c) Roles and responsibilities.
d) Employee training and education.
e) Monitoring and auditing.
f) Information security practices.
g) Incident response plans.
h) Privacy laws and regulations.
i) Plans for responding to detected problems and corrective action.
(Source: ITAudit, CAE Bulletin, IIA, 2006)
Slide 45
IT Auditor's Role in Privacy
The IIA released Global Technology Audit Guide (GTAG) 5, Managing and Auditing Privacy Risks, to provide internal auditors and management with insight into the privacy risks that the organization should address when it collects, uses, retains and discloses personal information.
According to GTAG 5, good governance includes:
a) Identifying significant risks to the organization;
b) Ensuring appropriate controls are in place to mitigate these risks.
What are the benefits of good governance to the organization?
a) Protecting the organization's public image and brand
b) Protecting valuable data on the organization's customers and employees
c) Achieving competitive advantage in the marketplace
d) Enhancing credibility and promoting confidence and goodwill
(Source: ITAudit, CAE Bulletin, IIA, 2006)
Slide 46
IT Auditor's Role in Privacy (cont.)
Specific activities that auditors can perform:
1. Work with legal counsel to determine what privacy legislation and regulations would be applicable to the organization.
2. Work with IT management and business process owners to assess whether information security and data protection controls are in place and are reviewed regularly.
3. Conduct privacy risk assessments, or review the effectiveness of privacy policies, practices, and controls across the organization.
4. Identify the types of personal information collected, the collection methodology used, and whether the organization's use of the information is in accordance with its intended use.
5. Review policies, procedures, and guidelines governing data flows and handling procedures.
6. Conduct an assessment of service providers' interactions, including a review of procedures and controls over providers who manage personally identifiable information or sensitive data on behalf of the organization.
7. Review current training practices and materials, and take inventory of the privacy awareness and training materials available and needed.
8. Perform a gap analysis of data flows and handling procedures against relevant policies, laws, regulations, and best practices for consistency and compliance.
(Source: ITAudit, CAE Bulletin, IIA, 2006)
Slide 47
IT Auditor's Role in Privacy (cont.)
GTAG 5 provides 10 privacy questions internal auditors should ask during a privacy assessment:
1. What privacy laws and regulations impact the organization?
2. What type of personal information does the organization collect?
3. Does the organization have privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?
4. Does the organization have responsibility and accountability assigned for managing a privacy program?
5. Does the organization know where all personal information is stored?
6. How is personal information protected?
7. Is any personal information collected by the organization disclosed to third parties?
8. Are employees properly trained in handling privacy issues and concerns?
9. Does the organization have adequate resources to develop, implement, and maintain an effective privacy program?
10. Does the organization complete a periodic assessment to ensure that privacy policies and procedures are being followed?
(Source: ITAudit, CAE Bulletin, IIA, 2006)
Slide 48
Examples of Privacy Frameworks
1) Organisation for Economic Co-operation and Development (OECD) Privacy Principles
2) Asia-Pacific Economic Cooperation (APEC) Privacy Framework
3) United States Department of Commerce Safe Harbor Privacy Principles
4) Generally Accepted Privacy Principles (GAPP)