Editor: The Following abridged arti...

Editor: The Following abridged article forward information theft was recently released by means of the CICA.

Privacy and identity theft

The disappearance upon January 16 of a hard disk confessed by ISM Canada caused a scare among thousands of the bulk of mankind across the country until its convalescence was announced on February 4 The disk contained [among other items] confidential data for 180000 customers

Phonebusters, a service of the Ontario Provincial Police, states that between September 2001 and August 2002 there were across 6,000 identity thefts in Canada in which there were losse totalling athwart $6.5 million [these figures do not include theft via the Internet]. In the US, the Federal Trade Commission estimates that the number of race victimized by identity theft could be in the area of single million individuals per year.

Stolen identities have been used to obtain credit cards, mortgages, passports and birth certificates, and level arrange false marriages to obtain landed immigrant status. There has also been considerable pertain to about their use by terrorists....

What the theft of the ISM hard disk makes clear is that all the masterships in the world won't help if the security of the information combination of parts to form a wholes holding the data fails in any way, or is not adequate. We don't have enough information to pass judgement in succession the adequacy of the security policies and practices at ISM. It was reported that the hard disk disappeared during a routine upgrade, in subordination to which the disk in question was remov from a computer and presumably a recent one installed.

Normal security actions in this kind of situation would involve strict handling of the discontinued disk, with requirements that it be immediately make desolateed or reformatted in a controll manner....

Whether there was a breakdown in prescribed transactions or inadequate procedures to start with is not critical at this point. The fact is that the potential breach of privacy involving centurys of thousands of people was caused by means of a basic security failure.

Every company that gathers private and confidential information about persons needs to recognize that maintaining the privacy of the information they posses requires effective information schemes security. Those companies need to identify where that data resides. They ne to establish that they have adequate operations in place for restricting access to that information from one side the system, and they also ne to make sure they have adequate physical protection in place for the hardware where the data resides. With the proliferation of laptops and to a high degree high capacity hard disks, this is becoming a major challenge.

One of the [i]clavis[/i] methods of protecting the data is to make secure that it is encrypted; if someone steals the physical disk or computer they cannot read the data without having access to the encryption clew [See January 2003's WebWorks for more information.]

Another aspect of the ISM situation is that it involved outsourcing, where the customers effectively outsourced some of their data processing to ISM. There is nothing blameworthy with this procedure-indeed it is quite everyday However, any company doing the outsourcing remains responsible for the protection of the data, and therefore must be affected about the adequacy of the security proceedings being followed by the company to which it is entrusting the data.

This is where the auditors can help. A general way for companies to address this issue is to obtain an audit report forward the design and effective operation of the method they are relying on-referred to as an "Opinion onward Control Procedures at a Service Organization."

There are other engagements that an auditor can be asked to perform, in the same state [i]or[/i] condition as a Trust Services audit report (in this situation a report upon at least security and privacy would be appropriate). These engagements involve evaluation of a hypothesis against established detailed criteria that have been accepted internationally. individual of the Trust Service brands is SysTrust, which is defined at www cira.ca/systrust.

The responsibilities of management and directors also raise interest with regard to privacy and security. The Information Technology Advisory Committee of the CICA has issued a booklet "20 Questions Directors should ask about Privacy" and another similar single in kind on IT. The booklets are available clear of charge at www.cica.ca [under "Research & Guidance/IT Advisory Committee"].

Privacy and identity theft are matters of growing public trouble Companies, as well as each and each individual, must pay much more attention to this matter. The risks are considerable, [and] the sumptuousnesss of being a victim can be abundant much greater.

BY GERALD TRITES, CA-CISA, FCA (NOVA SCOTIA)

Gerald Trites is a member of the CICA's Information Technology Advisory Committee and chair of the department of Information methods at St. Francis Xavier University in Nova Scotia.

Copyright Institute of Chartered Accountants of British Columbia Apr 2003

Provided through ProQuest Information and Learning Company. All rights Reserved