
IS AUDITING GUIDELINE

PRIVACY
DOCUMENT G31

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply
specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally
applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA
professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:
■ Standards define mandatory requirements for IS auditing and reporting. They inform:
– IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA
Code of Professional Ethics
– Management and other interested parties of the profession’s expectations concerning the work of practitioners
– Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards
may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee
and, ultimately, in disciplinary action.
■ Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve
implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective
of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
■ Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide
information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS
Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

COBIT resources should be used as a source of best practice guidance. The COBIT Framework states, "It is management's responsibility to
safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish
an adequate system of internal control." COBIT provides a detailed set of controls and control techniques for the information systems
management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the
choice of specific COBIT IT processes and consideration of COBIT information criteria.

As defined in the COBIT Framework, each of the following is organised by IT management process. COBIT is intended for use by business and
IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best
practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
■ Control objectives—High-level and detailed generic statements of minimum good control
■ Control practices—Practical rationales and “how to implement” guidance for the control objectives
■ Audit guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and
substantiate the risk of controls not being met
■ Management guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical
success factors. They provide a management-oriented framework for continuous and proactive control self-assessment specifically
focused on:
– Performance measurement—How well is the IT function supporting business requirements? Management guidelines can be used
to support self-assessment workshops, and they also can be used to support the implementation by management of continuous
monitoring and improvement procedures as part of an IT governance scheme.
– IT control profiling—What IT processes are important? What are the critical success factors for control?
– Awareness—What are the risks of not achieving the objectives?
– Benchmarking—What do others do? How can results be measured and compared? Management guidelines provide example
metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT
processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the
process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to
measure control capability and to identify control gaps and strategies for improvement.

A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful
outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests
that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls
professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or
information technology environment.

The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures.
Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards
Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The
Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to
identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org), faxed (+1.847.253.1443) or
mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and
academic relations. This material was issued 15 April 2005.
1. BACKGROUND

1.1 Linkage to Standards


1.1.1 Standard S1 Audit Charter states, “The purpose, responsibility, authority and accountability of the information systems audit
function or information systems audit assignments should be appropriately documented in an audit charter or engagement
letter.”
1.1.2 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives
and to comply with applicable laws and professional auditing standards.”
1.1.3 Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor should obtain sufficient,
reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by
appropriate analysis and interpretation of this evidence.”

1.2 Linkage to COBIT


1.2.1 High-level control objective PO8, Ensure compliance with external requirements, states, “Control over the IT process of ensuring
compliance with external requirements that satisfies the business requirement to meet legal, regulatory and contractual obligations
is enabled by identifying and analysing external requirements for their impact, and taking appropriate measures to comply with
them and takes into consideration:
■ Laws, regulations and contracts
■ Monitoring legal and regulatory developments
■ Regular monitoring for compliance
■ Safety and ergonomics
■ Privacy
■ Intellectual property”
1.2.2 Detailed control objective PO8.4, Privacy, intellectual property and data flow states, “Management should ensure compliance with
privacy, intellectual property, transborder data flow and cryptographic regulations applicable to the IT practices of the organisation.”

1.3 Reference to COBIT


1.3.1 This section gives the COBIT reference for the specific objectives or processes of COBIT that should be considered when
reviewing the area addressed by this guidance. Selection of the most relevant material in COBIT applicable to the scope of the
particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT control objectives and
associated management practices. For a privacy review, the COBIT processes most likely to be relevant, and to be selected
and adapted, are classified as primary and secondary in the following list. The processes and control objectives to be selected
and adapted may vary depending on the specific scope and terms of reference of the assignment.
1.3.2 Primary:
■ PO8—Ensure compliance with external requirements
■ DS5—Ensure systems security
1.3.3 Secondary:
■ PO7—Manage human resources
■ DS1—Define and manage service levels
■ DS2—Manage third-party services
■ DS10—Manage problems and incidents
■ DS11—Manage data
■ DS13—Manage operations
■ M1—Monitor the processes
■ M2—Assess internal control adequacy
■ M3—Obtain independent assurance
■ M4—Provide for independent audit
1.3.4 The information criteria most relevant to a privacy review are:
■ Primary—Effectiveness, compliance, confidentiality and integrity
■ Secondary—Reliability and availability
1.4 Purpose of the Guideline
1.4.1 The purpose of this guideline is to assist the IS auditor to appreciate privacy and appropriately address the privacy issues in
carrying out the IS audit function. This guideline is aimed primarily at the IS audit function; however, aspects could be
considered for other circumstances.
1.4.2 This guideline provides guidance in applying IS Auditing Standards. The IS auditor should consider it in determining how to
achieve implementation of the above standards, use professional judgement in its application and be prepared to justify any
departure.

1.5 Guideline Application


1.5.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards and
guidelines.

Page 2 Privacy Guideline


1.6 Definition of Privacy in an IS Auditing Context—Limits and Responsibilities
1.6.1 Privacy means adherence to trust and obligation in relation to any information relating to an identified or identifiable
individual (data subject). Management is responsible to comply with privacy in accordance with its privacy policy or
applicable privacy laws and regulations.
1.6.2 Personal data is any information relating to an identified or identifiable individual.
1.6.3 The IS auditor is not responsible for what is stored in the personal databases; however, he/she should check whether personal
data are correctly managed with respect to legal prescriptions through the adoption of the correct security measures.
1.6.4 The IS auditor should review management’s privacy policy to ascertain that it takes into consideration the requirements of
applicable privacy laws and regulations including transborder data flow requirements, such as Safe Harbor and OECD
Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (see reference section).
1.6.5 IS auditors should review the privacy impact analysis or assessment carried out by management. Such assessments
should:
■ Identify the nature of personally identifiable information associated with business processes
■ Document the collection, use, disclosure and destruction of personally identifiable information
■ Provide management with a tool to make informed policy, operations and system design decisions based on an
understanding of privacy risk and the options available for mitigating that risk
■ Provide reasonable assurance that accountability for privacy issues exists
■ Create a consistent format and structured process for analysing both technical and legal compliance with relevant
regulations
■ Reduce revisions and retrofit the information systems for privacy compliance
■ Provide a framework to ensure that privacy is considered starting from the conceptual and requirements analysis stage
to the final design approval, funding, implementation and communication stage
1.6.6 IS auditors should determine whether these assessments are conducted as part of an initial privacy review and on an
ongoing basis for any change management project, such as:
■ Changes in technology
■ New programs or major changes in existing programs
■ Additional system linkages
■ Enhanced accessibility
■ Business process reengineering
■ Data warehousing
■ New products, services, systems, operations, vendors and business partners
1.6.7 In assessing applicable privacy laws and regulations that need to be complied with by any particular organisation,
particularly for organisations operating in different parts of the globe, IS auditors should seek an expert opinion as to the
requirement of any laws and regulations and should carry out the necessary compliance and substantive tests to form an
opinion and report on the compliance of such laws and regulations.
1.6.8 Data controller is a party who is competent to decide about the contents and use of personal data regardless of whether or not
such data are collected, stored, processed or disseminated by that party or by an agent on its behalf.

2. AUDIT CHARTER

2.1 Privacy in the Connected World


2.1.1 The advancement of communication technology such as the World Wide Web and electronic mail allows the efficient
dissemination of information on a global scale. Controls should be in place to ensure the ethical use of this technology and
the protection of electronic/digitalised and hard copy personal information. Furthermore, the global promulgation of
legislation requires that organisations implement controls to protect individual privacy. This guideline provides a common set
of criteria that the IS auditor can apply to assess the effectiveness of security controls designed to ensure personal privacy.

3. INDEPENDENCE

3.1 Sources of Information


3.1.1 The IS auditor should consider local regulations about privacy first and, after that, the global regulations that the organisation is
adopting. If the organisation is international, the auditor should consider that local regulations take precedence over enterprise
policies, but in that case the organisation must additionally comply with both (e.g., Sarbanes-Oxley for US companies).

4. PROFESSIONAL ETHICS AND STANDARDS

4.1 Need for Personal Data Protection


4.1.1 An increasing number of connections between internal and external registries/data sources, and the use of the Internet,
increase the need for privacy in both public and private enterprises. Information regarding life, health, finances, sexual
orientation, religion, political opinion, etc., may, if exposed to unauthorised people, cause irreparable harm to individuals.
4.1.2 Laws and regulations regarding privacy exist in many countries, but these are often not well known or specific enough.
Therefore, an IS auditor must have a basic knowledge of privacy matters and, when necessary, be aware of the basic
differences between various countries' regulations to evaluate the level of protection regarding personal information in an
enterprise.



5. COMPETENCE

5.1 Approach for Personal Data Protection


5.1.1 There must be requirements and rules for treating digitalised and hard copy personal information to secure confidentiality,
integrity and availability of personal information. Every organisation must have an approach for protecting all types and
forms of personal information and should consider:
■ Privacy management—The chief executive officer or the person in charge of the organisation should have the primary
responsibility for privacy. The objectives and overarching guidelines for the use of personal information should be described
in the security objectives/policy and strategy. There should be formalised routines for frequent evaluation to provide
reasonable assurance that the use of personal information is compliant with the needs of the organisation and with public
rules and regulations. The results of the evaluation should be documented and used as the basis for possible changes in
security policy and strategy.
■ Risk assessment—The organisation should have an overview of the various kinds of personal information in use. The
organisation must also determine the criteria for acceptable risk connected to the treatment of personal information. The
responsibility for personal information should be assigned to a “data controller.” The data controller is responsible for the
execution of risk assessments to identify the probability and consequences of security incidents. New risk
assessments should be carried out whenever changes significant to information security occur. The results of the risk
assessments should be documented.
■ Security audit—Security audit regarding use of information systems should be carried out on a regular basis. Security
audit should encompass the organisation, security efforts and cooperation with partners and vendors. The results
should be documented.
■ Deviation—Any use of information systems that is not compliant with formalised routines and which may cause security
breaches should be treated as a deviation. The objective of deviation treatment is to re-establish normal conditions,
remove the cause that led to the deviation and prevent recurrence. If deviations have caused unauthorised release of
confidential information, the local authorities may need to be notified. The results should be documented.
■ Organisation—Responsibility for use of the information systems should be established and documented. This
responsibility should not be changed without authorisation from appropriate management. The information system
should be configured to achieve satisfactory information security. The configuration should be documented and only
changed with authorisation from appropriate management.
■ Staff—Employees should use personal information according to their tasks and have the necessary authorisation.
Furthermore, employees should have the necessary knowledge to use the information system according to formalised
routines. Authorised use of information systems should be registered.
■ Professional secrecy—Employees should sign a formal agreement to not disclose any kind of personal information
where confidentiality is necessary. This professional secrecy should also encompass other information of importance
for information security.
■ Physical security—The organisation should implement measures to prevent unauthorised access to technical
equipment in use to process personal information. Security measures should also encompass other equipment of
importance for information security. Equipment should be installed in a way that does not affect the treatment of
personal information.
■ Confidentiality—The enterprise should take measures to prevent unauthorised access to personal information where
confidentiality is necessary. Security measures should also prevent unauthorised access to other information of
importance for information security. Confidential personal information that is being transferred electronically to external
partners should be encrypted or secured in another manner. Stored information containing confidential personal
information should be marked appropriately.
■ Integrity—Measures should be taken against unauthorised change of personal information to provide reasonable
assurance of integrity. Security measures should also prevent unauthorised changes of other information of importance
for information security. Furthermore, measures should be taken against malicious software.
■ Availability—Measures should be taken to provide reasonable assurance of access to personal information. Security
measures should also encompass other information of importance for information security. Backup and recovery
routines should be in place to provide reasonable assurance of access to information in situations when normal
operations fail. Proper backup routines should be established.
■ Security measures—Security measures should be in place to prevent unauthorised use of information systems and
make it possible to discover unauthorised access attempts. All unauthorised access attempts should be logged.
Security measures should encompass efforts that cannot be influenced or bypassed by staff, and should not be limited
to legal actions taken against individuals. Security measures should be documented.
■ Security toward external partners—The data controller is responsible for clarifying responsibility and authority toward
external partners and vendors. Responsibility and authority should be formalised in a written document. The data
controller must have proper knowledge about the security strategy of partners and vendors, and on a regular basis
ensure that the strategy gives satisfactory information security.
■ Documentation—Routines for use of information systems and other information of relevance for information security
should be documented. Documentation should be stored according to national laws and regulations. Incident logs from
information systems should be stored for at least three months. Policy, standards and procedures should be deployed
to specify approved use of personal information.
■ Awareness and training sessions—These should be implemented to communicate the privacy policy to employees and
providers, especially to those persons handling the personal information of customers (e.g., customer service).



6. PLANNING

6.1 Overview of Privacy Laws in Various Countries: Principles and Main Differences
6.1.1 Most countries have already issued their own privacy regulations. The principles are basically the same, but with significant
differences in terms of definition of personal data, basic security measures to adopt, etc. These differences can affect the IS
auditor’s role, especially when the assignment involves more than one country and/or data repositories are located in
another area.
6.1.2 Table 1 lists general principles from “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data,” published by the Organisation for Economic Co-operation and Development (OECD) in 1980 and 2002.

Table 1—GENERAL PRINCIPLES

No. | Principle | Explanation
1 | Collection limitation | The collection of personal data is possible with the (explicit) consent and knowledge of the data subject.
2 | Data quality | Personal data are relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, are accurate, complete and kept up to date.
3 | Purpose specification | The purposes for which personal data are collected are specified not later than the time of data collection, and the subsequent use is limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4 | Use limitation | Personal data cannot be disclosed, made available or otherwise used for purposes other than those specified above (except with the consent of the data subject or by the authority of law).
5 | Security safeguards | Personal data should be protected by reasonable security safeguards against risks such as loss or unauthorised access, destruction, use, modification or disclosure of data.
6 | Openness | There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, the main purposes of their use, and the identity and usual residence of the data controller.
7 | Individual participation 1 | An individual has the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him/her.
8 | Individual participation 2 | An individual has the right to have communicated to him/her data relating to him/her: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him/her.
9 | Individual participation 3 | An individual has the right to be given reasons if a request, such as those in principles 7 and 8, is denied, and to challenge such denial.
10 | Individual participation 4 | An individual has the right to challenge data relating to him/her and, if the challenge is successful, to have the data erased, rectified, completed or amended.
11 | Individual participation 5 | Specific procedures must be established so that the individual can communicate to the company if he/she changes his/her mind about the use and disposal of his/her personal information, and these changes must be reflected in all systems and platforms where his/her data are used.
12 | Accountability of data controller | The data controller is accountable for complying with measures that give effect to the principles stated above.

6.1.3 Based on the aforementioned principles, the checklist in table 2 should help to build a comparison between various
countries’ regulations and represent a rough indicator of how those principles are actually applied. The “ref” column is the
reference number to the principles listed in Table 1.

Table 2—CHECKLIST

No. | Ref. | Question
1 | 1 | Is collection of personal data regarding an individual, for any kind of processing, NOT possible without either the unambiguous consent of the individual, or the fulfilment of a contract with the individual, or another condition explicitly permitted by law? Special cases such as public security or national security are excepted, but these should be done by the authority of law and authorised by an entity different from the collector.
2 | 1 | Is consent to collecting and/or processing personal data necessary for any third party who needs to access/manipulate them (e.g., outsourcing), and must it be expressed by the data subject in written consent distinct from the one given to the main contractor (in other words, no data controller can give any third party access to data without the unambiguous, explicit authorisation of the data subject)?
3 | 2 | Are data controllers compelled to periodically verify the accuracy of data, and to update or delete irrelevant/excessive/outdated (for the scope of processing) information?
4 | 3 | Are data controllers compelled to communicate the scope of collecting data to the data subject(s)?
5 | 3 | Are data controllers compelled to limit the use of data to those purposes communicated to the data subject(s) when the data were collected?
6 | 3 | Are data controllers compelled to communicate any change of purpose of collecting/processing data to the data subject(s) and to obtain his/her approval?
7 | 4 | Are there limitations to the use of data which forbid any utilisation/disclosure not explicitly authorised by the data subject(s)?
8 | 5 | Are there requirements about minimum security safeguards requested of the data controllers to protect data against unauthorised disclosure/utilisation?
9 | 5 | Must data controllers prepare and periodically update a security plan?
10 | 5 | Must data controllers periodically conduct a risk assessment?
11 | 5 | Are there requirements that make any individual (belonging to the data controller’s organisation) uniquely identifiable and accountable for access to any data subject’s data?
12 | 6 | Is the identity of the data controller (as an individual or an organisation) necessarily communicated to the data subject(s), as well as the nature of data collected/processed?
13 | 6 | Are there any training or awareness programs in place to alert staff to the requirements of personal information protection?
14 | 7 | Can a data subject ask the data controller for information regarding the existence or nature of data pertaining to him/her?
15 | 7 | Can a data subject obtain his/her data from the data controller and verify them?
16 | 8 | Is there a maximum period of time fixed to answer questions 14 and 15? Yes, the information should be provided in a reasonable manner and in an intelligible form.
17 | 9 | Can a data subject challenge any denial by the data controller to communicate to him/her the existence of data/processing pertaining to him/her?
18 | 10 | Can a data subject have the data pertaining to him/her erased by the data controller? Yes.
19 | 11 | Can a data subject deny at any time to anyone (even if authorised before) the consent to collect data regarding him/her?
20 | 12 | Are there sanctions against data controllers who are not compliant with the above stated principles?
21 | 12 | Are there organisations that have a duty to verify compliance of a data controller with the above stated principles?

7. PERFORMANCE OF AUDIT WORK

7.1 Reviewing an Organisation’s Privacy Practices and Procedures


7.1.1 The IS auditor should have a good understanding of the audit planning process. An audit program should be developed
including the scope, objectives and timing of the audit. Reporting arrangements should be clearly documented in the audit
program.
7.1.2 Consideration should be given to the nature and size of the organisation and its stakeholders. Knowledge of transborder
relationships (both within the country and internationally) is important and will help determine the scope and time required for
the audit.
7.1.3 The IS auditor should gain an understanding of the organisation’s mission and business objectives, the types of data
collected and used by the organisation and the legislation applicable to the organisation, which may include privacy
requirements. Also, an understanding of the organisational structure, including roles and responsibilities of key staff
including the information managers and owners is needed.
7.1.4 A primary objective of the audit planning phase is to understand the risks to the organisation in the event of nonadherence to
privacy legislation/regulations.

7.2 Steps to Perform


7.2.1 The IS auditor should conduct a preliminary privacy assessment to help determine the impact on the organisation if
compliance with the relevant privacy legislation is not achieved. This helps to define the scope of the review and should also
take into account factors such as the type of information collected, stored and used for various purposes within the
organisation.
7.2.2 The IS auditor should determine whether the organisation has the following in place:
■ Privacy policy
■ Privacy officer
■ Data controller
■ Training and awareness plan in relation to privacy
■ Privacy complaint management process
■ Regime of privacy audits conducted against the privacy legislation
■ Privacy requirements for outsourced services and contractors
These, if available, should be assessed by the IS auditor to ensure they are in line with the relevant privacy legislation and/or
regulations.
7.2.3 The IS auditor should conduct a privacy impact analysis. This involves:
■ Identifying, analysing and prioritising the risks of nonadherence to privacy legislation
■ Understanding the various privacy measures currently in place in the organisation
■ Assessing the weaknesses and strengths
■ Recommending strategies for improvement



7.2.4 A report should be written by the IS auditor that documents the results of the privacy review. The report should include an
outline of the objectives and scope and provide a summary of the type of data and information collected, stored and used by
the organisation.
7.2.5 The report should include information on the privacy related risks that face the organisation and a summary of the risk
reduction measures or privacy protection strategies that exist.
7.2.6 Weaknesses identified in the privacy review either due to an absence of risk reduction measures or inadequate measures
should be brought to the attention of the information owners and to the management responsible for the privacy policy.
7.2.7 Where weaknesses identified during the privacy review are considered to be significant or material, the appropriate level of
management should be advised to undertake immediate corrective action.
7.2.8 The IS auditor should include appropriate recommendations in the audit report to provide management with opportunities to
strengthen the organisation’s privacy controls.

8. REPORTING

8.1 Security Measures Verification Regulations


8.1.1 Local privacy regulations may require that specific security measures are in place to ensure personal data are properly
protected against the risks of unauthorised access, improper disclosure, modification and/or loss.
8.1.2 The following is a list of key controls to help provide reasonable assurance that local privacy requirements are satisfied.
Please note that local laws or regulations can impose additional measures. The IS auditor should check the applicability and
completeness of this table before starting the audit, as stated in table 2 of section 6.1.3.

8.2 Media Reuse


8.2.1 A formal procedure to provide reasonable assurance that due care is taken by all personnel with custody of media and
documentation containing personal data should exist and be verified.
8.2.2 Before reusing media (e.g., electronic/digitalised or paper) that previously contained personal data, reasonable assurance
should be provided that all information has been removed. For electronic media this means overwritten or cryptographically
erased, not merely deleted or reformatted, since deleting files or reformatting leaves the data recoverable. Sometimes, according
to data sensitivity or media nature, it is necessary to destroy the media itself.
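The check behind 8.2.2 can be made concrete by scanning a raw image of the media (for example a dd copy taken before the media is released for reuse) for anything that is not an overwrite fill pattern. The following script is an added example written for this guideline; it is not ISACA's code and the sector size, the "blank" definition (all 0x00 or all 0xFF) and the e-mail regular expression used as a proxy for personal data are assumptions. The two sample images are constructed inline: one fully overwritten, one where only the file entry was deleted so the record itself is still on the media.

```python
import io
import re
import sys
from typing import BinaryIO, Dict, List, Tuple

SECTOR_SIZE = 512  # assumed; use the media's real sector size

# Cheap proxy for residual personal data: e-mail addresses. Extend with the
# patterns (national ID formats, card numbers, ...) relevant to the data set.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _is_blank(sector: bytes) -> bool:
    """A sector counts as blank only if it is entirely 0x00 or entirely 0xFF,
    the fill values a full overwrite leaves behind. Anything else is residue."""
    return sector.count(b"\x00") == len(sector) or sector.count(b"\xff") == len(sector)


def scan_image(fh: BinaryIO, sector_size: int = SECTOR_SIZE) -> Dict[str, object]:
    """Read a raw image sector by sector and report what is still on it."""
    non_blank: List[int] = []          # byte offsets of sectors holding residue
    pii_hits: List[Tuple[int, str]] = []
    offset = 0
    sectors = 0
    while True:
        sector = fh.read(sector_size)
        if not sector:
            break
        sectors += 1
        if not _is_blank(sector):
            non_blank.append(offset)
            # A value straddling a sector boundary is not matched here; the
            # sector is still reported as non-blank, which is the finding.
            for m in EMAIL_RE.finditer(sector):
                pii_hits.append((offset + m.start(), m.group().decode("ascii", "replace")))
        offset += len(sector)
    return {
        "sectors": sectors,
        "non_blank_sectors": non_blank,
        "pii_hits": pii_hits,
        "sanitised": not non_blank,
    }


def scan_bytes(data: bytes, sector_size: int = SECTOR_SIZE) -> Dict[str, object]:
    """Convenience wrapper for in-memory images (used by the samples below)."""
    return scan_image(io.BytesIO(data), sector_size)


def constructed_samples() -> Dict[str, bytes]:
    """Constructed images, not real data: one fully overwritten with zeros and
    one where the directory entry was deleted but the record is still present."""
    wiped = b"\x00" * (8 * SECTOR_SIZE)
    record = b"name,jane.doe@example.org,1970-01-01"
    residual = (b"\x00" * (2 * SECTOR_SIZE)
                + record.ljust(SECTOR_SIZE, b"\x00")
                + b"\xff" * SECTOR_SIZE)
    return {"wiped": wiped, "residual": residual}


if __name__ == "__main__":
    # Usage: python scan_media.py /path/to/image.raw   (e.g. a dd copy of the media)
    with open(sys.argv[1], "rb") as fh:
        result = scan_image(fh)
    print("sanitised" if result["sanitised"] else
          f"{len(result['non_blank_sectors'])} non-blank sector(s), "
          f"{len(result['pii_hits'])} personal-data hit(s)")
```

A "sanitised" verdict from this scan only shows that the readable sectors carry no residue; it says nothing about remapped or over-provisioned blocks on flash media, which is one reason 8.2.2 allows for physical destruction where the data are sensitive.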

8.3 Training
8.3.1 Security training should be scheduled regularly for all personnel dealing with personal data.

8.4 Access Control


8.4.1 As a general principle, the “need-to-know” philosophy must be enforced (i.e., any person should be granted access only to
the files and archives necessary to perform his/her work).
8.4.2 Access privileges and user IDs should be assigned according to this policy.
8.4.3 A written procedure to immediately update or delete user IDs when an employee leaves the organisation or is transferred to
another department/function should exist and be verified.
8.4.4 Proper instructions regarding the use of personal computers should be provided and their application verified. They must
cover every aspect of individual data security, such as the need to perform regular data back-ups and the rule that workstations
must not be left unattended while logged on.
8.4.5 The internal network should be adequately protected by the use of security devices, such as firewalls.
8.4.6 The existence of a contingency plan to restore personal data archives within defined time limits should be verified.
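The controls in 8.4.1 to 8.4.3 are usually tested by reconciling an HR extract against the user directory. The script below is an added example for this guideline, not ISACA's code: it takes constructed HR records and account records, a hypothetical need-to-know matrix (which groups each department may hold) and an assumed 90-day dormancy threshold, and reports enabled accounts belonging to leavers, accounts holding groups outside their owner's department (the transfer case), accounts with no recorded owner, and dormant accounts. Field names and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 90  # assumed policy value


@dataclass
class Employee:
    emp_id: str
    department: str
    status: str                 # "active" or "left"
    left_on: Optional[date] = None


@dataclass
class Account:
    user_id: str
    emp_id: Optional[str]       # None: no owner recorded in the directory
    groups: List[str]
    last_login: Optional[date]
    enabled: bool = True


# Hypothetical need-to-know matrix: the groups each department may hold.
DEPT_GROUPS: Dict[str, Set[str]] = {
    "HR": {"hr-records", "payroll-read"},
    "Finance": {"payroll-read", "ledger"},
    "IT": {"sysadmin"},
}


def reconcile(employees: List[Employee], accounts: List[Account], as_of: date,
              dept_groups: Dict[str, Set[str]] = DEPT_GROUPS) -> List[dict]:
    """Compare every enabled account with the HR record of its owner."""
    by_id = {e.emp_id: e for e in employees}
    findings: List[dict] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are out of scope
        owner = by_id.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            findings.append({"user_id": acct.user_id, "issue": "orphan",
                             "detail": "no owner in HR records"})
            continue
        if owner.status == "left":
            days = (as_of - owner.left_on).days if owner.left_on else None
            findings.append({"user_id": acct.user_id, "issue": "leaver_still_enabled",
                             "detail": f"owner left {days} day(s) ago"})
            continue
        # Need-to-know: groups the owner's current department is not entitled to.
        excess = sorted(set(acct.groups) - dept_groups.get(owner.department, set()))
        if excess:
            findings.append({"user_id": acct.user_id, "issue": "excess_groups",
                             "detail": f"{owner.department} should not hold {excess}"})
        if acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS:
            findings.append({"user_id": acct.user_id, "issue": "dormant",
                             "detail": f"no login in {DORMANT_DAYS} days"})
    return findings


def sample_findings() -> List[dict]:
    """Constructed HR and directory extracts (not real data)."""
    employees = [
        Employee("E1", "HR", "active"),
        Employee("E2", "Finance", "left", date(2024, 1, 15)),
        Employee("E3", "IT", "active"),        # transferred from Finance, kept a Finance group
        Employee("E5", "HR", "active"),
    ]
    accounts = [
        Account("alice", "E1", ["hr-records"], date(2024, 3, 1)),
        Account("bob", "E2", ["ledger"], date(2024, 1, 10)),
        Account("carol", "E3", ["sysadmin", "ledger"], date(2024, 3, 20)),
        Account("svc_old", None, ["ledger"], date(2024, 3, 25)),
        Account("eve", "E5", ["hr-records"], date(2023, 6, 1)),
    ]
    return reconcile(employees, accounts, as_of=date(2024, 3, 31))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['user_id']:8} {f['issue']:22} {f['detail']}")
```

The "leaver_still_enabled" finding is the direct test of 8.4.3; the elapsed days tell the auditor whether the leaver procedure is merely slow or absent. The group comparison is the test of 8.4.1 and 8.4.2 and is only as good as the department-to-group matrix, which should itself be a reviewed artefact rather than something reconstructed during the audit.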

8.5 Maintenance and Support


8.5.1 Every maintenance and support access should be logged and monitored.
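Logging maintenance access is only half of 8.5.1; the log must also be reviewed against what was authorised. The following script is an added example, not ISACA's code, showing the monitoring side: it parses constructed log lines in an assumed "timestamp key=value ..." format, checks each login against a hypothetical list of approved maintenance accounts with their UTC maintenance windows, and flags logins by unapproved accounts, logins outside the window, logins without a change ticket, and lines it cannot parse (which are themselves a finding, since a monitor that silently skips lines is not monitoring). The log format, the account names and the windows are assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List

# Hypothetical approved maintenance accounts and their windows (UTC):
# weekday numbers as in datetime.weekday() (0 = Monday), hours as [start, end).
APPROVED: Dict[str, dict] = {
    "vendor_acme": {"days": {1, 3}, "hours": (1, 5)},   # Tue/Thu 01:00-05:00 UTC
}

# Assumed log format (constructed for this example, not a real product's):
#   <ISO-8601 UTC timestamp> key=value key=value ...
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def _in_window(ts: datetime, window: dict) -> bool:
    start, end = window["hours"]
    return ts.weekday() in window["days"] and start <= ts.hour < end


def review_maintenance_log(lines: List[str], approved: Dict[str, dict] = APPROVED) -> List[dict]:
    """Return one finding per policy deviation; lines that pass produce nothing."""
    findings: List[dict] = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        fields = dict(KV_RE.findall(m.group(2))) if m else {}
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ") if m else None
        except ValueError:
            ts = None
        if ts is None or "user" not in fields or "action" not in fields:
            findings.append({"line": n, "user": fields.get("user"), "issue": "unparsable"})
            continue
        if fields["action"] != "login":
            continue                      # only logins are policy-checked here
        user = fields["user"]
        if user not in approved:
            findings.append({"line": n, "user": user, "issue": "unapproved_account"})
            continue                      # no window to evaluate for an unknown account
        if not _in_window(ts, approved[user]):
            findings.append({"line": n, "user": user, "issue": "outside_window"})
        if not fields.get("ticket"):
            findings.append({"line": n, "user": user, "issue": "no_change_ticket"})
    return findings


# Constructed sample log (not captured from a real system).
CONSTRUCTED_LOG = [
    "2024-03-12T02:14:07Z host=db01 user=vendor_acme src=203.0.113.5 action=login ticket=CHG-4411",
    "2024-03-12T03:40:22Z host=db01 user=vendor_acme src=203.0.113.5 action=logout",
    "2024-03-13T03:00:00Z host=db01 user=vendor_acme src=203.0.113.5 action=login ticket=CHG-4412",
    "2024-03-14T02:30:00Z host=db02 user=vendor_acme src=203.0.113.5 action=login",
    "2024-03-14T02:45:00Z host=db02 user=contractor_x src=198.51.100.9 action=login ticket=CHG-4413",
    "garbage line with no timestamp",
]


def sample_review() -> List[dict]:
    return review_maintenance_log(CONSTRUCTED_LOG)


if __name__ == "__main__":
    for f in sample_review():
        print(f"line {f['line']:>3}  {str(f['user']):14} {f['issue']}")
```

In the sample, the Tuesday login with a ticket passes, the Wednesday login is outside the approved window, the Thursday login has no change ticket, the contractor account is not on the approved list, and the last line cannot be parsed. The same structure applies to whatever the real log source is; only the two regular expressions and the window table change.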

8.6 Data Integrity


8.6.1 Reasonable assurance should be provided that antivirus software is installed on every workstation and that its signatures are
regularly updated through a subscription with the selected antivirus vendor.
8.6.2 The operating system and any applicable software vendors should be checked regularly for the availability of patches/updates.
8.6.3 Data back-up should be scheduled regularly, on servers, mainframes and personal computers.

8.7 Access Control to Facilities


8.7.1 Any person entering the organisation facilities should be registered. Employees coming to work during off-hours should sign
a logbook.

8.8 Risk Analysis


8.8.1 A risk analysis aimed at identifying personal data risks and exposures should be carried out on a regular basis.

9. EFFECTIVE DATE
9.1 This guideline is effective for all information systems audits beginning 1 June 2005. A full glossary of terms can be found on
the ISACA web site at www.isaca.org/glossary.


Information Systems Audit and Control Association 2004-2005 STANDARDS BOARD


Chair: Sergio Fleginsky, CISA; ICI Paints, Uruguay
Svein Aldal; Aldal Consulting, Norway
John Beveridge, CISA, CISM, CFE, CGFM, CQA; Office of the Massachusetts State Auditor, USA
Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP; Tangerine Consulting, Italy
Christina Ledesma, CISA, CISM; Citibank NA Sucursal, Uruguay
Andrew MacLeod, CISA, CIA, FCPA, MACS, PCP; Brisbane City Council, Australia
V. Meera, CISA, CISM, ACS, CISSP, CWA; Microsoft Corporation, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA; Ikanos Communications, India
Peter Niblett, CISA, CISM, CA, CIA, FCPA; WHK Day Neilson, Australia
John G. Ott, CISA, CPA; AmerisourceBergen, USA
Thomas Thompson, CISA; Ernst & Young, UAE

 Copyright 2005
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: standards@isaca.org
Web site: www.isaca.org
