

Frontier Views | Facebook Data Exposed Again: Internal Audit Cannot Ignore These Areas

2019-05-24 06:55:00
Richard Chambers
Reposted

Original title: Lessons Internal Auditors Should Draw from the Facebook Data Exposure


Once the darling of social media, Facebook could seemingly do no wrong in the eyes of users and investors. Yet after last year's data scandal, it has recently suffered another setback. Researchers at a cybersecurity firm found Facebook user information readily accessible on cloud computing servers run by Amazon.com (the datasets had been left publicly readable by third-party app developers who had collected the data through Facebook's platform, not by Facebook's own systems).

About a year ago, Facebook was pilloried for the Cambridge Analytica data scandal, in which an app developer shared data on millions of Facebook users with a political consulting firm. Despite assurances from Facebook CEO Mark Zuckerberg that the company would do more to protect user data, lapses such as the one involving data on Amazon's cloud continue to come to light.

From an internal audit perspective, Facebook's predicament offers a clear and compelling lesson: data, once viewed as an asset to be leveraged, must now also be viewed as a potential liability or risk. Demand is growing for stronger protection of data, or more precisely of personally identifiable information (PII), because that information is a treasure trove for marketers, retailers, political campaigns, and others who want to influence what the public thinks and does.

More and more governments are considering legislation that would require data collectors to protect data and ensure privacy. A recent survey by the IBM Institute for Business Value makes clear that the public is demanding the same.

Three quarters of respondents to the IBM survey said they do not trust companies to protect their data. In addition, 87 percent said governments should regulate companies that manage personal data, and 40 percent said senior executives should be fined or imprisoned for failing to protect it (see "The Consumer's Data Anxiety").

In short, data has two faces. Mining and analyzing data is a fundamental step in strategic business decisions: it helps businesses and organizations build models on historical information to predict future behavior. But poorly managed and misunderstood data is a risk, and that risk becomes more pronounced and more complex when a failure to protect data damages the organization's reputation. Indeed, 70 percent of chief audit executives responding to The IIA's 2019 Pulse of Internal Audit survey listed reputational damage from a data breach as their biggest cybersecurity concern.

How does the organization collect, manage, protect, use, and share data? How has it handled past and current practices for data usage and storage? Internal auditors must cultivate and maintain a keen understanding of these questions. To be sure, the list of areas in which internal audit can provide assurance on data is a significant one.

Compliance

From Europe's General Data Protection Regulation (GDPR) to the California Consumer Privacy Act, which takes effect next year, new data protection regulations are quickly forming a complex web of compliance risk. Internal audit must stay abreast of these regulations, and of any potential new ones, and provide insight and foresight on the steps the organization must take to comply.

Operations and processes

Policies and processes governing how data is collected, managed, and protected offer many opportunities for assurance work. One key area of data protection is how data is shared internally and externally. In many organizations, policies and processes designed to protect data take a back seat to those designed to monetize it, which heightens the risk of data breaches.

Strategy

Boards and executive management make strategic decisions based on many factors, including data analytics. Internal audit must provide assurance on both the accuracy of the data and the analysis process itself.

Culture

This is one of the more challenging and least obvious aspects of data risk. Internal audit must understand how the organization's approach to data, and the decisions it makes about data, influence day-to-day operations. More importantly, auditors need to grasp the organization's capacity to adapt to changing data needs. Culture is often defined as "how we do things around here." If "how we do things" disregards the need to protect data, then we have a cultural problem as well.

A 2018 survey by the analyst firm Gartner found that more than 87 percent of organizations are classified as having low business intelligence and analytics maturity. This not only creates obstacles for companies that want to increase the value of their data assets and exploit emerging analytics technologies; it also suggests they understand little about the legal and ethical implications of data usage.

Clearly, internal audit has much to offer on data. CAEs should speak candidly to boards and executive management about the value of assurance in each of the areas listed here, and be prepared to provide that assurance when the opportunity arises.

As always, I look forward to your comments.


[Original text]

Facebook Data Exposure Offers Critical Lesson for Internal Auditors

Richard Chambers, April 8, 2019

Facebook, once the social media darling that could do no wrong in the eyes of users and investors, was hit with another setback recently. Researchers at a cybersecurity firm discovered Facebook user information readily available on cloud computing servers run by Amazon.com.

The revelation comes about a year after Facebook was pilloried for the Cambridge Analytica scandal, where an app developer shared data on millions of Facebook users with a political consulting firm. Despite assurances from Facebook CEO Mark Zuckerberg that the company would do more to protect user data, lapses such as the one involving Amazon continue to come to light.

From an internal audit perspective, Facebook's woes offer a clear and compelling lesson: Data, once viewed solely as an asset to be leveraged, now must be viewed as a potential liability or risk, as well. Demand is growing for greater protection of data, or more precisely, protecting the personally identifiable information that makes such information a treasure trove for marketers, retailers, political campaigns, and others who want to influence what the public thinks and does.

More governments are considering legislation requiring data aggregators to protect data and ensure privacy. A recent survey from the IBM Institute for Business Value makes it clear that the public also is demanding accountability.

Three quarters of respondents to the IBM survey said they don't trust companies with their data. Additionally, 87 percent said governments should regulate companies that manage personal data, and 40 percent said C-level executives should be fined or imprisoned for failing to do so (see "The Consumer's Data Anxiety").

In short, data has taken on a Dr. Jekyll and Mr. Hyde persona. Mining and analyzing data is a fundamental step in strategic business decisions. It helps businesses and organizations build models based on historical information to predict future behavior. But poor data management and a failure to understand what it tells us is a risk. That risk becomes more distinct and complex when failing to protect data damages the organization's reputation. Indeed, 70 percent of chief audit executives responding to The IIA's 2019 Pulse of Internal Audit survey listed reputational damage from a data breach as their biggest cybersecurity concern.

Internal auditors must cultivate and maintain a keen understanding of how their organizations collect, manage, protect, use, and share data. They also must have a handle on past and current practices on data usage and storage. To be sure, the list of areas where internal audit can provide assurance on data is significant.

Compliance. New data-protection regulations — from the General Data Protection Regulation (GDPR) in Europe to the new California Consumer Privacy Act set to go into effect next year — are quickly creating a complex web of compliance risks related to data protection. Internal audit must stay abreast of these regulations, as well as any potential new regulations, and provide insight and foresight on steps that organizations must take to comply.

Operational. Policies and processes addressing how data is collected, managed, and protected offer many opportunities to provide assurance. One key area relating to data protection is how it is shared internally and externally. For many organizations, policies and processes designed to protect data are secondary to those designed to monetize it, which heightens the risk of data breaches.

Strategic. Boards and C-suites make strategic business decisions based on many factors, including data analytics. Internal audit must provide assurance on the accuracy of the data and on the analysis process itself.

Culture. This is one of the more challenging and least obvious aspects of data risk. Internal audit must understand how an organization's approach to and decisions made about data influence day-to-day operations. What's more, auditors need to grasp the organization's capacity to adapt to changing data needs. Culture is often defined as "how we do things around here." If "how we do things" disregards the need to protect data, then we have a cultural problem, too.

A 2018 Gartner survey found more than 87 percent of organizations are classified as having low business intelligence and analytics maturity. This not only creates obstacles for organizations that want to increase the value of their data assets and exploit emerging analytics technologies, it also suggests there is little understanding of the legal and ethical implications of data usage.

Clearly, there is much internal audit can offer relating to data. CAEs should speak candidly to boards and executive management on the value of assurance in each of the areas outlined here and be prepared to provide that assurance when the opportunity arises.

As always, I look forward to your comments.
