Data under surveillance: a government agency blends technology, audit, and investigative techniques to protect confidential information

Internal Auditor, April 2007, by John F. Moynihan

"INSIDER THREAT" EVOKES A VARIETY OF menacing images for internal auditors and others responsible for protecting organizations from malicious or irresponsible acts. With the implementation of new technologies and the expanding dependence on data collection in the public and private sectors, this vulnerability has increasingly become an information security and privacy issue. Recognizing the value of customer data, organizations have focused significant resources on securing the perimeter of their information systems from unauthorized intrusions by implementing sophisticated controls, or firewalls.

Although these data collection innovations have improved efficiency, customer service, and productivity, they also have had unintended consequences. Employees are now able to access vast amounts of highly sensitive financial, medical, education, or credit information for unauthorized, and potentially malicious, reasons. An internal data breach can cause immeasurable damage to an organization's reputation. As custodians of this information, organizations must implement standards governing data access and controls to detect abuse.

Data surveillance is a strategy that allows organizations to safeguard the confidential data critical to their success, without restricting access to information that would impede the key business processes for which it was collected. Data surveillance is the systematic monitoring of information maintained in an automated environment. Internal auditors at the Massachusetts Department of Revenue (MDOR)--which administers the tax and child support laws of the Commonwealth of Massachusetts--use a combination of automated and manual data surveillance techniques to proactively monitor, evaluate, and test individual accesses of confidential financial information stored in databases. MDOR's data surveillance function, referred to as "Transaction Tracking," is a continuous process performed by the Office of Internal Audit's Information Security Unit (INFOSEC), which is part of MDOR's Inspectional Services Division.

Data surveillance programs are not limited to maintaining a record of database transactions. Instead, the surveillance process must be structured, ongoing, and proactive--similar to an audit program of continuous transaction testing and sampling. To be effective, surveillance programs must encompass policy and awareness; monitoring, detection, and investigation; and a structured disciplinary process.
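As an added illustration of the "continuous transaction testing and sampling" idea (example code, not MDOR's Transaction Tracking system), the block below runs two of the techniques the article names over a constructed access log: a rule that flags lookups with no cited or no assigned work item, and a random sample of accesses for which the employee is asked to supply a business reason. The log records, the assignment table and the field names are all assumptions made for the example.

```python
import random
from collections import Counter

# Constructed access log (sample data, not MDOR records): one row per lookup of a
# confidential account, tagged with the work item the employee cited for it.
ACCESS_LOG = [
    {"emp": "e101", "account": "T-5001", "work_item": "W-10"},
    {"emp": "e101", "account": "T-5002", "work_item": "W-10"},
    {"emp": "e101", "account": "T-9999", "work_item": None},   # no business reason cited
    {"emp": "e102", "account": "T-5003", "work_item": "W-11"},
    {"emp": "e102", "account": "T-5004", "work_item": "W-12"},  # W-12 not assigned to e102
    {"emp": "e103", "account": "T-5005", "work_item": "W-13"},
]

# Hypothetical assignment table: work items each employee is authorized to handle.
ASSIGNMENTS = {"e101": {"W-10"}, "e102": {"W-11"}, "e103": {"W-13"}}


def flag_unassigned(log, assignments):
    """Rule-based detection: an access is flagged when no work item is cited,
    or the cited work item is not among the employee's assignments."""
    flagged = []
    for row in log:
        allowed = assignments.get(row["emp"], set())
        if row["work_item"] is None or row["work_item"] not in allowed:
            flagged.append(row)
    return flagged


def sample_for_explanation(log, k, seed):
    """Random sampling: choose k accesses whose employees will be asked to
    explain the business reason; a fixed seed makes a review run repeatable."""
    rng = random.Random(seed)
    return rng.sample(log, min(k, len(log)))


def access_counts(log):
    """Per-employee lookup volume, a simple outlier signal for continuous review."""
    return Counter(row["emp"] for row in log)


if __name__ == "__main__":
    for row in flag_unassigned(ACCESS_LOG, ASSIGNMENTS):
        print("FLAG", row["emp"], row["account"], row["work_item"])
    for row in sample_for_explanation(ACCESS_LOG, 2, seed=2007):
        print("EXPLAIN", row["emp"], row["account"])
    print(access_counts(ACCESS_LOG))
```

In a real program the flagged and sampled rows would be routed to the review unit for follow-up under the disciplinary process the article describes.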

POLICY AND AWARENESS

Before implementing a data surveillance program, it is critical that organizations establish a clear data access policy and notify all employees that violations will result in disciplinary action. Although most organizations currently have policies prohibiting the nonbusiness use of workplace technologies and systems, a separate policy is needed to address access of confidential information for personal reasons. The policy must set forth the prohibitions against accessing data for nonbusiness reasons, provide specific examples of accesses that are prohibited, and emphasize that violations will result in discipline, including termination and potential criminal prosecution.

During the orientation process at MDOR, each new employee is required to review the department's confidentiality policy, sign an acknowledgment that they understand it, and view a "Protecting Privacy" video detailing the consequences of data access violations. The video and other training sessions also inform employees that the monitoring process is ongoing and that they may be randomly required to provide an explanation for accessing a certain account. All employees must also sign an annual reminder acknowledging that they understand the prohibitions and penalties regarding nonbusiness data access. Further, employees are reminded when they log into the network that their activities are being monitored and must be directly related to their official responsibilities.

Implementing a data surveillance program without a well-defined policy and an ongoing awareness program will ultimately breed distrust and cause employees to be apprehensive when using the data systems that are required to perform their functions. The ultimate goal of a surveillance strategy is to deter misuse of personal data and create a culture that promotes maintaining the privacy of information, not to ambush unsuspecting employees who haven't been notified of the relevant prohibitions and system monitoring capabilities. Inadequate notification and awareness measures are serious pitfalls for privacy protection and data surveillance programs. In the early stages of MDOR's monitoring program, independent arbitrators hearing disciplinary appeals were sympathetic to employees disciplined for clear violations of the confidentiality policy on the basis that the agency lacked an ongoing reinforcement of the policy. With increased emphasis on employee awareness and continuous reinforcement, arbitrators have consistently upheld the discipline imposed for access violations.
