Governing information security? Five questions you should ask
by Robert Zaher – KPMG Advisory Manager
20th November 2013
Perhaps you serve on the board of an organisation. Maybe you are a CFO who has inherited an IT oversight role, or a
Chief Executive trying to meet customer and government expectations around privacy and security. Below are five basic
questions you should ask your technical staff. If they struggle to answer, your organisation may be taking on more risk
than it should be. And you are not alone: many New Zealand businesses, large and small, public sector and private, are
wrestling with these questions; some as a result of major privacy or security breaches, and some due to the maturing of
their approach to information management.
Fortunately, there are “quick wins” to improve information security without a great deal of effort or expense. Other
fixes may require a more in-depth and sustainable approach.
Question #1: What information do we have?
It’s a very basic question, but one some organisations have not taken the time to answer. As an organisation grows, it
accumulates vast quantities of information: on paper, on share drives, in databases, in applications.
Most information is meant to be destroyed after a certain period of usefulness. New Zealand organisations are reasonably
good at arranging for the destruction of their paper records, but many are tempted by the prospect of letting the
electronic information live on forever. After all, electronic storage capacity is getting less expensive all the time.
Somewhere in this massive sea of information is your sensitive information, which the next question addresses. However,
it can be a challenge to locate your sensitive information without a comprehensive understanding of what you have.
Recommendation: Invest in conducting an information inventory to get a high-level understanding of what paper and electronic
information you have. Use the results of this activity to inform your information security strategy. Are you collecting
or retaining any information you don’t need?
Question #2: What sensitive information do we have?
There are two types of sensitive information you hold: information your organisation generates, and information
entrusted to you by others. When asked what sensitive information they have, New Zealand organisations quickly finger
the usual suspects: HR records, financial data and executive information. However, sensitive information can hide out in
many other corners of the business.
Some information is commercially sensitive. It is information your organisation should hold close to the vest to
maintain its competitive advantage and achieve its objectives in the marketplace.
Some information is private. Any information that personally identifies an individual should be treated like gold, and
this is where many New Zealand organisations struggle to make the grade. Why would an organisation keep personal details
of its own staff under heavy guard in the HR department, while allowing employees to carry around the personal details
of customers on an unencrypted USB stick? Or send them over personal email? Or store them using personal cloud-based
services?
New Zealand’s Privacy Act applies to both public and private sector organisations, as well as individuals. It’s
everyone’s responsibility to ensure that the private information they have been entrusted with is safeguarded.
Recommendation: Know what sensitive information you have. Make sure it is classified to the proper level. If you are a custodian for
information that is not yours (e.g. customer details, or the commercial information of partner organisations), protect it
at least as carefully as your own. Understand your requirements under the Privacy Act and, if applicable, the Public Records Act. Government
organisations also have to consider their obligations under the New Zealand Information Security Manual (NZISM) and the
Security in the Government Sector (SIGS) guidance.
Question #3: Who has access to our information?
Even for small organisations, this is not an easy question to answer. Although IT and recordkeeping teams might be able
to advise you who has access to sensitive information, and facilitate periodic reviews of access, authorising and
periodically confirming access is a key business function.
Your information is vulnerable to hacking or inappropriate access from inside or outside your organisation. At a
minimum, you should require periodic testing of all your sensitive systems to confirm that they are secured. Vulnerability
assessments and penetration tests are examples. Both give a point-in-time picture, so the value lies in fixing what they
find and retesting, not in filing the report.
When you entrust your information to third-parties, the risks of inappropriate access are increased, which is addressed
with the next question.
Recommendation: Make sure your organisation is using information technology and good recordkeeping practices to restrict access to the
information to those with a need to know. See that it’s the business owners who are responsible for authorising access
and periodically checking that access is correct.
Question #4: A third party has access to our information: is it safe?
You will need to ask this question of the third party, and make sure the answer you get is satisfactory. If you don’t
understand the answer, get a technical, independent opinion on it.
Whether you store your information in the cloud halfway across the world, or at a third party data centre down the
street, you have the same responsibility for it as if it were within the walls of your own building. No matter what the
contracts say, or what third parties promise you, you cannot outsource your responsibility for information security.
Third parties have a commercial interest in getting you to trust them. Beware of third parties who try to convince you
your information is secure without being able to answer basic questions such as Question #3. You can have
confidentiality clauses in the contract, but that’s not enough. The best validation is independent validation. Has the
third party gone through any independent testing for security? Can they show you the results? Can they provide you with
a certification or assurance opinion, such as the type issued under a standard like ISAE NZ 3402, to demonstrate that
they are managing controls effectively? Read the scope of any such report: it covers only the services, controls and
period it names, so check that these match the service you actually rely on.
If the third party is a cloud provider, there is an even greater risk. Do you know what country your information is
being sent to? Who can access it there? What laws apply to it? Is it going to be available when you need it?
If you hire contractors who have access to your information, make sure they follow the same security procedures as your
own staff.
Recommendation: If you are entrusting your information to a third party, make sure they prove to you they meet your standards for
security. Ask third parties to provide you with assurance from an independent, credible source that your information is
secure.
Question #5: What’s our culture of information security?
Ask whether information security is part of your organisation’s culture. Are there policies and procedures covering the
security of both paper and electronic records? Does management have a strategy for how it uses and protects information?
Are information risks managed properly?
You can simply walk through your workplace and look around to get a feel for the security culture. Are staff walking
away from their computers without locking the screen? Are they sending information over personal email? Are they walking
out the door with files or USB sticks containing sensitive information? Are they using unapproved smart phones or cloud
services to store or transfer information?
Examine how your employees handle passwords. Do you see any passwords on sticky notes attached to monitors or desks? Is
the wireless password posted where customers can see it?
Expect that staff and contractors will treat information casually unless they are told how they are expected to secure
it.
Recommendation: Make sure management sets expectations for security through policy and procedures and recurring security training.
Don’t be hesitant to enforce these expectations. See that IT is working with the business to provide solutions that work
for their business needs, but that still provide for security.
In summary:
While there are many technical guides on how to best implement information security, the fundamental principles of
effective information security management are based on common sense. If you can ask, and get reasonable answers to the
five basic questions above, you will have gone far in ensuring that your organisation does not make the headlines for
the wrong reasons.
Robert Zaher (CISA, CFE, CIA) is a Manager in KPMG’s Advisory division, based in Wellington. He has 19 years combined
experience in regulation, investigations and internal audit. He specialises in helping private and public sector clients
secure their information assets.
About KPMG New Zealand
KPMG is focused on fuelling New Zealand’s prosperity. We believe by helping New Zealand’s enterprises succeed, the
public sector do better and our communities grow, that our country will succeed and prosper.
KPMG is one of New Zealand’s leading professional services firms, specialising in Audit, Tax and Advisory services. We
have close to 900 professionals and 72 partners who work with a wide range of New Zealand enterprises – from privately
owned businesses, to publicly listed companies, government organisations, and not-for-profit bodies. We have offices in
Auckland, Wellington, Christchurch, Hamilton, Tauranga and Timaru.
Globally, KPMG operates in 156 countries, employing 152,000 people in member firms around the world. The independent
member firms of the KPMG network are affiliated with KPMG International Cooperative (“KPMG International”), a Swiss
entity.
ENDS