What every internal auditor should know about assessing plans for what to do when there's a data breach


No organization is 100 percent safe from hacks, cybercrime, or boneheaded employee actions that can expose the company to data breaches. Most companies have shifted from a purely prevention mindset to a risk-based approach to cybersecurity backed by a robust incident response plan. Yet too often that plan isn't updated, assessed, and regularly tested for effectiveness. That's where internal audit comes in. Internal auditors have a large role to play in ensuring that the incident response plan is up to snuff and functioning properly.

In this podcast, Joseph McCafferty, head of audit content at MIS Training Institute, talks with Jose Tabuena, a former compliance and internal audit executive at such companies as Orion Health and Texas Health Resources who now consults on data privacy and security.

According to Tabuena, companies are relying on internal audit to bring its assessment and evaluation skills to the incident response planning process. "Internal audit should play a larger role in providing assurance over incident response. It needs to be more than assuring an incident response plan is in place and that it has been tested," he says. "I think internal audit can play a more critical role in evaluating the details of the plan and looking at whether it is going to operate as effectively as the information security folks say that it does."

Tabuena says that internal audit can also provide more input up front in the development of the plan and leverage its planning, project management, and process-building skills. "They may be involved in development of the plan, but at a minimum, they must be more critical in reviewing whether or not the plan is effective the way it is written and the way that it is intended to operate," he says.

He adds that even if internal audit doesn't lead the testing of the company's incident response plan, it should be making sure those tests are taking place and observing them to ensure that the plan is working well. "My overall experience is that many organizations haven't really tested the plan fully," says Tabuena. "They may have a good plan in place, but without testing it fully there is no way to know how it will work when something happens and the company needs to put it in action."

To hear Tabuena's views on how internal audit can do more to ensure that a good incident response plan is in place and functioning well, click on the link below.


Length: 20 min. 40 sec.
Size: 18.09 MB