Compliance and data: allies or foes?
Data is at the heart of business activities because it represents the foundation of all functions: workforce data in the human resources department, sales figures for accounting, market data for managing investor portfolios, or manufacturing plans in factories. Its integrity, completeness, availability and confidentiality are therefore structuring elements for companies. How, then, can a company ensure that the processing of data, whatever its nature, remains an engine of business performance without risking harm to its activity?
Data quality and compliance
The compliance function is not spared and remains at the center of a system ensuring data quality. First, note that each level of control usually defined in organizations can only be exercised, at least partially, through data analysis, whether by operational staff carrying out first-level controls, by management control performing second-level controls, or by internal audit for third-level controls. The "quality" of the data is therefore critical to ensuring that the controls carried out are relevant and achieve their objectives.
Let us take the example of the accounting control procedures required by article 17 of the Sapin 2 law. If incomplete or inaccurate data are used during controls, bad decisions will be made by operational staff, managers and auditors alike. The quality of the controls therefore also lies in the raw material used, i.e. the data, in addition to the quality of the control procedures themselves.
In addition, let's not forget that the data itself can also be subject to specific regulations. Take the General Data Protection Regulation (GDPR), for example. The protection of personal data, i.e. its confidentiality, completeness, integrity and availability, is at the heart of the regulation, which requires those who process such data to take special precautions. Here again, the role of compliance is to ensure that its company complies with the rules that apply to it in this area.
Finally, data specific to your company and your employees, such as emails or financial data, could be seized by regulatory authorities, such as the Autorité des marchés financiers, during an investigation. The famous audit trail, touted by so many publishers of compliance support solutions as meeting the traceability requirements of regulators, is also, in the end, a set of data.
In these three situations, the issue of data quality is omnipresent for companies. One way to address it is to implement an internal control system suited to information systems (IS), which will provide reasonable assurance on the integrity, completeness, confidentiality and availability of your data.
First of all, an internal control system for managing access to your IS will be needed. This is the principle of confidentiality: restricting access to the systems to the employees who need it within the scope of their responsibilities.
To do this, an access management process must be set up, comprising, at a minimum, a separation of tasks between the person approving the request and the person granting the access, for example the line manager and a member of the IT department. These same controls must be carried out just as rigorously for system administrators, even if they are part of the IT department: their access being particularly extensive, and therefore riskier for the IS and by extension for the company, it must be well controlled. The goal here is to ensure that the data is complete and accurate by protecting the IS from malicious intentional access or handling errors that would result in unexpected data changes or deletions.
IS security also encompasses the proper separation of "business" tasks. The IT department is the function that manages access to the IS, but the segregation-of-duties matrix, which sets out the authorized accesses by position and employee, must be defined by the business lines. This matrix will be valuable during a periodic access review (for example annually) to ensure that users' access privileges remain in line with their responsibilities. Indeed, during internal mobility, access privileges are not always correctly adjusted, creating segregation-of-duties conflicts.
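The matrix-driven review described above can be automated. The following is an added example, not code from the original article: it encodes a business-defined segregation-of-duties matrix (which roles each position may hold), a list of role pairs one person must never combine, and runs a periodic access review over constructed user records, flagging both conflicts and roles that no longer match a user's current position (the internal-mobility case). Positions, roles, conflict pairs and users are all constructed sample data.

```python
"""Segregation-of-duties matrix check and periodic access review (added example)."""
from dataclasses import dataclass

# Business-defined matrix: roles each position is allowed to hold (constructed).
SOD_MATRIX = {
    "purchasing_officer": {"create_purchase_order"},
    "purchasing_manager": {"approve_purchase_order"},
    "accountant": {"post_invoice"},
    "treasurer": {"release_payment"},
    "line_manager": {"approve_access_request"},
    "it_admin": {"manage_user_accounts"},
}

# Role pairs a single person must never hold together (constructed). The last
# pair mirrors the approver/grantor separation for access requests.
CONFLICTING_ROLES = {
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"post_invoice", "release_payment"}),
    frozenset({"approve_access_request", "manage_user_accounts"}),
}


@dataclass
class User:
    login: str
    position: str       # current position after any internal mobility
    roles: set          # roles actually provisioned in the IS


def sod_conflicts(roles):
    """Return the conflicting role pairs present in one person's entitlements."""
    found = [tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= roles]
    return sorted(found)


def excess_roles(user):
    """Roles held that the matrix does not grant to the user's current position.

    An unknown position grants nothing, so every role it holds is flagged.
    """
    allowed = SOD_MATRIX.get(user.position, set())
    return sorted(user.roles - allowed)


def access_review(users):
    """Periodic review: findings per login, only for users with at least one issue."""
    findings = {}
    for user in users:
        conflicts = sod_conflicts(user.roles)
        excess = excess_roles(user)
        if conflicts or excess:
            findings[user.login] = {"sod_conflicts": conflicts, "excess_roles": excess}
    return findings


# Constructed sample population. alice was promoted from officer to manager but
# kept her old role; carol's admin account also holds an approver role.
SAMPLE_USERS = [
    User("alice", "purchasing_manager", {"create_purchase_order", "approve_purchase_order"}),
    User("bob", "accountant", {"post_invoice"}),
    User("carol", "it_admin", {"manage_user_accounts", "approve_access_request"}),
]

if __name__ == "__main__":
    for login, issues in access_review(SAMPLE_USERS).items():
        print(login, issues)
```

Running the review on the sample population flags alice (a conflict plus a role her new position does not allow) and carol (an approver role combined with account administration), while bob is not reported. In practice the user records would be exported from the directory or the application's role tables, and the matrix maintained by the business lines as the article recommends.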
On the other hand, these access controls will not be enough to protect your IS if the front door is not locked or is poorly protected. The standard requires a unique account for each user, to ensure accountability of actions in the systems; combined with a password policy in line with market standards, or more restrictive, this will partially close breaches. Likewise, strong authentication with three factors should be implemented for administrators.
Finally, where technically possible, logging of security events will have to be activated. However, to avoid drowning in a tsunami of events to review, the CISO will have to identify the critical security events that require proactive investigation and distinguish them from those that can be reviewed periodically.
Take the example of creating an administrator account. This type of event, deemed critical, if properly traced in the access management process, will give rise to an immediate, reactive review, made possible by its low frequency of occurrence.
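The triage described in the two preceding paragraphs, as an added example that is not part of the original article: security events are split into those needing immediate review (privileged account creation or privilege grants) and those left for periodic review, and each immediate event is cross-checked against the access-request register so that an administrator account without an approved request stands out. The log format, the event names, the group names and the register entries are all constructed for the example; a real deployment would map them onto the directory's own audit events.

```python
"""Security-event triage with cross-check against the access register (added example)."""
import re

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z event=LOGIN_FAILED actor=bmartin host=fin-app01
2024-03-04T08:15:42Z event=USER_CREATED actor=itops.lee target=j.durand groups=Staff ticket=ACC-2201
2024-03-04T09:01:07Z event=USER_CREATED actor=itops.lee target=adm.durand groups=Administrators ticket=ACC-2207
2024-03-04T09:30:55Z event=GROUP_ADDED actor=svc_deploy target=tmp_ops groups=Domain_Admins
2024-03-04T10:12:19Z event=PASSWORD_CHANGED actor=j.durand target=j.durand
"""

# Constructed access register: approved ticket -> (target account, granted group).
ACCESS_REGISTER = {
    "ACC-2201": ("j.durand", "Staff"),
    "ACC-2207": ("adm.durand", "Administrators"),
}

# Groups whose membership makes an event critical (constructed names).
ADMIN_GROUPS = {"Administrators", "Domain_Admins"}
PRIVILEGE_EVENTS = {"USER_CREATED", "GROUP_ADDED"}
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_critical(event):
    """Account creation or group grant into an administrative group is critical."""
    return event.get("event") in PRIVILEGE_EVENTS and event.get("groups") in ADMIN_GROUPS


def approval_status(event, register):
    """Match a critical event to an approved request for the same account and group."""
    ticket = event.get("ticket")
    if not ticket:
        return "no_ticket"
    if register.get(ticket) == (event.get("target"), event.get("groups")):
        return "approved"
    return "ticket_mismatch"


def triage(log_text, register):
    """Return events grouped into immediate review and periodic review."""
    result = {"immediate": [], "periodic": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if is_critical(event):
            event["approval"] = approval_status(event, register)
            result["immediate"].append(event)
        else:
            result["periodic"].append(event)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ACCESS_REGISTER)
    for ev in report["immediate"]:
        print("IMMEDIATE", ev["ts"], ev["event"], ev["target"], ev["approval"])
    print(len(report["periodic"]), "events left for periodic review")
```

On the sample, the administrator account adm.durand is traced to an approved request and can be closed quickly, whereas the addition of tmp_ops to Domain_Admins carries no ticket at all and is the event the CISO's team investigates first. Failed logins and self-service password changes remain in the periodic pile, which is what keeps the immediate queue short.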
Patch installations, software upgrades to later versions and system changes must also be subject to processes framed by controls. Indeed, changes to applications imply changes in the data-processing rules. It is therefore important to ensure that the changes proposed by software vendors are necessary, and that they do not alter what already exists or lead to side effects, known as "regressions".
To do this, there are several levels of testing (unit, integration, non-regression, IS security and user acceptance tests) to ensure that the change implemented in the production environment corresponds to expectations. Each critical decision in the change management process (development, migration to the production environment, etc.) will require formal approval to ensure that each milestone has been studied and taken into account.
The principles of segregation of duties must also be respected between those who request the change (e.g. the business lines), those who develop it (e.g. the IT department's development teams, service providers, software vendors) and those who approve the release (the change management committee).
Finally, another aspect of data management is availability. This covers backups, or the real-time replication of production environments, for example. These mechanisms help ensure that data is available in a timely manner and can be restored when necessary. The corresponding controls can include monitoring of backups, to ensure they run correctly, as well as failover or data restoration tests, to ensure that the production environment can be rebuilt in the event of an incident.
Obviously, the nature and extent of the controls to be put in place should depend on the criticality of the systems and data in question, and be implemented on the applications as much as on the databases and operating systems. This system of controls for the IS will contribute not only to achieving the company's compliance objectives, but also to its operational efficiency objectives, by protecting its systems and data.
This ultra-digital world in which we operate, where data is omnipresent and IS are critical, has not yet finished its transformation: 5G is expected in 2022 to revolutionize the performance of the digital world, meeting the challenge of machine-to-machine technologies by connecting factories, enabling autonomous driving or generalizing tele-surgery. At the dawn of its advent, which is also the subject of passionate debate within our political class, it is imperative to put in place the measures that will allow us to make the right decisions about the management of our data, given its pervasiveness.