Third Party Audit Reports as the New Trust Currency

Charles Cresson Wood
Author: Charles Cresson Wood, JD, CISA, CISM, CGEIT, CIPP/US, CISSP
Date Published: 30 January 2023

The existing ways in which organizations review third parties (such as cloud service providers) are missing a critical factor. They lack a barometer that shows the corporate culture, the tone at the top or the organizational leadership’s attitude toward internal controls. The tools commonly used to review third-party organizations, such as a review of documented information security and privacy policies and procedures, a review of the organization’s past breach history as reflected in public disclosures, a review of security certifications, a review of questionnaire responses, an audit (sometimes) of the answers given in those questionnaires and a review of references, do not indicate whether organizational leadership is truly committed to a strong information security and privacy program.

This tone at the top is critical because it determines the attitude and approach that the rest of the organization, and its affiliates, will take. The importance of tone at the top was highlighted during the 2002 US Congressional hearings on the Sarbanes-Oxley Act (prompted by the Enron and WorldCom scandals). An independent third party can quickly examine the tone at the top through a compliance audit process.

Such a compliance audit process can generate a new trust currency, a way to quickly and unequivocally give third parties confidence in an organization’s overall ability to manage and govern information security and privacy. This audit process involves the use of an independent attorney. Such an attorney, a lawyer auditor, first compiles an independent collection of all the laws, regulations, court decisions and contracts with which the directors and officers of the organization in question must comply. The lawyer auditor then determines whether the directors and officers of the auditee organization have fulfilled the minimum fiduciary duties required by law and by this set of requirements. The evidence examined is at a high level, and it typically includes the crisis management system, the third-party breach-related communications system, the internal compliance reporting system and the risk management system. The result of this type of compliance audit, which I call a duties audit, is a one-page professional opinion stating whether the directors and officers are, in all material respects, compliant.

At least the first time it is performed, this type of compliance report can be used strictly for internal purposes, for example, to inform directors and officers of the remedial actions still needed in order to obtain a fully compliant professional opinion in the future. In addition, using this audit process internally generates evidence that may later be used in court to show that the organization or its directors and officers are not at fault.

However, when shared with third parties, this type of audit also is a powerful way to obtain trust. Such a compliance audit is warranted for any high-impact value transaction (mergers and acquisitions, major infusions of capital and major loans), high-criticality relationship establishment and renewal (outsourcing contract signing, business partner contract signing and the annual renewal of such contracts) and high-consequence data exchanges (disclosure of trade secrets to a third party, or connection of information systems to an outside organization, when national security information is handled). Such an audit can be performed in a few weeks, so it can readily be built into the process for closing a major transaction, for example, as part of the due diligence performed by a venture capital firm considering investing millions of dollars in a company.

This audit process is an excellent candidate for a trust currency, a widely recognized and standardized token by which trust in a particular organization can be measured. Because it is modeled on the existing process that certified public accountants (CPAs) use when examining the financial condition of publicly traded companies, this new process benefits from the decades of practical experience surrounding the financial audit process, and it can therefore be placed into service immediately.

Such a duties audit is also universally applicable. Every organization must meet the minimum requirements of the law and therefore needs to meet the audit criteria used in this compliance audit process. This means that the results can be used as a universal threshold condition for decision-making purposes (e.g., whether to enter into, or perhaps renew, a contract with a certain organization).

The results of a duties audit are also easy to understand because the concept of compliance with legal obligations is readily grasped by anyone. The rating system employed (basically compliant versus noncompliant) is simple and does not require training, explanation or supplemental caveats.

To further foster trust in the process, the lawyer auditor performing the compliance audit process must be truly independent. They must meet the highest independence screening criteria set by both CPAs and attorneys. Since so much is at risk personally for the lawyer auditor (i.e., they could lose their license to practice law if there was an ethics violation), this independence is important.

The duties audit approach is also standardized because it uses the existing procedures that attorneys must follow to deliver a professional opinion letter. Because the duties audit process is standardized, the people receiving the report can readily determine what steps were taken to generate the professional opinion. This standardized process, accompanied by a standardized professional opinion, enables the professional opinion to be relied on as a trigger for smart contracts and to generate cumulative attestations. For example, a single outsourcing organization can provide its customers with a professional opinion that incorporates similar professional opinions from its subcontractors and business partners, all rolled up into a unified statement of legal compliance.

However, it is important that the generation of such an audit report does not jeopardize business decisions or inappropriately change business processes. Because businesses should be compliant with the minimum required by law anyway, all that this audit process does is bring third-party scrutiny to internal activities related to compliance. Although anticipatory changes may be made before such a compliance audit is performed, these changes only bring the auditee organization to where it should be anyway. A related beneficial side effect is that it motivates directors and officers to maintain full compliance year after year and, in that regard, helps make sure that information security and privacy budgets are adequate (at least in the eyes of the law). This is because the results of the audit process act as a counterbalance that restrains the dominant force of financial metrics.

This trust currency audit process must also avoid activities that could jeopardize the auditee organization’s systems or data. For example, the audit activities must not crash production systems that generate revenue for the organization. The duties audit process meets this requirement because all the usual controls surrounding third-party risk assessments apply (e.g., nondisclosure agreements). But there are special additional benefits to using an attorney as the lawyer auditor. When an attorney does this work, they also bring attorney-client privilege and the attorney work product doctrine to the project, and the work can be structured so that these legal protections prevent the details of the work from being disclosed to anyone, even in court.

For these reasons, using the minimum required by law as the barometer for a compliance audit of the actions taken by directors and officers in the area of information security and privacy is a good candidate for a new trust currency.

Editor’s note: For further insights on this topic, read Charles Cresson Wood’s recent Journal article, “Adding a New KPI to Determine Whether Directors and Officers Have Met Their Legal Duties,” ISACA Journal, vol. 6, 2022.