Barcelona City Council | Capital humà

Get to know this occupation

Other denominations

Computer security and personal data protection auditor

Description

Computer security auditors verify that security and control measures for computer systems comply with regulations on data protection. These professionals must identify deficiencies and propose corrective or supplementary actions. To practise this profession, professionals must have extensive knowledge of information and communications technology (ICT) and of the applicable legislation: Organic Law 15/1999, of 13 December, on the Protection of Personal Data (Personal Data Protection Act) and regulations derived therefrom. Auditors are obliged to keep everything they see confidential, and they may not audit a company with which they have any sort of business, family or other relationship.

Tasks

Of the various tasks performed by computer security and personal data protection auditors, the main two are: verifying data protection systems using the procedures used to manipulate them; and verifying the security of logical systems (software) and physical systems (hardware, computers, premises, etc.). It should be noted that, although tasks are the same for any information system, the difficulty lies in the specific characteristics of every system (number of users, work platform, number of records).

Thus, computer security and personal data protection auditors:
  • Verify compliance with laws applicable to the computer field, with regard to protection of personal data, of email, of certification service suppliers, etc.
  • Verify that procedures required by the data protection system requested by legally applicable regulations have been completed and are applied correctly.
  • Confirm that files held at the Data Protection Agency have been reported.
  • Verify the level of security assigned to the information system in connection with data it stores.
  • Check that the security document has been developed and implemented. Regulations stipulate that security standards (such as requests for access, rectification or cancellation of data) should be contained in this document.
  • Confirm that consent is obtained from persons providing data. Persons providing data to the company must be informed and their permission must be requested.
  • Verify that data is communicated to third parties. Regulations stipulate how data held may be transferred to third parties (natural or legal).
  • Verify that records are kept of incidents that have occurred with the company's information system. For example, monitor if a person requests that his or her data be erased from the database, if he or she requests to consult his or her data or if he or she wants to modify them.
  • Check the security of data. Auditors check that the information system organised by the company guarantees the security and integrity of data and, in particular, verify that data cannot be altered, lost, processed or accessed by unauthorised parties. To do so:
    • Analyse the type of system used (network, servers, personal computers, etc.).
    • Check the security of remote connections to the system. If access is through a communications network, it should guarantee a level of security equivalent to local access.
    • Verify that the security measures associated with each file security level are suitable and fulfil their planned functions, such as:
      • The procedure for assigning passwords to staff authorised to work with the system.
      • Control of access to data by people in the company, based on what has been defined in the security document.
      • Management of storage media (tapes, disks, CDs, DAT tapes, etc.) on which information is kept.
      • The system for backups and data retrieval, which must guarantee that data is retrieved if there is an incident with the information system.
      • The record system; what is required depends on the security level.
  • Compare the situation of the audited company with the jurisprudence of sanctions applied by Data Protection Agencies.

Centre per al desenvolupament professional Porta22

Barcelona Treball (Porta22)