Inventory – A significant challenge for many firms is locating
unstructured data. Our experts will combine interviews with
data governance tools to help uncover unstructured data often
lost in the vast crevasses prevalent on most networks today.
A regulatory nexus is then applied to the resulting inventory
to identify the applicable state, country or industry
regulations.
Classification – The results of the inventory will be analyzed
to determine document data classifications. These data
classifications are used to help identify, secure, share,
retain and securely destroy your data.
Mapping data flow – Upon gaining an understanding of the
systems used, along with the associated access, our experts
can map the flow of data into, around and out of your
organization, pinpointing the inherent risks.
Risk assessment – Risk comes in a variety of forms (e.g., IP
theft, regulatory, reputation, litigation), all of which must
be evaluated when considering the proper controls required for
mitigation. Prioritized risk maps are used to illustrate
assessed risk, taking into account the data sensitivity, the
regulations and how the data is accessed, stored and shared.
Technology assessment – Armed with a keen understanding
of your business, workflow and technology, our team is
in a strong position to recommend technology improvements
to both enhance security and improve efficiencies, including
data loss prevention and document management.
Remediation – Our team will guide firms through the remediation
of all the required elements that make up a quality data
management program including, but not limited to: policies
and procedures, technology / infrastructure changes and
training programs.
Monitoring – We help our clients design and deploy a full
complement of manual and system-based monitoring controls,
tailored to the inherent risks of their various data stores.
This includes leveraging system controls from your present
infrastructure when possible and/or identifying data loss
prevention utilities and applications.
Attestation (optional for service providers) – Many service
providers have custody of data that is considered to be
sensitive, confidential, and/or personal in the context of
personally identifiable information ("PII"). Service providers
often need to provide independent reporting to their clients
and prospects that gives assurance that they have deployed
and effectively manage controls to safeguard the data. We have
extensive expertise in AICPA Service Organization Controls and
can provide guidance on how your service organization can
leverage these reporting options to improve its own governance
and provide the reporting its clients and prospects need.