Delivering on Specific Audit Requirements

Test to Ensure Records are Correctly Located

Target Behaviour

Compliance to written policies for record location is not being actively monitored.

Directive

Tests must be performed to confirm that users and Data Stewards are correctly locating files containing PII or PCI data according to standards.

Policy Requirements

Tests must be performed on a weekly basis to ascertain if files suspected to contain PII or PCI data is being stored in SharePoint sites or OneDrive for Business file stores.
Presence of ‘customer numbers’, ‘employee numbers’, ‘supplier numbers’, social security numbers, credit card numbers will signify a failed test.
Results of each test are sent to Records Managers.
Tests will be performed on a monthly schedule and available to Record Managers and Data Security personnel to run on an adhoc basis.

Workflow for Responding to Legal Hold Requests

Target Behaviour

Requests to place data related to specific people, projects, products or cases on Legal Hold are being poorly fulfilled. A lack of sufficient insight into data content is leading to unnecessarily large volumes of data being quarantined and to relevant data being excluded.

Directive

A scientific method of identifying files that should be subject to legal hold is required. The organization is exposed to unnecessary (and significant) infrastructure and services costs when excessive data is placed on legal hold. Similarly, the organization is failing to fulfil its legal obligations when relevant files are missed. The ability to query file content and identify the presence of relevant strings is necessary.

Policy Requirements

Legal announces that all data connected to a person, company, case, etc. should be placed on legal hold.
IT identifies the Data Stewards (Business Unit Managers, Department heads, Records Managers, etc.) that should be involved, and creates the quarantine location with relevant permissions, retention policy, etc.
Data Stewards provide lists of the data repositories that should be scanned (text-mining) for files connected to the person, company, case, etc. Scans are configured and executed.
Data Stewards receive notification when data is collected and review file lists – moving relevant files to quarantine.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.