So, I just finished the privacy audit and had some issues...surprise. Anyway, the Privacy Officer does not believe that the Data Classification issues belong in his audit report. They have been in there before; it is just that there are some repeat issues which make his audit rating worse. Now, in order for me to revise the report so that he can't argue with me, I need some further information.
Is information security training REQUIRED? I know privacy training is suggested to be ongoing...but we have not had info security/data classification training in quite some time. Regular Reg. P training has occurred.
I am starting to get really frustrated with this audit. I am tired of management constantly dancing around repeat issues and then saying that it shouldn't be a MAJOR FINDING. Our grading policy states that a major finding is anything that is a repeat, includes violations of bank policy, improper accounting procedures, violations of internal control and security problems, violations of regulations, potential loss of income, extreme deviations from the expected error rate on sample testing, and wasteful use of assets. The PO is arguing that this is NOT a violation of law and therefore should not be a repeat!
Sorry for the rant.......but thanks for listening.