TxDOT Internal Audit Consulting Engagement Report
Data Classification
Objective
Provide recommendations for the establishment of a department-wide data
classification policy, based on industry best practices and regulatory considerations.
Conclusion
The creation and implementation of a data classification policy by the Information
Technology Division (ITD) would help protect and manage data, increase efficiency,
optimize security resources, reduce the risk of data loss, and continue its
progression towards becoming best in class.
Statement of Work
The Chief Information Officer and the Chief Audit Executive agreed for the Audit Office
to facilitate the Data Classification consulting engagement.
Engagement team members included Julie Atchison, Milan Hawkins, Robert Juarez,
Sabra Vaughan and Raymond Martinez (Engagement Lead). Work was performed
during the period from April to June 2013.
Work agreed to be performed included a review of 1) current department policies and
regulations and 2) external data classification articles and benchmarking information
to help establish the recommended criteria for developing a data
classification policy. The engagement also included the collaborative development of a
training shell that could be used to promote awareness and education of the policy.
Background
This report has been prepared for the Chief Information Officer and the Chief Audit
Executive based upon the agreed-upon objectives and procedures to be performed.
This consulting engagement is part of the FY 13 Annual Audit Plan.
All work was conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing. Safeguards were also implemented by the
Audit Office to eliminate or reduce threats to independence as they related to
Generally Accepted Government Auditing Standards (GAGAS) for the non-audit
(advisory) services work performed. The nature and scope of the engagement have
been agreed upon with management and are sufficient to achieve the agreed-upon
objectives. Results of the review, including governance, risk management, and
internal controls, were considered as part of the ongoing risk assessment.
The Texas Government Code (TGC) and Texas Administrative Code (1 TAC Chapter 202)
require the department to protect its data from unauthorized use and disclosure. The TAC
also requires the department to perform a risk assessment to identify the level of risk
associated with the data (e.g. high, medium or low). The department has policies in place to
meet these requirements; however, the department does not have a department-wide policy
for classifying data into established categories to help all employees properly manage and
protect the data.
Results
The engagement team reviewed the TxDOT Information Security Manual, TGC, and
TAC (1 TAC Chapter 202) to identify the requirements associated with the
management and protection of data. The team performed industry research which
included analysis of data classification publications from various computer and audit
resources and a review of twenty sample data classification policies from other state
agencies, a Department of Transportation, institutions of higher education, and private
sector companies.
Independent research demonstrated the potential financial impact of data
management: data breach incidents in 2012 cost companies in the United
States $194 per compromised record, and the average total cost per company that
reported a data breach was $5.4 million. Further research showed that a leading
provider of storage and information management services found that even a modest
improvement in information management can return an average of $42,000 in annual
savings.
The engagement team, in collaboration with ITD, developed a recommended data
classification policy and training shell. This policy includes the following elements that
are considered best practices – benefits, classification categories, security, roles and
responsibilities, risk analysis, training and education, records management, and
governance. The training shell can be used to develop a training class to help
promote awareness and education of the policy. Both of these documents were
provided to the Chief Information Officer.
Recommendations
We recommend that the Chief Information Officer work with the TxDOT Administration
to champion an effort to develop a data classification policy for all of TxDOT. The
recommended data classification policy and training shell developed can be used to
initiate this effort across other districts, divisions, and offices.
Closing Comments
The engagement team would like to thank those individuals from the Information
Technology Division for their time and cooperation.
August 21, 2013