TxDOT Internal Audit Consulting Engagement Report
Data Classification

Objective
Provide recommendations for the establishment of a department-wide data classification policy, based on industry best practices and regulatory considerations.

Conclusion
The creation and implementation of a data classification policy by the Information Technology Division (ITD) would help protect and manage data, increase efficiency, optimize security resources, reduce risk and loss of data, and continue the division's progression towards becoming best in class.

Statement of Work
The Chief Information Officer and the Chief Audit Executive agreed for the Audit Office to facilitate the Data Classification consulting engagement. Engagement team members included Julie Atchison, Milan Hawkins, Robert Juarez, Sabra Vaughan and Raymond Martinez (Engagement Lead). Work was performed during the period from April to June 2013.

Work agreed to be performed included a review of 1) current department policies and regulations and 2) external data classification articles and benchmarking information, to help establish the recommended criteria for developing a data classification policy. The engagement also included the collaborative development of a training shell that could be used to promote awareness and education of the policy.

Background
This report has been prepared for the Chief Information Officer and the Chief Audit Executive based upon the agreed-upon objectives and procedures to be performed. This consulting engagement is part of the FY 13 Annual Audit Plan. All work was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. Safeguards were also implemented by the Audit Office to eliminate or reduce threats to independence as they relate to Generally Accepted Government Auditing Standards (GAGAS) for the non-audit (advisory) services work performed.

The nature and scope of the engagement have been agreed upon with management and are sufficient to achieve the agreed-upon objectives. Results of the review, including governance, risk management, and internal controls, were considered as part of the ongoing risk assessment.

The Texas Government Code (TGC) and Texas Administrative Code (1 TAC Chapter 202) require the department to protect its data from unauthorized use and disclosure. The TAC also requires the department to perform a risk assessment to identify the level of risk associated with the data (e.g. high, medium or low). The department has policies in place to meet these requirements; however, the department does not have a department-wide policy for classifying data into established categories to help all employees properly manage and protect the data.

Results
The engagement team reviewed the TxDOT Information Security Manual, TGC, and TAC (1 TAC Chapter 202) to identify the requirements associated with the management and protection of data. The team performed industry research, which included analysis of data classification publications from various computer and audit resources and a review of twenty sample data classification policies from other state agencies, a Department of Transportation, institutions of higher education, and private sector companies.

Independent research demonstrated the potential financial impact of data management: data breach incidents in 2012 cost companies in the United States $194 per compromised record, and the average total cost per company that reported a data breach was $5.4 million. Further research showed that a leading provider of storage and information management services found that even a modest improvement in information management can return an average of $42,000 in annual savings.

The engagement team, in collaboration with ITD, developed a recommended data classification policy and training shell. This policy includes the following elements that are considered best practices: benefits, classification categories, security, roles and responsibilities, risk analysis, training and education, records management, and governance. The training shell can be used to develop a training class to help promote awareness and education of the policy. Both of these documents were provided to the Chief Information Officer.

Recommendations
We recommend that the Chief Information Officer work with the TxDOT Administration to champion an effort to develop a data classification policy for all of TxDOT. The recommended data classification policy and training shell can be used to initiate this effort across other districts, divisions, and offices.

Closing Comments
The engagement team would like to thank those individuals from the Information Technology Division for their time and cooperation.

August 21, 2013