Purpose
Compliance with this Policy and related USG BPM sections can be the subject of an institution, system, or state audit. Georgia Tech must maintain records not only of documentation explicitly referenced in the Policy and the corresponding guidelines, procedures, and resources but also of general evidence that Georgia Tech is in compliance.
Related Policies
Data Governance and Management Policy
Related Guidelines, Procedures and Resources
- Data Governance and Management Policy Guideline
- Data Governance Structure
- Data Domains
- Data Management Categorization
- Data Protection Categorization
- Data Regulation Categorization
- Data Protection Safeguards
- Protected Data Practices
- Systems Inventory
- Data Element Dictionary
- Access Procedures
- Separation of Duties
- Regulatory Compliance
- Training
- Monitor
Definitions
Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.
Audience
Responsible | Internal Auditing |
---|---|
Accountable | Data Governance Committee |
Support | Associate Data Trustee, Data Steward, Associate Data Steward, System Owner, Technical Manager, Data Administrator, Data User |
Consulted | Data Governance team, Cyber Security, General Counsel |
Informed | Data Domain & Technology Sub-Committees |
Procedures
- Audit Roles and Responsibilities
- The Chief Audit Executive (or their appointed designee) may conduct internal audits and may facilitate external audits of this Policy and corresponding guidelines, procedures, and resources.
- The Data Governance Officer, the Chief Information Security Officer (or their appointed designee), and the General Counsel and Vice President for Ethics & Compliance (or their appointed designee) may consult with Internal Auditing on both internal and external audits.
- The roles indicated in the “Support” section of the “Audience” list above shall support audits by participating in surveys, interviews, and review of documentation that supports compliance with the Policy and the corresponding guidelines, procedures, and resources.
- Internal Audit
- Internal audits may be prioritized based on feedback by the Data Governance Committee, the Data Governance Officer, the Chief Information Security Officer, and the General Counsel and Vice President for Ethics & Compliance.
- Internal audits will be conducted at a frequency determined by Internal Auditing.
- Internal audits may be conducted through the use of surveys, interviews, and review of documentation that supports compliance with the Policy, guidelines, procedures, and resources.
- Internal audits may be conducted with a sampling of Associate Data Trustees, Data Stewards, Associate Data Stewards, System Owners, Technical Managers, Data Administrators, and Data Users. Internal audits may be conducted with the Data Governance Committee, the Data Management Committee, and the Data Domain & Technology Sub-Committees.
- Internal audit results will be documented and retained in accordance with GT and USG Records Retention and Disposition schedules. A summary of findings and recommendations will be provided by the Chief Audit Executive to the Chair of the Data Governance Committee, highlighting areas of concern, improvement, and success.
- Internal Auditing and the Data Governance Committee will communicate any areas of concern to the Data Trustees and Data Owner as appropriate.
- External Audit
- Internal Auditing may facilitate an external audit.
- The Data Governance Officer, the Chief Information Security Officer (or their appointed designee), and the General Counsel and Vice President for Ethics & Compliance (or their appointed designee) may consult with Internal Auditing during an external audit.
- External audit results will be documented and retained in accordance with GT and USG Records Retention and Disposition schedules. A summary of findings and recommendations will be provided by the External Auditors to the Chair of the Data Governance Committee, highlighting areas of concern, improvement, and success.
- The External Auditor and the Data Governance Committee will communicate any areas of concern to the Data Trustees and Data Owner as appropriate.
Resources
- When will auditing efforts begin?
- The USG expects all institutions to have a Data Governance and Management Program in place by June 2021. Internal and external auditing of this Program may begin as early as the second half of 2021.
Revision Date | Author | Description |
---|---|---|
2021-07-27 | Zachary Hayes, Data Governance | New |