Why a Wastebasket Audit?

Most auditors and security analysts have never performed a wastebasket audit. Why do a trashcan audit?

  • Low cost (free)
  • Quick & easy
  • Easy to perform (even junior auditors can find this evidence)
  • You always learn something (e.g., this payroll clerk really likes bananas)
  • Most people are careless with data and secrets
  • It’s a good way to take the pulse of a person, department, or company

Warning: Depending on your company, you should probably get permission (always the safest route). Is it covered tangentially in your audit charter? Do you have a GOOJ card (see item #3)?

Privacy Issue? Sneaky?

To those of you who think this is an invasion of privacy or underhanded (it’s actually under desk), don’t your company policies state that you should expect no privacy for anything stored online or on company premises? If not, you should investigate why.

As for being underhanded, it is. So what? Do those committing fraud post a notice on the company intranet? Does the person in Marketing who is probing the web server embed his name in each malicious packet? If someone threw it away, doesn’t that tell you what she thought of the data? So you think you should protect what others carelessly discarded? Or should you protect the company?

Top Trashcans to Audit

Conference rooms – they are more “public” areas, location of many highly confidential meetings, and are visited by customers and vendors. [Safest area to audit, just close the door]

Lobby area – heavy visitor area, where people who are waiting toss previous drafts of presentations, clean out their briefcases, and–interestingly enough–it’s an employee’s last chance to throw something out as they leave the premises.

Print/copy room – Paper is lying around everywhere, in and out of the trashcan. Just put a few papers under yours, and walk back to your desk.

Areas or staff under audit – Immediately prior to and during an audit, people tend to throw a lot of stuff out for some reason (hmmmm). I always start my wastebasket audit at least 2 weeks before the audit kickoff, and don’t end until 2 weeks after the final report is issued.

One nice thing about these types of audits is that you don’t have to tell anyone how you got the information (say “it was provided to me and my source is confidential”). If the original evidence is crumpled, smooth it out and make a copy. Put the focus on what the data reveals, not the source; that’s secondary.

Finally, whatever personal information you learn about employees, keep it confidential, and forget it as fast as you can.

Update 1–

One reader, Audit Monkey, stated that these audits are a waste of time (see his Comment and my reply). I realized that I neglected to note that I’m not suggesting formal audits of wastebaskets–just do them as you perform your other duties (e.g., as you use the print/copy room and on special occasions (which a future post will explain further)).

Update 2 — Recycle Bin

Another reader, A Cow in Willesden, suggested going through recycle bins on auditee computers, which is a great suggestion if you can pull it off. Check out the comment here.

Any other dissenting opinions or other comments?


You might also be interested in Another One’s Treasure.

Or even Easiest Way to Steal Confidential Data.




12 responses to “Why a Wastebasket Audit?”

  1. Audit Monkey

    An utter waste of time. If you are doing these audits, you have not got a clue what is going on in your firm, the risks and what you ought to be auditing.


    • ITaudit

      Audit Monkey,
      Thanks for your comment. I think I understand where you’re going, but I need to clarify something that I did not note in my original post–I’m not talking about doing formal audits, but spot checks here and there (e.g., when you’re in the print/copy room and when you pass through the lobby on occasion, perhaps after a large vendor meeting). Or specifically when something doesn’t smell right (See Surprising Survey Results in WasteBasket Audit Findings). What people throw away, leave in the print room, or recycle can give you a pulse on what’s going on. A pulse that you could not otherwise determine.

      I know from experience that you can discover a lot of information that isn’t normally given to you. Not only is it not given to you, it is thrown out for others to stumble upon. If trash wasn’t a risk, why do many companies have locked recycle bins? What I’m suggesting is that you occasionally review what people are throwing away to determine whether sensitive IT or financial data or intellectual property is lying around or gone.

      In talking to auditors and security analysts, almost no one does this type of review. So are you telling me that’s because companies know most everything that is going on in their business, what all the risks are, and exactly what they should be auditing?

      I disagree. Not only has Elvis left the building, but so has a lot of data. You just don’t know about it.


  2. Audit Monkey

    I think we need to differentiate between a ‘clear desk review’ and a ‘waste bin’ review. Purely looking in waste-bins for discarded confidential information in isolation doesn’t achieve very much except that some employees may have been sloppy. Personally a clear desk review is more encompassing as you are reviewing compliance with policy. My hatred of waste bin reviews stems from my previous work experience where it was used as a substitute to avoid doing some proper audit work and reviewing core processes.


    • ITaudit

      Audit Monkey,
      I disagree that discarded confidential information only indicates employees (as well as vendors, partners, and visitors) may have been sloppy.* I’ve found via these audits on several occasions that dishonest activities are occurring behind the scenes. Or that conditions exist that should not, but no one realized it.

      I’m not suggesting that these audits are substitutes for proper audit work, but are supplementary to other audits, and in some cases, find things that regular audits don’t.

      * If all you DO find is that employees are being sloppy, is that not a risk that needs to be identified and managed? In my experience, if employees are careless in what they throw away, they are also careless in daily operations, simply because they are not cognizant of the value of data in the first place.


  3. Audit Monkey

    I would prefer to do a clear desk review. Note, this is often performed after hours when the majority of staff have gone home. However, I think that doing trash can reviews lowers the standing of the auditor as it does seem to verge on snooping on people.


    • ITaudit

      Audit Monkey,
      I agree with you! It does seem to lower the standing of the auditor. But, I ask, is the auditor’s job to determine whether risk is managed or to maintain his standing? Audit is about risk, not pride.

      Again, in my experience, a critical piece of evidence was found by bending over and snooping. I don’t have a problem with snooping, especially when privacy policies state that no privacy should be assumed. I know that some countries, and especially Europe, have stricter privacy policies. Snooper beware.

      Furthermore, if someone is doing something illegal or fraudulent, a clear desk review won’t catch it. For some reason, people think trashcans are safe, and in most companies, they are! All I’m suggesting is to take (often overlooked evidential) matters into your own hands.


  4. marieb

    I thought I’d note that the 2009 CISA manual (spiral bound version) from ISACA mentions wastebasket auditing. At the bottom of page 444, under the heading, “Logon IDs and Passwords,” it states:

    “Another source of confidential information is the wastebasket. The IS auditor might consider going through the office wastebasket looking for confidential information and passwords.”


  5. I’d consider adding a step of work to an audit, probably towards the end, to look in the recycle bin on the machines of audit clients, especially those in a coordination role. Would be interesting to review the list and see whether previous versions of documents provided to audit were discarded, or whether documents which couldn’t be located were in fact in the trash. I imagine it could be a pretty targeted and temporary step, probably just for a handful of audits over a year maybe.
    I don’t think I’ll be digging through real-life bins though, but I can see how it might be a good piece of work if you have the right kind of motivation and outlook.


  6. TT

    This is where CISSP knowledge kicks in. Good example of how CISSP cert training helps IT auditors understand IT security.
    Risk of social engineering/dumpster diving -> controls -> wastebasket audit.


  7. Pingback: New IT Auditors Should Start Here | ITauditSecurity
