Department of Internal Audit and Compliance

Information Technology - Data Security

Effectiveness and efficiency of operations

A. Physical and logical security measures are implemented.

  1. Have security guidelines been established that detail the responsibilities of management, security administration, resource (data, programs or assets) owners, computer operations, system users, and internal auditors?
  2. Have guidelines been established that address issues such as: ownership of resources; procedures for granting access; procedures for establishing users' access privileges; required authorizations; security monitoring; the consequences of non-compliance with policy, standards, and procedures; and the security implementation plan, if applicable?
  3. Has an information security officer (ISO) been appointed to be responsible for creating and maintaining IT security policy and procedures, reporting security issues to management, and ensuring policies and procedures are current and operating as designed?

B. Physical security exists for computer resources.

  1. Have electronic systems been established that monitor physical access to computer rooms or other restricted areas by sensing information, which is coded in devices such as magnetic cards or keys, that uniquely identifies the individual requesting access and creates an audit trail of granted or denied access requests?
  2. Is a key card employed to open office suites after-hours and during weekends and holidays, and manual sign-in required in off-peak hours to track individuals that are onsite in case of an emergency?

C. Security exists for all software and data.

  1. Is each new user required, prior to receiving IDs and passwords, to complete a data sheet that enables the division manager to determine appropriate access and levels of security before forwarding access approval to the system administrator?
  2. Have two levels of passwords been established: one for regular accounts (long-term employees with approved access to certain systems) and a second for privileged accounts (temporary users with access to a system for a defined time limit)?
  3. Is the IT security function required to provide the functional and business managers with a list of personnel in their areas who have access to restricted applications and databases every 6 months? Is each manager entrusted with the responsibility to communicate to the IT security personnel any necessary modifications to the approved access list?
  4. Is data classified according to whether it is highly restricted with high disclosure risks and, thus, confidential; moderately restricted with moderate to high risks and available only to internal audiences; or unrestricted with no risk and freely disclosed to any interested party? These classifications drive the security parameters used to protect the data.

D. Security exists for communications (networks, intranets, the Internet).

  1. Is all network documentation created, published, and kept current, including: documentation of schematics of networks and connections; user documentation; system documentation and configuration; problem reporting procedures and contingency plans; and operations documentation?
  2. Is intranet/Internet access provided through the user or user's manager submitting an access request form to the IT department along with an attached copy of a signed form acknowledging intranet and Internet security coverage?
  3. Is specific information prohibited from being sent over the intranet/Internet including data classified as confidential, such as: personnel information; payroll information; systems access passwords; information file encryption keys; and sensitive customer or supplier information?
  4. Is a business implementation and maintenance plan prepared when developing a web site, and the marketing or University communications group required to approve all content for the site before it is published?

Last Updated: 1/3/23