Common Audit Recommendations—Information Systems
- Align the department’s strategic plan with business and computing objectives.
- Define the current capabilities and future needs for information technology.
- Perform a risk assessment to identify the impact and likelihood of threats and vulnerabilities to business processes and goals.
- Develop an action plan to ensure cost-effective controls and security measures minimize risks to an acceptable level.
- Ensure that performance and capacity meet department computing objectives.
- Adopt hardware acquisition standards to provide cost-efficient and stable platforms for distributed applications.
- Provide consistent system administration.
- Monitor and re-evaluate the security of all information systems.
- Configure operating systems and anti-virus software for the timely application of patches and updates.
- Implement procedures for detecting, reporting, and responding to security threats.
- Ensure host-based firewalls are active and limit the internet protocols permitted through the firewall.
- Restrict physical access to information technology facilities and equipment to individuals with a business need for accessing the systems.
- Protect servers from physical and environmental damage.
- Develop, document, and implement backup procedures, disaster recovery plans, and cross-training for key information technology personnel.
- Store backup media in a secure offsite location that meets all archival, backup, and recovery needs for University systems.
- Test backup media on a regular basis to verify the ability to restore critical systems and data.
Service provider contracts
- Establish a comprehensive data sharing agreement for sensitive and confidential information on systems managed or owned by vendors.
- Implement access controls for department critical systems.
- Promptly issue, alter, and revoke user access, and periodically review and verify that user access aligns with current job duties.
- Document and retain authorizations for access.
- Use unique user names and strengthen password controls to identify and authenticate system users.
- Perform periodic reviews of user access rights to ensure appropriateness.
- Discontinue the use of default passwords, improve the communication method for issuing access credentials, and ensure initial login passwords are changed in a timely manner.