General Information System Controls Review
ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC)
March 11, 2010
Report No
Office of the County Auditor
Evan A. Lukic, CPA, County Auditor
Executive Summary

This report provides the results of our review of general information system (IS) controls over ECHO application software used by the Human Services Department's (HS) Broward Addiction Recovery Division (BARC). General IS controls are the structure, policies and procedures that apply to an entity's overall computer operations and help ensure their proper operation. Accordingly, our objective was to evaluate general IS controls over the integrity, confidentiality, and availability of the ECHO system and data maintained in ECHO.

We identified the following general IS control weaknesses:

1. User access accounts are not maintained in accordance with established HS security policies and best practices for a secure environment. Access controls help ensure computer resources, such as the ECHO system, are protected from unauthorized changes, loss, disclosure or impairment.
2. Automated password control features of the ECHO software were not implemented to enforce the criteria set forth in the HS IT Security Policy. Password controls are essential to access controls, which help promote user accountability, data integrity and confidentiality.
3. System administrator access is not appropriately restricted to promote system and data integrity. Inadequate separation of incompatible duties increases the risk of compromised system and data integrity.
4. Backup resources to support and maintain ECHO have not been established, increasing the risk of system unavailability.
5. A maintenance agreement is not in place to ensure continued availability of vendor support for the ECHO software.

To improve controls over system and data integrity, confidentiality, and availability, we have included specific recommendations to address the control weaknesses identified above.
Background

Established in 1973, the BARC Division of the Human Services Department provides medical and clinical treatment, substance abuse and nutrition education and support services to Broward County residents and homeless individuals who are chemically dependent and 18 years or older. BARC acquired and implemented ECHO software in 2003 at a cost of $461,482 to automate, track and manage operations. BARC utilizes two ECHO software modules, Clinician Desktop (CDT) and Revenue Manager (RM), for scheduling, tracking, reporting, and management of client demographic and clinical records, authorizations, assessments, treatment plans and outcomes, and billing. ECHO also facilitates electronic submission of activity reports to the Department of Children and Families to obtain reimbursement for eligible services.

ECHO was developed and is supported by the vendor, The ECHO Group, at an annual maintenance cost of $40,628. Maintenance includes upgrades, problem resolution and other support services. Customization and modification services are available from The ECHO Group for additional fees.

One BARC staff member is responsible for supporting 155 ECHO users (80% of BARC staff). This individual is also the administrator for security, the underlying database, and the operating system. Over the past two years Human Services and BARC have undergone several organizational changes, which have affected staffing of HS Information Technology (IT) roles. During our review, HS IT staff and services were in the process of combining with the County's Enterprise Technology Services Division (ETS).

Objectives, Scope and Procedures

General information system (IS) controls are the policies and procedures that apply to an entity's information systems and help ensure their proper operation. Effective general IS controls help safeguard data, protect software programs, prevent unauthorized access, and ensure continued computer operations in case of unexpected interruptions.[1] Accordingly, our objective was to evaluate general IS controls over the integrity, confidentiality, and availability of the ECHO system and data maintained in ECHO.

To accomplish our objective, we:
- Reviewed applicable HS policies, procedures and forms.
- Interviewed BARC staff responsible for information system technology.
- Reviewed internal controls over system access, including system roles, user accounts, and security configuration settings.
- Reviewed management processes for the support and maintenance of ECHO and the underlying database (SQL).
- Observed management processes to evaluate compliance with documented policies, procedures, and controls for system access, use, support, maintenance and processing.

[1] Federal Information System Controls Audit Manual: Volume I, Financial Statement Audits. United States Government Accountability Office, GAO/AIMD, January.
In the performance of our review, we referenced criteria from Control Objectives for Information and related Technology (COBIT), published by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides generally applicable and accepted measures, indicators, processes and best practices to assist organizations in the sound use and management of information technology.

Findings and Recommendations

Finding 1: User access accounts are not maintained in accordance with established HS security policies and best practices for a secure environment.

Access controls should provide reasonable assurance that computer resources, such as the ECHO system, are protected from unauthorized changes, loss, disclosure or impairment. Inadequate access controls diminish the reliability of data and increase the risk of destruction or inappropriate disclosure of data. Although the Human Services IT Security Policy includes criteria for creating and maintaining user IDs and profiles, the stated policy is not being effectively followed. Our review of internal controls over access to ECHO revealed the following:
- A periodic and comprehensive review of ECHO access accounts has not been performed to ensure the continued effectiveness of account restrictions. In reviewing the 160 ECHO user accounts in conjunction with HS IT staff, HS IT staff identified 16 accounts which required removal of some or all of the user's access due to changes in employee status.
- User accounts were created without evidence of a request form and/or proper authorization for access. In our review of twenty user accounts added since January 2008, only 8 out of 20 user accounts were supported by a user access form. Further, only 2 out of the 8 user access forms were properly authorized by a supervisor.
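The two observations above (accounts left in place after a change in employee status, and accounts created without an authorized request form) are exactly what a periodic access review is built to surface. The Python below is an added example written for this page, not part of the auditor's report and not ECHO software: it reconciles a constructed application account export against a constructed HR roster and the retained access-request forms, and returns the exception buckets a reviewer acts on. The field layout, the 90-day dormancy window and every sample row are assumptions.

```python
"""Periodic access review of an application account export (added example).

Reconciles the application's user-account list against the HR roster and the
retained access-request forms, producing the exception list an access review
acts on: accounts to revoke, accounts whose privileges need re-approval,
dormant accounts to lock, and accounts with no (or no authorized) request form.

All field names and sample rows are constructed for this example; they are
not ECHO's export format or BARC data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Constructed HR roster: user_id -> employment status on the review date.
HR_ROSTER = {
    "jdoe": "active",
    "asmith": "terminated",   # left the agency; account should already be gone
    "bwong": "transferred",   # moved units; clinical profile may no longer be needed
    "ckhan": "active",
    "svc_report": "active",   # service account, never logs in interactively
}

# Constructed application account export (one dict per account).
ACCOUNTS = [
    {"user_id": "jdoe", "profiles": ["CDT_Clinician"], "last_login": "2010-02-20",
     "form_on_file": True, "form_approved_by": "supervisor"},
    {"user_id": "asmith", "profiles": ["CDT_Clinician", "RM_Billing"], "last_login": "2009-11-02",
     "form_on_file": True, "form_approved_by": "supervisor"},
    {"user_id": "bwong", "profiles": ["CDT_Clinician"], "last_login": "2010-03-01",
     "form_on_file": True, "form_approved_by": None},      # form retained, never signed
    {"user_id": "ckhan", "profiles": ["RM_Billing"], "last_login": "2009-09-15",
     "form_on_file": False, "form_approved_by": None},     # no request form at all
    {"user_id": "svc_report", "profiles": ["RM_ReadOnly"], "last_login": None,
     "form_on_file": True, "form_approved_by": "supervisor"},
    {"user_id": "temp99", "profiles": ["CDT_Clinician"], "last_login": "2010-03-05",
     "form_on_file": False, "form_approved_by": None},     # unknown to HR: orphan account
]


@dataclass
class ReviewResult:
    revoke: List[str] = field(default_factory=list)           # terminated or unknown to HR
    rescope: List[str] = field(default_factory=list)          # status changed; privileges need re-approval
    dormant: List[str] = field(default_factory=list)          # no login inside the dormancy window
    missing_form: List[str] = field(default_factory=list)     # no access-request form retained
    unapproved_form: List[str] = field(default_factory=list)  # form retained but not authorized


def review_accounts(accounts, roster, review_date, dormant_days=90):
    """Classify every account into the exception buckets an access review acts on.

    review_date is an ISO date string. An account may land in several buckets
    (e.g. terminated *and* dormant); each condition is evidenced separately.
    """
    result = ReviewResult()
    cutoff = date.fromisoformat(review_date) - timedelta(days=dormant_days)
    for acct in accounts:
        uid = acct["user_id"]
        status = roster.get(uid)          # None: no HR record at all (orphan account)
        if status in (None, "terminated"):
            result.revoke.append(uid)
        elif status != "active":
            result.rescope.append(uid)
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            result.dormant.append(uid)
        if not acct["form_on_file"]:
            result.missing_form.append(uid)
        elif not acct["form_approved_by"]:
            result.unapproved_form.append(uid)
    return result


def form_compliance_rate(accounts):
    """Share of accounts backed by a request form that was actually authorized."""
    approved = sum(1 for a in accounts if a["form_on_file"] and a["form_approved_by"])
    return approved / len(accounts)


if __name__ == "__main__":
    res = review_accounts(ACCOUNTS, HR_ROSTER, "2010-03-11")
    for bucket, users in vars(res).items():
        print(f"{bucket:16s} {', '.join(users) or '-'}")
    print(f"authorized forms: {form_compliance_rate(ACCOUNTS):.0%}")
```

Orphan accounts (present in the application but absent from HR) are treated like terminated ones because there is no owner left to re-authorize them; transferred staff are a separate bucket because the finding above notes that some of those 16 accounts needed only part of their access removed, which is a re-approval decision rather than a deletion.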
Best practices[2] for user account management suggest the following processes be established for effective internal controls over access to systems:
- Periodic management review of all accounts and related privileges to ensure removal or reallocation of system rights upon change in employee status.
- Formal user account management procedures for requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges (profiles).
- An approval procedure which outlines the data or system owner's responsibilities for granting access privileges. These procedures should apply to all users, including administrators (privileged users) and internal and external users, for normal and emergency cases.
- User acknowledgement of rights and obligations relative to access.

[2] Control Objectives for Information and related Technology (COBIT) 4.1, Deliver and Support, DS5.4 User Account Management.

Recommendation: To ensure effective access security controls, we recommend the Board of County Commissioners direct the County Administrator, within ninety days, to:
1. Comply with the HS security policy and best practices for access controls by implementing the following controls:
   - Requiring completed, authorized access request forms prior to granting or modifying access to ECHO.
   - Timely action on requested changes to users' access: new, expand, reduce, suspend and revoke.
   - Retention of access authorization forms to enable periodic review of ECHO accounts for compliance with HS-authorized access permissions.
   - Automated account lock-out features for dormant accounts (e.g., accounts that have not logged in for a specified period of time).
2. Revise the existing user access procedures to define management's responsibility for requesting, approving and granting access to ECHO for all classes of users.

Finding 2: Automated password control features of the ECHO software were not implemented to enforce criteria set forth in the HS IT Security Policy.

User IDs in conjunction with corresponding passwords are a fundamental control over access to systems. Effective access controls help promote user accountability, data integrity and confidentiality. To ensure effective access controls, best practices recommend that organizations establish a password policy. The HS IT Security Policy establishes the following password criteria, which meet suggested best practices for a secure environment:
- May not contain any part of the user's account name.
- Must be at least 8 alphanumeric characters long.
- Only 5 failed attempts will be allowed before the account is locked.
- A user will not be allowed to reuse a password for 15 consecutive change cycles.

While ECHO access requires a valid account and corresponding password, ECHO does not automatically enforce the password criteria from the HS IT Security Policy.
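The four criteria above are the kind of rules an application can enforce automatically rather than leave to manual compliance. The Python below is an added example for this page, not ECHO Group code and not ECHO's configuration interface: it implements the four rules as checks on a login account, keeping the reuse history as salted PBKDF2 hashes so that retaining 15 generations does not mean retaining 15 plaintext passwords. Class and function names, the PBKDF2 iteration count and the demo accounts are assumptions; "alphanumeric" is read as requiring both letters and digits, and "part of the account name" as any three-character run of the name. One practitioner caveat: these are the 2010 policy's criteria, and current guidance (NIST SP 800-63B) favours length and screening against compromised-password lists over composition rules.

```python
"""Password policy enforcement for an application login (added example).

Implements four policy rules as automated checks: no part of the account name
in the password, at least 8 alphanumeric characters (letters and digits), lockout
after 5 failed attempts, and no reuse within the last 15 password changes.

Class names, parameters and demo accounts are constructed for this example.
"""
import hashlib
import os
import re
from collections import deque

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
HISTORY_DEPTH = 15
MIN_NAME_FRAGMENT = 3     # shortest account-name run treated as "part of the name"
PBKDF2_ROUNDS = 100_000   # constructed example value


class PasswordPolicyError(ValueError):
    """Raised when a password change violates the policy."""


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _name_fragments(account_name):
    """Every MIN_NAME_FRAGMENT-long run of the account name and of its tokens."""
    name = account_name.lower()
    tokens = set(re.split(r"[^a-z0-9]+", name)) | {name}
    for tok in tokens:
        for i in range(len(tok) - MIN_NAME_FRAGMENT + 1):
            yield tok[i:i + MIN_NAME_FRAGMENT]


class Account:
    def __init__(self, account_name, initial_password):
        self.account_name = account_name
        self.failed_attempts = 0
        self.locked = False
        self._history = deque(maxlen=HISTORY_DEPTH)  # (salt, hash); last entry is current
        self._set(initial_password)

    def violations(self, candidate):
        """List every policy rule the candidate breaks (empty list means compliant)."""
        problems = []
        lowered = candidate.lower()
        if any(frag in lowered for frag in _name_fragments(self.account_name)):
            problems.append("contains part of account name")
        if len(candidate) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
            problems.append("not alphanumeric (needs letters and digits)")
        # Compare against each retained generation under that generation's salt.
        if any(_hash(candidate, salt) == digest for salt, digest in self._history):
            problems.append(f"reused within last {HISTORY_DEPTH} changes")
        return problems

    def _set(self, password):
        salt = os.urandom(16)
        self._history.append((salt, _hash(password, salt)))

    def change_password(self, current, new):
        if not self.authenticate(current):
            raise PasswordPolicyError("current password incorrect or account locked")
        problems = self.violations(new)
        if problems:
            raise PasswordPolicyError("; ".join(problems))
        self._set(new)

    def authenticate(self, password):
        """True on success; locks the account at MAX_FAILED_ATTEMPTS consecutive failures."""
        if self.locked:
            return False
        salt, digest = self._history[-1]
        if _hash(password, salt) == digest:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def unlock(self):
        """Administrative reset after the lockout has been reviewed."""
        self.failed_attempts = 0
        self.locked = False


if __name__ == "__main__":
    acct = Account("jdoe", "Winter2009x")
    for cand in ("jdoe2010!!", "abc123", "Winter2009x", "Spring2010y"):
        print(f"{cand:14s} -> {acct.violations(cand) or 'ok'}")
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.authenticate("wrong")
    print("locked:", acct.locked)
```

The history check hashes the candidate once per retained generation, which is acceptable at a depth of 15; the lockout counter resets only on a successful login, so an attacker cannot reset it by guessing, and release requires the administrative `unlock`, which is where the review in Finding 3 would want an audit record.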
HS staff report that password security features are available, but they were not configured during ECHO implementation. Since the stated password criteria are not being enforced, either manually or automatically, the effectiveness of access controls is diminished.

Recommendation:
3. To ensure effective access control over user accountability, data integrity and confidentiality, we recommend the Board of County Commissioners direct the County Administrator to evaluate and report on the feasibility of implementing automated password control features for the ECHO application, within ninety days of adoption.

Finding 3: System administrator access is not appropriately restricted to promote system and data integrity.

According to best practices for internal controls over systems, work responsibilities should be separated so that one individual does not control all stages of a critical process. For example, the ability to maintain or update software and databases should not be paired with access to the application, or with the ability to administer application security. Inadequate separation of incompatible duties provides the administrator with the access to perform and conceal improper activities.

As the sole IT staff for ECHO support, the IT Manager is responsible for system maintenance, processing, user support, and security administration. Upon review of ECHO account privileges we found that the IT Manager had unmonitored, unrestricted access to 17 out of 18 available ECHO privileges (profiles). In addition to ECHO application access, the IT Manager has powerful administrator access to the ECHO database and server. The size of the HS IT function does not allow appropriate separation of responsibilities for maintaining software/databases and providing user support. Access controls could be improved by the removal of ECHO sign-on accounts from core IT staff and the adoption of system activity monitoring procedures.

Recommendation: To mitigate the exposure of inadequate separation of conflicting responsibilities, we recommend the Board of County Commissioners direct the County Administrator, within ninety days of adoption, to:
4. Remove transaction responsibilities from IT staff. The IT Manager should not be assigned to input, adjust, or void transaction data in ECHO.
5. Require supervisors (other than the IT Manager) to monitor daily transactions and reconcile system reports of BARC activity to source documents.
6. Request ETS to perform a routine review of the database and Microsoft server configurations to ensure HS is maintaining the ECHO infrastructure in compliance with established County standards for operations and security.
Finding 4: Backup resources to support and maintain ECHO have not been established, increasing the risk of system unavailability.

One individual has supported ECHO since the 2003 implementation. No other staff member has been trained to fulfill the role of application support. BARC's reliance on one individual to support ECHO increases the risk of system unavailability. Should ECHO become unavailable and ECHO support staff not be accessible, recovery and ongoing problem resolution would be hampered.

Recommendation: To mitigate the exposure to system unavailability, we recommend the Board of County Commissioners direct the County Administrator, within ninety days of adoption, to:
7. Identify and train a backup resource for the BARC IT Manager.
8. Maintain ECHO system and database documentation as system updates/upgrades are implemented, to facilitate backup administration, support and maintenance of ECHO.

Finding 5: A maintenance agreement is not in place to ensure continued availability of vendor support for the ECHO software.

In lieu of a software maintenance agreement, BARC paid vendor invoices for annual software maintenance using the direct payment voucher process. The amount paid for annual maintenance in 2009 was $40,628. This practice does not comply with established internal controls[3] for vendor payments, and exposes BARC to a potential loss of vendor support. Without a software maintenance agreement, there is no contractual obligation on the vendor to continue to support and maintain ECHO. The vendor has submitted an agreement renewal form letter each year; however, BARC staff did not negotiate the terms of the agreement and the agreement was not executed. Without an effective support agreement, BARC has no recourse against the vendor for non-performance, nor the protection provided under the standard terms of a properly executed software maintenance agreement.

Recommendation: To ensure compliance with the County's Administrative Code and provide for continued maintenance/support of ECHO, we recommend the Board of County Commissioners direct the County Administrator, within ninety days, to:
9. Re-evaluate vendor-supplied support terms and process maintenance agreements and payments as required by the Administrative Code, purchasing ordinance and Broward County procedures.

[3] Volume 6, Accounting, Payroll & Tangible Property Procedures, Chapter 3, Payment Process, Section II, Documentation Required for Payment; Section IV, Payment Requests, Direct Voucher Payment.
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationRed Flag Policy and Identity Theft Prevention Program
Unified Government of Wyandotte County and Kansas City, Kansas Adopted: 5/11/2011 Red Flag Policy and Identity Theft Prevention Program Authority: The Mayor and the Board of Commissioners are responsible
More informationState of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS)
1.0 PURPOSE Periodic security audits, both internal and external, are performed for the benefit of the and its employees to: (1) identify weaknesses, deficiencies, and areas of vulnerability in operations;
More informationState of Colorado Cyber Security Policies
TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief
More informationA full list of SaltWire Network Inc. publications is available by visiting saltwire.com.
Introduction Effective January 1, 2004, private sector organizations must follow a code for the protection of personal information in accordance with the Personal Information Protection and Electronic
More information7.16 INFORMATION TECHNOLOGY SECURITY
7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for
More informationInformation Security for Mail Processing/Mail Handling Equipment
Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the
More informationAcceptable Use Policy
Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationStandard CIP Cyber Security Electronic Security Perimeter(s)
A. Introduction 1. Title: Cyber Security Electronic Security Perimeter(s) 2. Number: CIP-005-2 3. Purpose: Standard CIP-005-2 requires the identification and protection of the Electronic Security Perimeter(s)
More informationLakeshore Technical College Official Policy
Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director
More informationUse of Mobile Devices on Voice and Data Networks Policy
World Agroforestry Centre Policy Series MG/C/4/2012 Use of Mobile Devices on Voice and Data Networks Policy One of the policies on information security and business continuity which will be audited by
More informationSCALARR PRIVACY POLICY
SCALARR PRIVACY POLICY Updated: May 31, 2018 Scalarr, Inc. ( Scalarr or We ) respect your privacy and is committed to protecting your privacy and ensuring you have a positive experience on our website
More informationFSC STANDARD. Standard for Multi-site Certification of Chain of Custody Operations. FSC-STD (Version 1-0) EN
FOREST STEWARDSHIP COUNCIL INTERNATIONAL CENTER FSC STANDARD Standard for Multi-site Certification of Chain of Custody Operations FSC-STD-40-003 (Version 1-0) EN 2007 Forest Stewardship Council A.C. All
More informationProcess Document. Scope
Process Document Subject: BCIT Access Management Process Process Number: I.0.02.00.01 Department Name: Information Technology Version: 1.4 Original Issue Date: Revision Date: 03/22/2010 Process Owner:
More informationMIS5206-Section Protecting Information Assets-Exam 1
Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines
More informationAdopter s Site Support Guide
Adopter s Site Support Guide Provincial Client Registry Services Version: 1.0 Copyright Notice Copyright 2016, ehealth Ontario All rights reserved No part of this document may be reproduced in any form,
More informationThe City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.
Policy Number: 10-09-02 Section: Roads and Traffic Subsection: Traffic Operations Effective Date: April 25, 2012 Last Review Date: Approved by: Council Owner Division/Contact: For information on the CCTV
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationINFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010
INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK Presented by Ronald E. Franke, CISA, CIA, CFE, CICA April 30, 2010 1 Agenda General Accountability Office (GAO) and IT Auditing Federal
More informationFrequently Asked Question Regarding 201 CMR 17.00
Frequently Asked Question Regarding 201 CMR 17.00 What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009? There are some important differences in the
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationMobile Communication Devices. 1.0 Purpose. 2.0 Policy NO Virginia Polytechnic Institute and State University
Mobile Communication Devices NO. 3960 Policy Effective Date: 3/8/2016 Last Revision Date: Policy Owner: Dwight Shelton Policy Author: (Contact Person) Savita Sharma Affected Parties: Faculty Staff 1.0
More informationINFORMATION ASSET MANAGEMENT POLICY
INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives
More informationWireless Communication Stipend Effective Date: 9/1/2008
Category: Financial Policy applicable for: Faculty/Staff Policy Title: Policy Number: Wireless Communication Stipend Effective Date: 9/1/2008 Enabling Act(s) IRS rule 2.1.7 Policy Owner: Sr. VP for Administration
More informationPrivacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information
Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.
More informationEnterprise Income Verification (EIV) System User Access Authorization Form
Enterprise Income Verification (EIV) System User Access Authorization Form Date of Request: (Please Print or Type) PART I. ACCESS AUTHORIZATION * All required information must be provided in order to be
More informationPrivacy Policy Effective May 25 th 2018
Privacy Policy Effective May 25 th 2018 1. General Information 1.1 This policy ( Privacy Policy ) explains what information Safety Management Systems, 2. Scope Inc. and its subsidiaries ( SMS ), it s brand
More informationWeb Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012
Web Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012 Table of Contents 1 General Overview... 2 2 Service Description... 2 2.1 Service Scope... 2 2.1.1 Eligibility Requirements... 2 2.1.2
More informationPart 11 Compliance SOP
1.0 Commercial in Confidence 16-Aug-2006 1 of 14 Part 11 Compliance SOP Document No: SOP_0130 Prepared by: David Brown Date: 16-Aug-2006 Version: 1.0 1.0 Commercial in Confidence 16-Aug-2006 2 of 14 Document
More information