What are common audit recommendations on Information Systems?

Strategic planning

  • Align the department’s strategic plan with business and computing objectives.
  • Define the current capabilities and future needs for information technology.

Risk assessments

  • Perform a risk assessment to identify the impact and likelihood of threats and vulnerabilities to business processes and goals.
  • Develop an action plan to ensure cost-effective controls and security measures minimize risks to an acceptable level.

Technology infrastructure

  • Ensure that performance and capacity meet department computing objectives.
  • Adopt hardware acquisition standards to provide cost efficient and stable platforms for distributed applications
  • Provide consistent system administration.

Systems security

  • Monitor and re-evaluate security of all information systems
  • Configure operating systems and anti-virus software for the timely application of patches and updates.
  • Implement procedures for detecting, reporting, and responding to security threats
  • Ensure host based firewalls are active and limit internet protocols permitted through the firewall.

Physical security

  • Restrict physical access to information technology facilities and equipment to individuals with a business need for accessing the systems.
  • Protect servers from physical and environmental damage.

Disaster recovery

  • Develop, document, and implement backup procedures, disaster recovery plans, and cross-training for key information technology personnel.
  • Store backup media in a secure offsite location that meets all archival, backup, and recovery needs for University systems.
  • Test backup media on a regular basis to verify the ability to restore critical systems and data.

Service provider contracts

  • Establish a comprehensive data sharing agreement for sensitive and confidential information on systems managed or owned by vendors

Access

  • Implement access controls for department critical systems.
  • Promptly issue, alter, and revoke user access, and periodically review and verify that user access aligns with current job duties.
  • Document and retain authorizations for access.
  • Use unique user names and strengthen password controls to identify and authenticate system users.
  • Perform periodic reviews of user access rights to ensure appropriateness
  • Discontinue the use of default passwords, improve the communication method for issuing access credentials, and ensure initial login passwords are changed in a timely manner.

References

University of Washington, Administrative Policy Statement, 2.3 Policy on Information Technology, Telecommunications and Networking Projects and Acquisitions

Information Systems Audit and Control Association, Control Objectives for Information and related Technology

Information Technology Infrastructure Library