Question:
What are common audit recommendations on Information Systems?
Answer:
Strategic planning
- Align the department’s strategic plan with business and computing objectives.
- Define the current capabilities and future needs for information technology.
Risk assessments
- Perform a risk assessment to identify the impact and likelihood of threats and vulnerabilities to business processes and goals.
- Develop an action plan to ensure cost-effective controls and security measures minimize risks to an acceptable level.
Technology infrastructure
- Ensure that performance and capacity meet department computing objectives.
- Adopt hardware acquisition standards to provide cost efficient and stable platforms for distributed applications
- Provide consistent system administration.
Systems security
- Monitor and re-evaluate security of all information systems
- Configure operating systems and anti-virus software for the timely application of patches and updates.
- Implement procedures for detecting, reporting, and responding to security threats
- Ensure host based firewalls are active and limit internet protocols permitted through the firewall.
Physical security
- Restrict physical access to information technology facilities and equipment to individuals with a business need for accessing the systems.
- Protect servers from physical and environmental damage.
Disaster recovery
- Develop, document, and implement backup procedures, disaster recovery plans, and cross-training for key information technology personnel.
- Store backup media in a secure offsite location that meets all archival, backup, and recovery needs for University systems.
- Test backup media on a regular basis to verify the ability to restore critical systems and data.
Service provider contracts
- Establish a comprehensive data sharing agreement for sensitive and confidential information on systems managed or owned by vendors
Access
- Implement access controls for department critical systems.
- Promptly issue, alter, and revoke user access, and periodically review and verify that user access aligns with current job duties.
- Document and retain authorizations for access.
- Use unique user names and strengthen password controls to identify and authenticate system users.
- Perform periodic reviews of user access rights to ensure appropriateness
- Discontinue the use of default passwords, improve the communication method for issuing access credentials, and ensure initial login passwords are changed in a timely manner.
References
faqtype:
Standard