Internal Control Checklist/Questionnaire/Assessment On Information Technology (Part 1)

Using the salient points below, you can establish an internal
control checklist or statement of policy for your company’s Information

• Procedures should be defined and documented to ensure the security
and proper maintenance of notebooks, computers and computer-related
• Usage of pirated software within the office premises should not be permitted at any time.

Logical Security
• Access should only be permitted by the use of a valid and unique identity (ID) and password combination.
• Log-on IDs should be automatically disabled after three log-on failures.
• Log-on IDs and passwords should be revoked when employees leave the
organisation. HR should promptly inform the IT department via the
resignation form.
• Log-on IDs should be automatically disabled after three minutes of inactivity.
• User access rights should be restricted to those required for the
users’ normal duties and in line with the approved standard group profiles.
• Requests for non-standard user profiles should be documented and approved by the respective Functional Managers.
• Changes to user access rights should be based on written approvals.
• Password confidentiality should be controlled as follows:
– Compulsory change of passwords every six months
– Minimum password length of six characters
• Virus scan utilities should be automatically invoked at every log-on.
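The Logical Security items above are thresholds that can be checked mechanically on a host. The following is an added example, not part of the original checklist, that audits Linux-style password and lockout settings against those thresholds. It parses constructed snippets in the format of /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_LEN), /etc/security/faillock.conf (deny) and a shell profile (TMOUT); the checklist's "six months" is assumed to be 180 days, and the item names in the findings dictionary are this example's own.

```python
"""Audit password/lockout settings against the Logical Security checklist.

Added example (not from the original checklist). Thresholds come from the
checklist items above: disable after 3 failed log-ons, disable after
3 minutes of inactivity, change passwords every six months (assumed to be
180 days), minimum password length of 6 characters.
"""
import re

MAX_FAILED_LOGONS = 3
MAX_INACTIVITY_SECONDS = 3 * 60
MAX_PASSWORD_AGE_DAYS = 180      # assumption: six months ~ 180 days
MIN_PASSWORD_LENGTH = 6


def parse_kv(text):
    """Parse 'KEY value' (login.defs style), 'key = value' (faillock.conf
    style) and 'KEY=value' (shell) lines into a dict, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"([A-Za-z_]+)\s*=?\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(login_defs, faillock_conf, profile):
    """Return {checklist item: (observed value, compliant?)}."""
    ld = parse_kv(login_defs)
    fl = parse_kv(faillock_conf)
    pr = parse_kv(profile)
    findings = {}

    # faillock: deny = 0 (or absent) means no lockout at all
    deny = int(fl.get("deny", 0))
    findings["lockout_after_failures"] = (deny, 1 <= deny <= MAX_FAILED_LOGONS)

    # shell inactivity timeout in seconds; 0/absent means never
    tmout = int(pr.get("TMOUT", 0))
    findings["inactivity_timeout"] = (tmout, 1 <= tmout <= MAX_INACTIVITY_SECONDS)

    # login.defs defaults: PASS_MAX_DAYS 99999 (never expires), PASS_MIN_LEN unset
    max_days = int(ld.get("PASS_MAX_DAYS", 99999))
    findings["password_expiry"] = (max_days, max_days <= MAX_PASSWORD_AGE_DAYS)

    min_len = int(ld.get("PASS_MIN_LEN", 0))
    findings["password_min_length"] = (min_len, min_len >= MIN_PASSWORD_LENGTH)
    return findings


def unmet(findings):
    """Sorted list of checklist items that are not met."""
    return sorted(k for k, (_, ok) in findings.items() if not ok)


# Constructed sample configurations (not captured from a real host).
WEAK_LOGIN_DEFS = """
# constructed: passwords never expire, length below checklist minimum
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""
WEAK_FAILLOCK = """
# constructed: deny = 0 disables account lockout
deny = 0
unlock_time = 600
"""
WEAK_PROFILE = "TMOUT=900\n"   # 15 minutes, longer than the checklist allows

COMPLIANT_LOGIN_DEFS = "PASS_MAX_DAYS 180\nPASS_MIN_LEN 6\n"
COMPLIANT_FAILLOCK = "deny = 3\nunlock_time = 600\n"
COMPLIANT_PROFILE = "TMOUT=180\n"

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_LOGIN_DEFS, WEAK_FAILLOCK, WEAK_PROFILE)),
                       ("compliant", (COMPLIANT_LOGIN_DEFS, COMPLIANT_FAILLOCK,
                                      COMPLIANT_PROFILE))):
        result = audit(*cfg)
        print(f"{label}: unmet items = {unmet(result) or 'none'}")
        for item, (value, ok) in result.items():
            print(f"  {item:24s} observed={value:<6} {'OK' if ok else 'FAIL'}")
```

On a real host the three snippets would be read from the files named above; the weak sample fails all four items, the compliant sample none. Note that PASS_MIN_LEN is often superseded by pam_pwquality on modern distributions, so the length check should also be run against that module's minlen setting where it is in use.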

Application Controls
• Access security matrix/policy which identifies users to each
application they should be granted access to and their access rights
within that application should be documented and updated every six
• All violations and security activities must be logged, reported,
reviewed and appropriately escalated to identify and resolve incidents
involving unauthorised activities.

Physical Security
• Network Servers should be located away from hazardous operations and in a clean and stable environment.
• There should be fire detection and extinguishing equipment near the Network Servers.
• Access to the Network Server room should be restricted to authorised officers with access cards.
• All computer equipment should be tagged and accounted for in the Fixed Assets Register.
• All commercial software in the computers must be licensed.

Continuity Planning
• Data should be backed up daily and stored in a fire proof safe.
• There should be weekly data back-ups and these backup media should be stored offsite.
• Uninterruptible Power Supply (UPS) equipment should be installed.
• Contingency plans should be established and tested annually.
• The contingency plans should:
– Identify key personnel and their responsibilities
– List emergency phone numbers
– Detail arrangements for immediate replacements of essential hardware
– Detail the restoration of backed-up data (verify the integrity of both the media and the disks)

User Request Management
• User request for modification on application and output should be approved by the respective Functional Managers.
• Monthly meetings with respective division should be conducted to
consolidate and prioritise user requests and update the status of

Segregation of Duties
• There should be segregation of duties between the following functions:
– Maintenance of computer systems
– Computer programming
– Normal operations and accounting
