I’ll never forget the phone call after a district’s administration building was destroyed one weekend. The chief financial officer was rushing to prioritize crucial tasks due to the lack of a robust business continuity capability; in other words, all data backups were gone. This story illustrates one reason why technology service controls are essential to helping ensure that the delivery of programs, activities and services will go “according to plan.” Because technology services are the backbone of the entire organization, system performance issues will affect most, if not all, employees. Insufficient controls can very quickly introduce undesirable levels of avoidable risk that can have significant monetary consequences. All districts need to periodically take an inventory of their documentation of various basic technology service controls, including:
- Technology service portfolio or protocols for delivering requested services according to needs/priorities
- Access controls, including approval of new, changed, and deleted logons by someone other than the person assigned to implement those access control changes
- Continuation plans, including cross-functional training; external consulting resources; critical activities; processes backup files; programs; and server replication capabilities in addition to tests
- Change management procedures for software version changes and upgrades
- Data quality checks related to application performance
- System security and application access log reviews
- Password change schedules and strong password rules
- Procedures for modification and removal of access to IT systems for employees who terminate their employment or have changed job responsibilities
- Access controls according to segregation of duties
- Prohibitions on sharing accounts and passwords
- Acceptable use of equipment and systems
- Limited administrator logon access for various systems
- Communication alerts based upon access and use
- Security issue protocols regularly reviewed and updated
- Uniform installation of security and program updates and patches
- Laptop encryption and location controls
- Reporting protocols for IT security issues, including missing/stolen laptops and equipment at a minimum
- Periodic risk assessments
After taking an inventory of these basic controls, you should attempt to quantify the scope and depth of potential impacts. To read a related article on assessing potential impacts, click on the link below.
http://connect.tasbo.org/blogs/thomas-canby/2016/11/23/internal-control-tip-of-week-use-a-visual-matrix-to-strike-the-right-balance