Security
Definition:
The security of University assets and records includes three types of safeguards: administrative, physical and technical.
Administrative security: This focuses on the departmental and University processes put in place to protect assets and records. It includes the previously mentioned processes of authorization and reconciliation.
Physical security: This is the protection of physical records and assets from loss through theft or damage.
Technical security: This is the protection of electronic records from loss through theft, damage, or loss in transport.
Purpose:
Assets and records should be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for ongoing operations, for the accuracy of information, and for the privacy of personal information included in some records; in many cases it is also required by state or federal law.
Concepts and Best Practices

| Key Concept | Best Practice |
| Designate a point person | Designating a point person, either for all areas or individually for each of the three types of security, establishes responsibility and accountability for proper security procedures. |
| Administrative organization | Keep an up-to-date organizational chart that defines reporting relationships as well as responsibilities, including back-up responsibilities, for internal controls within the unit. Document processes such as opening and distributing mail, administration of keys, access to documents and other administrative controls. |
| Access to electronic records: limit access to records and assets to those who have been authorized and have a business need for them. | Establish and communicate unit standards for screensavers and password-protected screens. Set up password-protected access to electronic records. For more, see the Information Security Program. |
| Physical access to records: limit access to records and assets to those who have been authorized and have a business need for them. | Do not allow electronic records to be downloaded to mobile workstations and transported outside of the office. Keep important records in lockable, fireproof storage. |
| Employee turnover: limit access to records and assets to those who have been authorized and have a business need for them. | Develop a checklist for removing access to records upon separation of an employee or upon transfer out of the unit. Develop a process and assign a point person responsibility for administering the process for deleting access to records. |
| Passwords | Have a prescribed standard for departmental passwords. Make them complex and enforce a policy for changing passwords periodically. |