Generally, when executives are discussing the company’s internal safeguards, they look to controls within the accounting department such as segregation of duties, dual check signors and purchase order matching. But what about safeguards within the information technology environment? As the role of IT continues to grow in the business world, your company should continue to ensure there are sufficient resources allocated for the IT environment and its necessary safeguards.
The most important safeguard you should implement is scheduled system backups. A company should ensure that the accounting system and other operating systems are backed up routinely and that the backups are stored in off-site facilities. Off-site storage will be beneficial if your company experiences a flood, fire or other disaster that compromises the IT system. In addition, you should test the backups in a “sandbox” (a virtual environment) to validate that they can actually be restored; a restore test also gives you a rough estimate of downtime. Backups should be tested routinely and after application changes such as new software releases or installed software patches. A backup that doesn’t work is useless.
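The restore test described above can be scripted so it runs on a schedule and after every patch. The following is an added example, not code from the original article: it builds a small constructed backup archive, restores it into a scratch directory (standing in for the "sandbox"), verifies every file against a SHA-256 manifest, and reports the restore time as a downtime estimate. The manifest format (`MANIFEST.sha256`, one `<hex>  <path>` line per file) and the sample files are assumptions made for illustration.

```python
"""Restore-test a backup archive and verify its contents.

Added example (not from the original article). Assumes the backup is a tar.gz
that carries a MANIFEST.sha256 file listing "<sha256>  <path>" per file; the
sample backup below is constructed inline so the script runs offline.
"""
import hashlib
import io
import os
import tarfile
import tempfile
import time
from typing import Dict, Optional, Tuple

MANIFEST_NAME = "MANIFEST.sha256"  # assumed manifest file name

# Constructed sample content standing in for an accounting system backup.
SAMPLE_FILES = {
    "ledger/2024.csv": b"acct,amount\n1000,42.00\n2000,17.50\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
}


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large restores do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_backup(dest: str, files: Dict[str, bytes],
                        tamper: Optional[str] = None) -> str:
    """Write a constructed backup archive plus manifest. If `tamper` names a
    file, its stored bytes are altered after hashing to simulate a bad block."""
    manifest_lines = []
    with tarfile.open(dest, "w:gz") as tar:
        for name, data in files.items():
            manifest_lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
            if name == tamper:
                data = data + b"corrupted"
            _add_bytes(tar, name, data)
        _add_bytes(tar, MANIFEST_NAME, ("\n".join(manifest_lines) + "\n").encode())
    return dest


def restore_and_verify(archive: str) -> dict:
    """Extract `archive` into a fresh scratch directory, check every manifest
    entry, and time the whole restore. Returns a summary for the test log."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse archive entries that would write outside the scratch dir.
            for member in tar.getmembers():
                target = os.path.realpath(os.path.join(root, member.name))
                if not target.startswith(root + os.sep):
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(root)
        expected = {}
        with open(os.path.join(root, MANIFEST_NAME)) as f:
            for line in f:
                digest, name = line.rstrip("\n").split("  ", 1)
                expected[name] = digest
        mismatched, missing = [], []
        for name, digest in expected.items():
            path = os.path.join(root, name)
            if not os.path.exists(path):
                missing.append(name)
            elif sha256_of_file(path) != digest:
                mismatched.append(name)
    return {
        "ok": not mismatched and not missing,
        "files_checked": len(expected),
        "mismatched": mismatched,
        "missing": missing,
        "restore_seconds": time.monotonic() - started,
    }


def run_demo() -> Tuple[dict, dict]:
    """Restore-test a good backup and a silently corrupted one."""
    with tempfile.TemporaryDirectory() as d:
        good = build_sample_backup(os.path.join(d, "good.tar.gz"), SAMPLE_FILES)
        bad = build_sample_backup(os.path.join(d, "bad.tar.gz"), SAMPLE_FILES,
                                  tamper="ledger/2024.csv")
        return restore_and_verify(good), restore_and_verify(bad)


if __name__ == "__main__":
    for label, result in zip(("good backup", "corrupted backup"), run_demo()):
        print(label, result)
```

The second run shows why the article insists on testing: the corrupted archive extracts without error, and only the manifest comparison reveals that the ledger file is unusable. In production the scratch directory would be a virtual machine and `restore_seconds` would feed the downtime estimate.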
In addition to backups, there are other physical and logical access controls that can be implemented to safeguard the IT environment. While physical access control limits access to buildings, rooms and IT assets, logical access control limits connections to computer networks, system files and sensitive data. Examples of physical and logical access controls include:
- Locked server/IT rooms – You should restrict access to the rooms/areas holding critical equipment and monitor who enters them.
- Passwords – You should implement user passwords to allow only authorized access to systems. To take this further, you may require that passwords be changed at regular intervals (for example, every six months).
- Two-factor authentication – This takes password security to the next level where a user is required to use a security token, fingerprint or other methods such as a security code sent via email or text message.
- User account monitoring
- New or modified rights – You should monitor your software and systems to ensure that users are removed upon termination, and you should also review them to ensure each user has the correct access restrictions.
- Infrastructure and application change controls – You should implement controls to limit unauthorized modification to the infrastructure or applications.
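The "user account monitoring" and "new or modified rights" items above amount to a periodic access review: compare the accounts that exist on the system with what HR and management have approved. The following is an added example, not the article's own procedure: it runs that review over a constructed account export and a constructed HR list of terminated staff, flagging accounts of terminated users that are still enabled, accounts nobody has used within the review window, and privileged group memberships that were never approved. The user names, group names, dates and the 90-day window are all assumptions.

```python
"""Periodic user-access review over a constructed account export.

Added example (not from the original article). Assumes IT can export accounts
as (username, enabled, last_login, groups) and HR can supply terminated staff;
both lists, the group names and the review date are constructed here.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]          # None = never logged in
    groups: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


REVIEW_DATE = date(2024, 6, 1)          # fixed so the review is reproducible
STALE_DAYS = 90                         # assumed inactivity threshold

# Hypothetical privileged groups that require explicit approval.
PRIVILEGED_GROUPS = {"Domain Admins", "Finance-Approvers"}

# Constructed account export from the system being reviewed.
ACCOUNTS = [
    Account("asmith", True, REVIEW_DATE - timedelta(days=5), {"Staff"}),
    Account("jdoe", True, REVIEW_DATE - timedelta(days=40), {"Staff"}),
    Account("svc_legacy", True, None, {"Staff"}),
    Account("bchen", True, REVIEW_DATE - timedelta(days=2),
            {"Staff", "Finance-Approvers"}),
    Account("itadmin", True, REVIEW_DATE - timedelta(days=1), {"Domain Admins"}),
    Account("mlee", False, REVIEW_DATE - timedelta(days=200), {"Staff"}),
]

# Constructed HR data: terminated staff and their termination dates.
TERMINATED: Dict[str, date] = {"jdoe": REVIEW_DATE - timedelta(days=30)}

# Constructed list of users management has approved for privileged groups.
APPROVED_PRIVILEGED: Set[str] = {"itadmin"}


def review_accounts(accounts: Iterable[Account], terminated: Dict[str, date],
                    approved_privileged: Set[str], today: date,
                    stale_days: int = STALE_DAYS) -> List[Finding]:
    """Return one Finding per control exception; an empty list means clean."""
    findings: List[Finding] = []
    for acct in accounts:
        # Terminated employees must have had their access removed.
        if acct.enabled and acct.username in terminated:
            findings.append(Finding(acct.username, "terminated-but-enabled",
                                    f"terminated {terminated[acct.username]}"))
        # Enabled accounts nobody uses are candidates for removal.
        if acct.enabled and (acct.last_login is None or
                             (today - acct.last_login).days > stale_days):
            last = acct.last_login.isoformat() if acct.last_login else "never"
            findings.append(Finding(acct.username, "stale-account",
                                    f"last login {last}"))
        # Privileged rights must match the approved list.
        privileged = acct.groups & PRIVILEGED_GROUPS
        if privileged and acct.username not in approved_privileged:
            findings.append(Finding(acct.username, "unapproved-privilege",
                                    ", ".join(sorted(privileged))))
    return findings


def run_review() -> List[Finding]:
    return review_accounts(ACCOUNTS, TERMINATED, APPROVED_PRIVILEGED, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.username:<12} {f.issue:<24} {f.detail}")
```

Each finding is something the reviewer signs off on or fixes, which gives the review the same paper trail as the accounting controls the article opens with. Disabled accounts are deliberately not flagged as stale, since disabling is the expected end state for a departed user.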
In summary, as IT can be the backbone of your company’s operations, the executive, finance and IT departments should work together to effectively implement physical and logical access controls that safeguard the IT environment.
Kevin C. Bach, CPA, CVA