SECTION 15 INFORMATION TECHNOLOGY



Similar documents
IT Disaster Recovery Plan Template

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

Offsite Disaster Recovery Plan

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Information Systems and Technology

INFORMATION TECHNOLOGY CONTROLS

PART 10 COMPUTER SYSTEMS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Disaster Recovery Planning

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Operational Risk Publication Date: May Operational Risk... 3

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

General IT Controls Audit Program

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

NCUA LETTER TO CREDIT UNIONS

INFORMATION TECHNOLOGY SECURITY STANDARDS

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security Alert

HIPAA Information Security Overview

IT - General Controls Questionnaire

Information Resources Security Guidelines

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Internal Control Guide & Resources

Ohio Supercomputer Center

Supplier Security Assessment Questionnaire

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

DETAIL AUDIT PROGRAM Information Systems General Controls Review

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

State HIPAA Security Policy State of Connecticut

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Information Systems Security Assessment

Volume UC DAVIS HEALTH SYSTEM. HIPAA Security Compliance Workbook. Multi User Guide

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Circular to All Licensed Corporations on Information Technology Management

Disaster Preparedness & Response

Disaster Recovery Plan Checklist

Music Recording Studio Security Program Security Assessment Version 1.1

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Hong Kong Baptist University

ISO Controls and Objectives

Information Security Policies. Version 6.1

MARQUIS DISASTER RECOVERY PLAN (DRP)

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Service Children s Education

Business Continuity Planning in IT

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

University of Aberdeen Information Security Policy

Montclair State University. HIPAA Security Policy

California State University, Chico. Information Security Incident Management Plan

VMware vcloud Air HIPAA Matrix

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

Continuity Planning and Disaster Recovery

Information Security Policy

How To Protect Decd Information From Harm

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

ISO27001 Controls and Objectives

INFORMATION SECURITY PROGRAM

Data Management Policies. Sage ERP Online

Administrators Guide Multi User Systems. Calendar Year

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

TECHNICAL SECURITY AND DATA BACKUP POLICY

Network & Information Security Policy

The Ministry of Information & Communication Technology MICT

Birkenhead Sixth Form College IT Disaster Recovery Plan

DRAFT Disaster Recovery Policy Template

Business Unit CONTINGENCY PLAN

BME CLEARING s Business Continuity Policy

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

ICT & Communications Services Disaster & Recovery Plan

Disaster Recovery Planning Process

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Main Reference : Hall, James A Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications

PBGC Information Security Policy

Union County. Electronic Records and Document Imaging Policy

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

California State University, Sacramento INFORMATION SECURITY PROGRAM

Supplier IT Security Guide

Final Audit Report -- CAUTION --

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

General Computer Controls

Transcription:

SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP)

15.1 PURPOSE The Navajo County Information Technology (IT) Policy is established to ensure that information systems and financial data are adequately safeguarded. Secure systems and data are achieved through the establishment of general and application controls. General controls apply to all IT functions and should achieve the following objectives: A. Effective management of IT resources. B. Adequate segregation of duties and responsibilities. C. Identification of hardware or system software malfunctions. D. Prevention of accidental record destruction. E. Restriction of access to IT resources, such as equipment, files, programs, documentation, and telecommunications. F. Effective systems and programs to prohibit unauthorized program change. G. Detection or prevention of accidental errors occurring during processing. H. Development and modification of IT-based accounting systems according to management and user reporting requirements. I. Consistent and reliable operation of the IT function. J. Adequate documentation and control of systems, programs, and instructions. Application controls are categorized as input, processing, and output controls and should achieve the following objectives: A. Maintain an adequate audit trail so transactions can be traced from inception to final disposition through the IT process and vice versa. B. Input date is appropriately authorized. C. Transactions are recorded accurately on the computer files. D. Data on files remains correct and current over an extended period. E. Computer-generated output is reconciled, checked for validity, and distributed to the appropriate recipients.

To properly prepare for a disaster policies and procedures should include the following: A. Formally assign disaster recovery coordinators from applicable departments to form a disaster recovery team. B. Require the creation and preservation of back-up data. C. Make provisions for the alternative processing of data following a disaster. D. Provide detailed procedures for restoring data files. E. Establish guidelines for the immediate aftermath of a disaster. 15.2 AUTHORIZATION A. Ensure security over computer systems and the data they contain to prevent or detect unauthorized use, damage, loss, or modification of programs, and misuse of information. 1. Limit logical access to authorized users of the County systems. 2. Use a standardized access request form for approval for access to the systems, and retain all access request forms with the supervisor s approval. 3. Eliminate access to computer systems promptly when an employee separates employment with the County. 4. Require users to change passwords at regular intervals, e.g., every 3 months, and to set passwords that include special characters and minimum length. 5. System controls to lock out users after more than three failed access attempts. 15.3 INTERNAL CONTROLS A. Internal controls support IT activities and help Navajo County to achieve the following objectives: 1. Effective management of computer resources. 2. Adequate segregation of duties and responsibilities. 3. Identification of hardware and system software malfunctions.

4. Restriction of access to IT resources, such as equipment, data, programs, documentation, and communication systems. 5. Effective systems and programs to prohibit unauthorized program change. 6. Adequate documentation and control of systems, programs, and instructions. 7. A periodic review of user access is conducted to ensure segregation of duties. 8. Elevated access as related to job duties is monitored electronically on an ongoing basis. B. Organization and operation controls provide segregation of functions, duties, and responsibilities so that no one individual performs incompatible duties. C. Navajo County has controls for the development and modification of each application system. IT systems are developed or modified according to management and user requirements. Requirements for systems development involve: 1. User representatives and designated management employees evaluate proposed systems at critical stages. 2. Segregation of duties for: a. Developing, implementing changes and testing. b. Authorizing and approving changes. 3. IT personnel will obtain final approval from users before placing a system into operation. 4. IT will establish procedures to authorize, test, implement, and document program changes after implementing the system to maintain its integrity. D. Maintain hardware and system software controls to identify malfunctions that occur in both the hardware and software. E. Access controls provide safeguards that allow only those individuals designed by management to use hardware, files, or programs. 1. Access to production data and program files will be controlled and limited where possible.

2. Management will limit computer hardware access to operators and assign hardware to specific employees. This data is maintained and verified in accordance with the capital asset policy 3. Access to hardware, files, and programs is limited and monitored through the following safeguards: a. Physical Security Devices b. Logical Security Techniques F. Data and procedural controls provide a framework for controlling daily operations and establishing safeguards against processing errors. 1. Written documentation of the various IT systems is maintained for users as applicable. 2. IT functions are reviewed and tested periodically to monitor the effectiveness of data and procedural controls. G. Contingency planning controls are designed to safeguard against the accidental loss or destruction of records, and to prevent interruption of IT operations. 1. Backup controls. Files, programs, and documentation are physically safeguarded by maintaining backup copies in an off-site storage facility. 2. Environmental controls. The storage site will be protected against safety hazards and environmental damage, as well as unauthorized access. 3. Disaster recovery controls. Navajo County has outlined disaster recovery controls extensively in the Information Technology Disaster Recovery Plan, a section in the Emergency Operations Plan. 15.4 COMPUTER RESOURCES A. The following general controls are implemented for personal computers, laptops, and tablets. 1. Physical security. In a personal computer environment, personal computers and equipment should be adequately protected against theft, unauthorized use, and environmental hazards. 2. Backup and recovery. Data files are mirrored daily so that at least a second copy is available for processing if the original file is lost or

destroyed. Backup copies of critical data files are stored in safe locations that are secure from hazards, such as fire or extreme heat. B. Virus Prevention and Detection The IT Department routinely evaluates network security and attempts to identify potential areas that are susceptible to threats. 15.5 NETWORK/SYSTSEMS ACCESS Network/systems access is requested, approved and granted through a formal process using the Systems Access Request Form in the appendix of this manual. This process applies to new employees or changes to access for existing employees. 15.6 DISASTER RECOVERY PLAN (DRP) A. Purpose. Governments provide many essential services to their citizens. The disruption of these services following a disaster could result in a significant harm or inconvenience to those whom government serves. State and local government have a duty to ensure that disruptions in the provision of essential services are minimized following a disaster. 1. Risk Assessment. All County systems are essential but are prioritized in the event of a disaster recovery. 2. Applicability. The Disaster Recovery Plan covers all essential and critical infrastructure elements, systems and networks. 3. Testing. The DRP is periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed. 4. Communication. All staff must be made aware of the disaster recovery plan and their own respective roles. Copies of the DRP are distributed to appropriate personnel. A copy is kept electronically at the Alternate Data Center. B. Objectives. The principal objective of the disaster recovery program is to develop, test and document a well-structured and easily understood plan which will help the county recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following: 1. The need to ensure that all employees fully understand their duties in implementing such a plan. 2. The need to ensure that operational policies are adhered to within all planned activities.

3. The need to ensure that proposed contingency arrangements are costeffective. 4. The need to consider implications on other county sites. C. Disaster recovery capabilities as applicable to key customers, vendors and others. Key Personnel Contact Info and the notification list are documented in the Emergency Operations Plan (EOC). D. Plan Updating. It is necessary for the DRP updating process to be properly structured and controlled. Whenever changes are made to the plan they are to be fully tested and appropriate amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the IT Director. E. Backup Strategy. Navajo County has a fully mirrored recovery site at a remote location. The site is a fully mirrored duplicate site which will enable instantaneous switching between the live site (Holbrook Complex) and the remote backup site. F. Emergency Response. 1. Plan Triggering Events. In the event of the primary facility and/or normal operations failure the disaster recovery plan will be activated 2. Assembly Points. Where the premises need to be evacuated, the alternate data center is the assemble point G. Exercising/Testing. Plan exercising ensures that emergency teams are familiar with their assignments and that systems can be restored as planned. Random periodic testing of systems is performed and results of the testing are documented electronically.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information