Vision & Mission

Our Charter

Organization Chart

Contact Information

Ask the Auditors

Affiliations & Links

Publications
Audit Manual
Function & Services
Audit Process
Internal Controls
Computers
Control Workbook

CPE Resource

Audit Terms

Feedback Form

IU Home

Search

Protecting Departmental Computing Resources

What are departmental computing resources and why protect them?
Backup Procedures
Physical Security
Data Security
Documentation
Continuity Planning

Information created and processed by computers, and the hardware itself, are valuable assets. This brochure presents a brief discussion of the ways to protect both of these important assets.

What are departmental computing resources and why protect them?

Departmental computing resources, such as local area networks (LANs), minicomputers, and workstations (personal computers, RS/6000, etc.), represent significant financial investments for Indiana University departments. The information each department creates and uses is important to their operation (academic and administrative functions) and is also a valuable asset of the University. This brochure provides guidance to departments on controls they can use to protect their computing resources. Examples of controls discussed include backup procedures, physical security, data security, documentation, and continuity planning.

There are many ways departmental computing resources could be vulnerable. For example, LANs usually house all the data available to users, as well as information about which users can access that data and how they can use it. Controls should be in place to prevent unauthorized access to the LANs. Other potential hazards include the possibility of data destruction from virus infection, human error, computer breakdown, environmental hazards, and theft.

Top of Page

Backup Procedures

What are backup procedures and why do we need them?

Backup procedures refer to scheduling times to backup the information, performing the actual backup, and storing copies of files on alternate storage media (tape, disk, CD-ROM, optical disk). Backing up files safeguards data from hardware failure, environmental hazards, or unintentional deletion.

When should backups be performed?

Usually, this is a judgment decision based on your assessment of how critical the data is to your operations. Also, the timing of backups depends greatly on the frequency of changes to the data compared to the resources required to perform the backup. Generally, frequent backups are necessary if data on your system changes significantly each day.

When to backup data should be tailored to the specific needs of your environment. Periodically, schedules should be reviewed to ensure they represent current needs. Good business practices for departmental systems include daily backup of that day's activity and weekly backup of the entire system.

Where should the backups be stored?

It is a good idea to store at least one copy of the backup off-site. This will safeguard a copy of your backups in the event on-site backups are destroyed. Both on-site and off-site backups should be protected from unauthorized access.

Top of Page

Physical Security

What is physical security and why do we need it?

Physical security involves the protection of computing resources from unauthorized access and from environmental hazards such as fire, water, and power failure. Inadequate protection of computer hardware and software can limit its life, lead to system failures, and most important, result in loss of data.

What can you do to limit your exposure to environmental and physical threats?

Perform a review of the physical and environmental threats that reside in your department. Generally, a casual walk-through of your department will detect the more obvious threats. Procedures that can limit your environmental and physical exposures include:

• Place computer hardware in a clean environment, away from radiators, direct sunlight, and windows
• Connect all computer hardware to surge protectors and/or uninterruptible power supplies
• Ensure there are sufficient electrical outlets
• Ensure the file server or minicomputer is in an area not accessible by the public and lock the system console when not in use
• Inventory hardware and software periodically

Top of Page

Data Security

What is data security and why is it important?

Data security consists of procedures that prevent unauthorized access to your computer resources. Appropriate security procedures should not significantly hinder a person from performing their work. Security procedures should, however, protect data from unintentional acts, as well as intentional ones. Examples include:

• Select appropriate password safeguards

• A hard to guess password

• Periodic password changes

• Seven or more alphanumeric characters per password

• Passwords kept confidential

• Screen-saver passwords

• Assign each user a unique user ID (no shared user IDs)

• Limit user access to system software

• Control access to specific applications and data files

• Limit access to what is required to perform a person's job function and to allow for appropriate segregation of duties

• Review security logs

• Limit concurrent logins

• Activate intruder detection and prevention mechanisms

• Implement adequate virus protection procedures

What level of data security should exist?

An assessment similar to the one discussed for continuity planning will help determine the level of data security necessary for your operations. Often, an assessment of data security is part of continuity planning (for further discussion see continuity planning).

Top of Page

Documentation

What type of documentation do I need and why?

Documentation includes written procedures and instructions related to the administration, operation, and security of your department's computing resources. Inadequate documentation can lead to:

• Over reliance on knowledge of key employees

• Lost time and effort

What types of information should be documented?

• Backup procedures (including restart and recovery procedures)

• Installation, specific operational procedures and configuration settings that affect your primary system (LAN, minicomputer)

• Program and application change control documentation where appropriate

Top of Page

Continuity Planning

What is continuity planning and why do we need it?

Continuity planning is a plan of action to be implemented upon loss of computing resources. Lost resources could be hardware, data, or a person's time.

At Indiana University, many departments and individuals rely on computer resources to perform their everyday duties. Computers greatly assist our productivity and our reliance on them is significant. If your workstation or your department's LAN was unavailable for an extended period, you could not use word processing, read e-mail, or perform your research or administrative activities. If data or applications on your workstation or LAN are destroyed, valuable time and assets may be lost. You must take precautions to minimize the loss of these resources.

Why should you assess your departments computing environment?

An assessment of your computing environment will determine how various processing disruptions could impact your operations. Examples include interruptions in teaching and administrative activities, damage or loss of data (including research data), vandalism, and the ineffective and inefficient use of resources. Brainstorming sessions that include both management and employees provide a good tool to identify potential exposures and assist in building awareness between management and employees.

This assessment is then used to develop a plan based on the different threats and their level of impact to your operations. Steps taken to minimize the impact of various threats could include use of uninterruptible power supplies, surge protectors, off-site storage of backups, extra work stations, use of passwords, and procedures to limit the unintentional destruction of data.

What should a continuity plan contain?

The success of the continuity plan is directly related to the quality of the documentation and the participants understanding of their roles. Periodically, management should update the plan and review it with all participating parties to emphasize its importance. A continuity plan should, at a minimum, include the following:

• Off-site storage of critical forms used in the day-to-day operations of the office

• Off-site storage of computer backups for data and other software

• A comprehensive software and hardware inventory

• Written procedures and guidelines that describe each person's roles and responsibilities

• A list of functions that can be performed temporarily on computer resources that reside at another location

• A listing of contacts needed to reestablish computing resources

Last revised July 2000

Top of Page

Other Internal Audit materials include:

• Internal Audit Functions, Services, and Scheduling (brochure)

• The Audit Process How We Work With You (brochure)

• Internal Controls A Guide for Managers (brochure)

• Internal Controls (video and booklet)

  Internal Audit is committed to serving the University community.
  For more information, contact us at:

  Internal Audit
  Poplars 319
  Bloomington Campus
  (812) 855-3361

  E-mail: teradke @ indiana.edu