Good governance and accountability require an organization to adopt IT policies and procedures that provide criteria and guidance for the company's computer-related operations. To protect computing resources and data effectively, a company should have, at a minimum, an acceptable use policy that tells users what appropriate and safe use of company computers looks like, a hardware and media sanitization policy that ensures equipment is not discarded or resold while still holding sensitive data, and a breach notification policy that sets out what happens when sensitive data is compromised. These policies should be reviewed periodically and updated as necessary to reflect changes in technology or in the organization's computing environment.
Management and the Board are responsible for creating policies and procedures that safeguard PII or PPSI against unauthorized access, misuse, or abuse. This covers data that resides on every type of computing device, from laptops to cell phones. Policies should therefore also define which devices are in scope (for example, company-owned versus personally-owned), the procedure for reporting a lost or stolen device, and the process employees must follow before connecting a new device to the organization's systems.
Lastly, all information, whether in printed or electronic form, should be classified by assigning a level of risk to each type of information. The risk level should be based on the criticality and sensitivity of the information and should drive the security controls that must be applied to it. Once classified, data should be labeled consistently so that the handling rules for its class (who may access it, how it is stored, transmitted, and destroyed) can be applied uniformly, which is what preserves its confidentiality, integrity, and availability. Consistent classification matters most after a data breach caused by unauthorized system access or theft of equipment, because it determines which records were exposed and what notification is required.
The following is a list of sample policies related to IT and their purpose:
Acceptable Use of Computer Equipment and Internet:
Describes how staff can and cannot use the School's computer-related technology. Defines the IT security protocols, including password complexity requirements and how often passwords must be changed, what access rights employees have within the various systems, the backup protocols, and the recovery testing requirements. Note that current guidance (NIST SP 800-63B) recommends against forcing periodic password changes unless there is evidence of compromise, favoring longer passwords, screening against known-breached passwords, and multi-factor authentication instead; a policy that still mandates rotation on a fixed schedule should be revisited against that guidance.
Information Security Breach and Notification Policy:
This policy details how the organization will notify individuals whose private information was, or is reasonably believed to have been, compromised, including who decides that a notifiable breach has occurred, the timeline for notification required by applicable state or federal law, and any regulators or law enforcement agencies that must also be informed.
Cybersecurity Policy for Remote Users:
This policy stipulates guidelines for complying with security protocols when working remotely or when traveling. It may include the required use of approved, encrypted messaging programs such as Signal or WhatsApp; the schedule on which operating-system and security patches must be applied and antivirus or anti-malware software kept current; and the procedure for remotely wiping a device that is lost or stolen. Remote wipe is only possible for devices that were enrolled in the organization's device management before they left the building, so this policy should be read together with the device-enrollment process described above.
Document Retention and Destruction:
States that the School will adhere to State and/or Federal document retention requirements (the retention period for each type of document should be documented in the procedures). The policy should also state that the School will comply with any State/Federal requirements regarding the destruction of records, including the secure destruction of electronic records and the media that hold them.
Data Classification and Confidentiality:
Describes what information is considered confidential and states that the School will ensure such information is not shared except as permitted (specific procedures should describe how information may be disseminated and the protocols for handling sensitive information).
Electronic Mail and Monitoring:
Notes that the organization's email system is intended for business use only and describes specific instances of prohibited email usage. In addition, the policy states that management has the right to access, search, and/or monitor the email of any employee without advance notice, consistent with applicable state and federal laws.
Internet Usage and Monitoring:
Describes the restrictions on employees' Internet usage, including personal communication, purchasing personal items, gambling, and using the Internet to display, transmit, and/or download sexually explicit content. The policy further states that Internet use is logged and that management may investigate such usage.
Social Media Policy:
Many organizations rely on social media to promote awareness of their programs, and many cyberattacks (phishing, impersonation of staff or the organization, and other social engineering) are conducted through social media. Along with Internet usage, this policy describes what content is deemed appropriate, who is authorized to post on the organization's behalf, and prohibits the posting of any confidential information.
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.