Office of Internal Audit

Information Technology

1. Does each person with system access have a unique (not shared) user ID?
  • Ideal Answer: YES. Anyone needing access to any IT system must have their own personal ID, which must be obtained through coordination of the offices of Human Resoure Services (HRS) and Information Technology Services (ITS).
2. Are user ID's and passwords kept secret?
  • Ideal Answer: YES. User ID's and passwords should be kept confidential and never shared with anyone.

3. Are user passwords composed of a unique 8 to 30 alpha/numeric characters and changed at least every 90 days?

4. Are files of personal computers, including laptops and notebooks, backed-up on a regular basis?
  • Ideal Answer: YES. Files stored on personal computer local drives should either be backed-up to a network drive or to a disk media (floppy/CD-R/DVD-R) on a regular basis.
5. Does the department maintain individual/site license documentation for all software installed or used on departmental PS's?
  • Ideal Answer: YES. Documentation showing proof of purchase/license for all departmental software should be maintained in a central file. Any software installation media should be centrally secured and controlled to avoid unauthorized installation and use.
6. Is the level of IT system access assigned to each staff member regularly reviewed by management to assure that there is still a continuing need for it?
  • Ideal Answer: YES. User access right to information and systems should be periodically reviewed to make sure a valid job-related need still exists for the access.
7. Does department management review and approved the request for access by any University employee to the University systems for which the department is responsible?
  • Ideal Answer: YES. Management should sign all access requests only after verifying that it is necessary for the staff member to perform their job duties.
8. Is the required paperwork notification completed and filed before a staff member removes any IT equipment from campus for an extended period of time?
9. Are the hard drives of computers being disposed of, over-written to Department of Defense (DOD) standards or physically destroyed prior to be sent to Surplus?
  • Ideal Answer: YES. In order to prevent the compromise of confidential data or violation of software licensing agreements, all computer hard drives should either be overwritten using a software utility that meets DOD standards, or physically disassembled and destroyed. Please note that the standard "Format" command is not sufficient, and does not prevent data recovery. See ITS article on Effectively Erasing Data for more information.
10. Does the department have a documented disaster recovery/business continuation plan?
  • Ideal Answer: YES. All departments should document the process they would follow to restore operation in the event of a local disaster. The recovery plan should be tested on at least an annual basis.