| Risks | Controls |
|---|---|
| Employees are not aware of the need to maintain secure data. | Information security policies should be defined and communicated to employees. |
| Private, sensitive, or confidential data is disclosed to unauthorized individuals. | Computer access should be restricted by job requirements. Passwords should be protected. |
| Computer records are subject to unauthorized access. | Formal procedures for adding, changing, and deleting access to systems, including appropriate authorizations and documentation, should be developed. |
| Erroneous transactions are entered into a system. | Ensure that the same person does not initiate, authorize, and process a transaction. |
| Computer systems cannot be restored and University processes cannot be performed. | A comprehensive disaster and recovery plan should be documented, tested, and communicated to all employees. |
| Key employees are not available due to illness or a decision to leave the University. | Staff and executives should be appropriately cross-trained. Roles and responsibilities should be defined, documented, and communicated to applicable personnel. Appropriate documentation should exist to run systems and key programs. |