Information Technology Governance

Local Government Management Guide

Security Self-Assessment

The Security Self-Assessment appended to this publication addresses key areas of IT internal controls such as policy, training, access and contingency planning. Several of the main questions include follow-up questions that will elicit information helpful for evaluating the answers. For example, one of the questions is, “Were all computer users provided IT security training?” The question is followed by a prompt to record the date(s) of training and who attended, if applicable. If all computer users were provided with IT security training but that training occurred six years ago, the governing board may want to consider arranging for additional training or a refresher in the near future. Likewise, if only a small handful of computer users have received IT security training, the governing board should be aware of that as well.

Some questions are followed by a suggested step you can take to verify and better understand the answer provided. For example, if an up-to-date list of computer hardware is maintained, you could obtain a copy of the inventory listing and review it for reasonableness (i.e., does the inventory make sense given what you know about the local government or school and its operations). This would help you assess whether the list is truly up-to-date. For example, if the inventory of computer hardware does not include any laptop computers, yet you have observed staff working on laptop computers, you may want to ask a follow-up question about the apparent omission from the records.

Similarly, when completing the access controls section of the assessment, you could review a current list of authorized computer users and their levels of access. If names on the list are unrecognizable or if the list contains individuals no longer employed by the local government or school, you could ask appropriate follow-up questions. In addition, questions about access to particular software applications may arise. For example, a member of the governing board may notice that someone with no accounting responsibilities has access to the local government or school’s accounting program.

The following guidance will help you to understand each internal control on the Security Self-Assessment and why it is important to the security and oversight of your IT systems. It should be noted that the manner in which the answers to the questions are obtained is up to the governing board. Board members could interview appropriate responsible parties such as the IT manager or IT vendor (if applicable) in person and ask follow-up questions or obtain additional information for clarification purposes at that time. Alternatively, the governing board could give the self-assessment to the appropriate responsible parties and ask that they complete and return it. In any event, the governing board will probably need to speak with IT personnel and other key staff who play critical roles in the IT internal control environment to ask additional questions, obtain more details regarding the answers provided and discuss the next steps to be taken. Because computing environments and operations change over the course of time, governing boards should periodically review IT controls. We recommend that this be done at least once a year.

The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf