Effective IT Controls Ease Computing, Communications and Security Concerns

Public CIOs Develop Manual and Automated Processes to Improve Services and Build Trust.

by Alyssa G. Martin / January 31, 2008

When a tornado, flood or other catastrophe strikes, residents seek immediate emergency aid and the rapid resumption of ongoing government services. Emergency management officials must implement plans that meet the most pressing demands, with assistance from environmental protection, fire, health, law enforcement and other public agencies and departments, including those for transportation and schools.

During an emergency situation, generators provide electricity, if necessary, to power IT hardware. Backup files archived by an offsite data storage vendor provide access to critical information if it cannot be retrieved from local servers. IT disaster recovery plans - devised as part of general IT control planning - help public leaders quickly address citizen needs when catastrophes occur.

General IT controls are the foundational controls within an organization that cover computing, communication and security concerns. Perhaps the greatest measure of their effectiveness is that they typically do not call attention to themselves when functioning properly. Controls enable various agencies, departments and other public-sector organizations to concentrate solely on providing necessary services while also promoting confidence and trust among constituents.

Benefits of General IT Controls
Effective general IT controls help the public sector operate as efficiently and productively as possible. They automate processes that had been performed manually, accommodating larger workloads without hiring additional personnel. 

General IT controls help maintain the balance between accessibility and security. They make it possible, for example, to archive meeting minutes and other documents online for 24/7 public review. Such controls also keep Social Security numbers, college transcripts, health-care treatment records and other personal information safe from unauthorized use.

Public-sector entities face considerable fiduciary responsibilities and greater media scrutiny than their private-sector counterparts. The damage that follows disclosure of a costly and poorly planned IT system migration or a potential incident of embezzlement is severe and difficult to overcome. General IT controls uphold fiduciary standards by deterring ill-advised or illegal activities. Preventive measures provide the greatest protection against reputational risks.

In all that they do, general IT controls enable public-sector leaders to serve their constituents more effectively and continually enhance trust among all stakeholders.

Elements of IT Controls
IT infrastructure provides the foundation for the applications and automated processes used by various public-sector functions. That infrastructure is composed of three layers: databases and the database management system, the operating system and the network. The applications reside atop the databases and database management system, with the operating system and the network layers serving as the base of that infrastructure.

General IT controls support that infrastructure. System controls, for example, support application controls used for protective services or regulatory oversight processes. Controls for the database management system and crucial databases ensure the integrity of data exported to applications for generating property tax assessments, motor vehicle registration renewal notices and water utility bills.

General IT controls also provide critical deterrents against improper activities. Gaining unauthorized entry into the IT system or a particular application is a common first step for individuals intent on committing fraud or identity theft. Network access controls, change management policies and other general IT controls offer continual defense against these problems.

Determining Scope
Public entities vary in the specific technologies they deploy and the resources they can commit to general IT controls. Applying effective oversight, however, is more dependent on identifying and addressing specific concerns than on funding or staffing levels. Mapping the processes involved in various functions illustrates areas of dependence on the IT infrastructure and specific need for general IT controls.

The COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library) frameworks provide CIOs the direction they need for devising effective general IT controls. Both are open, customizable frameworks that enable technology departments to address specific IT control issues.

General IT controls may include manual and automated processes. Specific controls, on the other hand, may include preventive measures such as access restrictions based on passwords, or detective measures such as reviewing logs of actual users to determine whether access authorizations were properly granted and documented.

This type of IT oversight requires a balance of preventive and detective controls. Preventive controls function as deterrents and safeguards while detective controls monitor the effectiveness of preventive controls and highlight vulnerabilities.

Crucial Areas Addressed
Elected officials and other public leaders establish an environment conducive to the effectiveness of general IT control by emphasizing the importance of ethical behavior and adhering to control procedures and standards. Through continual communication, leaders enable individuals to recognize the importance of general IT controls and their relationship to public service.

Technology planning acknowledges that all IT elements, including applications, workstations, servers, routers and other network components, need periodic major upgrades or replacements to promote efficiency and sustain data integration and interoperability with other public-sector entities.

That planning also acknowledges public organizations operate from annual budgets, and that funds for upgrades and replacements must be secured within yearly spending constraints.

Technology planning is typically based on a three-year cycle, with major upgrades or replacement slated on that timeline. Planning allows technology managers and CIOs to determine which IT items require funding for upgrades or replacement in a given year.

The scope of IT plans can vary immensely. A state university system, for example, may require IT infrastructure comparable in size and cost to that used by a massive corporation. A rural public library serving only several thousand residents has far less expansive IT needs. Technology planning principles and methodology are scaled to meet those diverse needs and budgetary limitations.

Monitoring of general IT controls is crucial. An IT department should test, document and identify key controls throughout the year. Key general IT control areas include: 

  • Physical Security: Limits access to areas housing general IT systems that support critical activities and controls. Security measures include equipping restricted entryways with magnetic card scanners and installing surveillance cameras in corridors.
  • Data and Program Security: Protects data, applications, databases, operating systems and other IT infrastructure from unauthorized access. Control measures include firewalls, password protections and user provisions.
  • Technical Rotation Planning: Enables technology departments to plan for and procure necessary investments and upgrades within annual budgetary processes.
  • Change Management: Addresses the processes associated with selecting, implementing and modifying applications, servers, workstations and other IT elements.
  • Systems Software Support: Assures timely, required vendor and in-house enhancements, patches, service packs and technical support as they apply to servers, operating systems, and database management systems, as well as specific applications.
  • Database Administration: Controls access and activity, and monitors changes to database management systems or database records to ensure data integrity, reliability and security.
  • Computer Operations: Ensures system processing is authorized and scheduled appropriately, and deviations or problems are identified and resolved. This includes procedures for backup and recovery of data and systems in the event of a disaster.
  • Network/LAN/Telecommunications: Assures reliable and secure transmission of data from internal and remote-access sources, allowing local governments, agencies, departments and school districts to easily share critical information with public entities throughout the county, state and country.

Principles for Effective IT Controls
The public CIO is responsible for deploying and overseeing the maintenance of general IT controls. Many of the principles that guide that work concern balancing individual employees' IT needs against the need to guard against unauthorized access, conflicts of interest and opportunities for fraud.

Maintaining that balance starts with determining roles, rights and duties for each employee. An individual's role or responsibilities determine what rights or privileges that person needs to access various aspects of the IT system. Duties define the particular tasks or activities an individual performs and include the functions that person performs within an application, database or other IT component.

User provisioning assigns a profile to each employee that encompasses that person's roles, rights and duties as they relate to work responsibilities and required IT access needs. The concept of least privilege is incorporated into user provisioning: least privilege allots each individual access to only the IT systems required by that person's work duties.

Based on logins and passwords, an Active Directory or LDAP (Lightweight Directory Access Protocol) directory automatically maintains employee groupings and the rights and levels of privilege assigned to each individual. The directory grants or rejects access attempts based on the login and the directory information.

Separation of duties divides tasks that would create an inherent conflict of interest if performed by a single department or individual. Separation is a crucial control for reducing errors and preventing fraud. For example, building sites should be inspected for construction code compliance by someone other than the person who approved the building permits. Monthly bank account statements for an adult education program need to be reviewed and reconciled by someone who has no responsibilities for receiving or making payments from that account. All defined separations of duties need to be reflected in IT directories and access restrictions.
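The roles-rights-duties model, least privilege and separation of duties described in the preceding paragraphs can be expressed as a small provisioning check. The following is an added illustration, not code from the article or from any directory product: the roles, rights and conflicting role pairs are constructed here to mirror the article's building-permit and bank-reconciliation examples, and the in-memory `Directory` class stands in for the Active Directory or LDAP group membership a real deployment would consult.

```python
"""Least-privilege provisioning with separation-of-duties enforcement.

Added example (not the article's code). Roles, rights and the
conflicting role pairs below are constructed for illustration; in a
real deployment they would be LDAP / Active Directory groups.
"""
from dataclasses import dataclass, field

# Each role carries only the rights its duties require (least privilege).
ROLE_RIGHTS = {
    "permit_approver": {"permits:read", "permits:approve"},
    "site_inspector":  {"permits:read", "inspections:record"},
    "ap_clerk":        {"bank:read", "bank:pay"},
    "reconciler":      {"bank:read", "bank:reconcile"},
    "auditor":         {"permits:read", "bank:read"},
}

# Role pairs one person must never hold together (the article's examples:
# the permit approver must not inspect; the payer must not reconcile).
SOD_CONFLICTS = {
    frozenset({"permit_approver", "site_inspector"}),
    frozenset({"ap_clerk", "reconciler"}),
}


class SeparationOfDutiesError(ValueError):
    """Raised when a role assignment would violate a defined separation."""


@dataclass
class Directory:
    """Minimal stand-in for a directory: user -> set of role names."""
    users: dict = field(default_factory=dict)

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_RIGHTS:
            raise KeyError(f"unknown role {role!r}")
        for held in self.users.get(user, set()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                raise SeparationOfDutiesError(
                    f"{user} already holds {held}; cannot also hold {role}")
        self.users.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Deprovision a departing employee: drop every role at once."""
        self.users.pop(user, None)

    def rights_of(self, user: str) -> set:
        """Effective rights are the union of the rights of the roles held."""
        return set().union(*(ROLE_RIGHTS[r] for r in self.users.get(user, set())))

    def is_permitted(self, user: str, right: str) -> bool:
        """Access decision: granted only if some held role carries the right."""
        return right in self.rights_of(user)


def demo() -> dict:
    """Walk through provisioning, an access decision, a blocked SoD
    violation and a revocation; returns the observations as a dict."""
    d = Directory()
    d.assign_role("jlee", "permit_approver")
    d.assign_role("mgomez", "site_inspector")
    d.assign_role("acho", "reconciler")
    out = {
        "jlee_can_approve": d.is_permitted("jlee", "permits:approve"),
        "jlee_can_inspect": d.is_permitted("jlee", "inspections:record"),
    }
    try:
        d.assign_role("jlee", "site_inspector")   # conflicts with permit_approver
        out["sod_enforced"] = False
    except SeparationOfDutiesError:
        out["sod_enforced"] = True
    d.revoke_all("acho")                          # employee leaves
    out["acho_after_revoke"] = d.is_permitted("acho", "bank:read")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The conflict table is checked at assignment time rather than at access time, which is where the article places it: a separation of duties that is only written in a policy document but not enforced when the directory entry is created will eventually be violated by an ordinary role change.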

Applications depend on the operating system for user accessibility, functionality and reliability. The operating system transmits vast amounts of critical data and promotes IT integration and interoperability. It also provides the point of entry for network users, and secure login or password policies are crucial. Passwords should require a combination of letters and numbers that cannot be guessed easily. Passwords should be changed regularly too. Automatic logoff features also deter someone from inappropriately using a laptop computer or workstation left unattended for a few minutes.

Firewalls regulate what data can enter the network from external sources. General IT controls must ensure remote access is limited to authorized users, that no "backdoors" exist for inappropriately accessing the network, and that antivirus software provides adequate protection. Outbound transmissions require secure data encryption.

IT infrastructure exists in a dynamic environment and general IT controls require attention year-round. User provisions and related directories must be changed whenever a worker's responsibilities change. Within a state attorney general's office, for example, access to investigation data must be continually restricted to employees directly involved in a particular investigation. To prevent unauthorized use and potential fraud, all former employees' passwords and related access rights must be revoked as soon as they leave.
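The detective side of this control, reviewing the log of actual users against the provisioning directory and against the list of employees who have left, as the Determining Scope section describes, can be automated. The following is an added example that is not part of the article: the authorization table, the termination dates and the access-log lines are all constructed here, and the log format is a hypothetical one chosen for the example; a real review would read the directory, HR separation records and the application's audit log.

```python
"""Detective control: reconcile an access log with current authorizations.

Added example (not the article's code). AUTHORIZED, TERMINATED and
ACCESS_LOG are constructed sample data in a hypothetical log format.
"""
from datetime import date

# Current provisioning: user -> rights granted through held roles.
AUTHORIZED = {
    "jlee":   {"permits:read", "permits:approve"},
    "mgomez": {"permits:read", "inspections:record"},
    "acho":   {"bank:read", "bank:reconcile"},
}

# Employees who have left, with their separation date (from HR records).
TERMINATED = {"bsmith": date(2008, 1, 10)}

# Constructed audit-log excerpt: one event per line, key=value fields.
ACCESS_LOG = """\
2008-01-14 09:12:03 user=jlee action=permits:approve object=BP-2008-0412 result=ok
2008-01-14 09:15:41 user=mgomez action=inspections:record object=BP-2008-0412 result=ok
2008-01-14 10:02:17 user=mgomez action=permits:approve object=BP-2008-0419 result=ok
2008-01-15 07:45:00 user=bsmith action=bank:read object=ACCT-ADULTED result=ok
2008-01-15 08:30:22 user=acho action=bank:reconcile object=ACCT-ADULTED result=ok
2008-01-15 11:00:09 user=tmp0042 action=permits:read object=BP-2008-0420 result=ok
"""


def parse_line(line: str) -> dict:
    """Split 'YYYY-MM-DD HH:MM:SS k=v k=v ...' into a dict with a date."""
    day, _time, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["date"] = date.fromisoformat(day)
    return event


def review(log_text: str, authorized: dict, terminated: dict) -> list:
    """Return (user, action, reason) for every event that the current
    authorizations do not explain. Order of checks matters: a departed
    employee is reported as such before being reported as 'unknown'."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        user, action = e["user"], e["action"]
        if user in terminated and e["date"] >= terminated[user]:
            findings.append((user, action, "access after separation date; credentials not revoked"))
        elif user not in authorized:
            findings.append((user, action, "account absent from provisioning directory"))
        elif action not in authorized[user]:
            findings.append((user, action, "action outside granted rights"))
    return findings


if __name__ == "__main__":
    for user, action, reason in review(ACCESS_LOG, AUTHORIZED, TERMINATED):
        print(f"{user:8} {action:20} {reason}")
```

Each finding corresponds to one of the article's concerns: a former employee whose password was not revoked, an account that was never provisioned through the directory, and a user exercising a right that his role does not carry (here, an inspector approving a permit, which is exactly the separation of duties the article wants enforced).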

Servers, operating systems and applications require periodic patches, service packs and enhancements. Backup and recovery functions are vital to ensure critical data is accurate and available. Change management controls must assure modifications are made promptly, configured properly and tested to maintain and protect the network. 

New viruses and other security threats emerge throughout the year, and firewalls and antivirus programs need to be checked regularly for vulnerabilities. System testing should encompass new systems and enhancements. Any incidents that disrupt or threaten IT operations require immediate response, along with remediation and retesting. All control activities require documentation.

Alyssa G. Martin, Contributing Writer
Alyssa G. Martin, CPA, MBA, is the Dallas executive partner and the firmwide partner in charge of the Risk Advisory Services group at Weaver and Tidwell LLP, an independent certified public accounting firm in the Southwest. Martin can be contacted at (817) 332-7905 or (972) 448-6975.