Thursday, August 17th, 2006
Internal Control-Information Technology (Part 1)
Using the salient points below, you can establish an internal control checklist or statement of policy for your company’s Information Technology.
General
• Procedures should be defined and documented to ensure the security and proper maintenance of notebooks, computers and computer-related equipment.
• Use of pirated software within the office premises should never be permitted.
Logical Security
• Access should only be permitted by the use of a valid and unique identity (ID) and password combination.
• Log-on IDs should be automatically disabled after three log-on failures.
• Log-on IDs and passwords should be revoked when employees leave the organisation. HR should inform the IT department promptly via the resignation form.
• Log-on IDs should be automatically disabled after three minutes of inactivity.
• User access rights should be restricted to those required for the users’ normal duties and in line with the approved standard group profile.
• Requests for non-standard user profiles should be documented and approved by the respective Functional Managers.
• Changes to user access rights should be based on written approvals.
• Password confidentiality should be controlled as follows:
- Compulsory change of passwords every six months
- Minimum password length of six characters
• Virus scan utilities should be automatically invoked at every log-on.
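As an added illustration that is not part of the original post, the lockout, inactivity, revocation and password rules above can be encoded so that an audit script can check account records against them; the account fields, the event names and the reading of "six months" as 183 days are assumptions made here, and the timeline in `demo()` is constructed data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Thresholds exactly as the checklist states them.
MAX_LOGON_FAILURES = 3
INACTIVITY_LIMIT = timedelta(minutes=3)
PASSWORD_MIN_LENGTH = 6
PASSWORD_MAX_AGE = timedelta(days=183)  # "every six months"; 183 days is an assumed reading

@dataclass
class Account:
    user_id: str
    password_set: datetime     # when the current password was last changed
    last_activity: datetime    # last successful log-on or user action
    failures: int = 0
    disabled_reason: str = ""  # empty while the log-on ID is enabled

def apply_event(acct: Account, kind: str, at: datetime) -> Account:
    """Apply one event ('fail', 'success', 'activity' or 'left') to the account."""
    if kind == "left":                        # HR's resignation form reaches IT
        acct.disabled_reason = "employee left: ID and password revoked"
    elif acct.disabled_reason:
        return acct                           # a disabled ID accepts nothing further
    elif at - acct.last_activity >= INACTIVITY_LIMIT:
        acct.disabled_reason = "disabled after three minutes of inactivity"
    elif kind == "fail":
        acct.failures += 1
        if acct.failures >= MAX_LOGON_FAILURES:
            acct.disabled_reason = "disabled after three log-on failures"
    else:                                     # success or activity resets the counter
        acct.failures, acct.last_activity = 0, at
    return acct

def password_findings(acct: Account, new_password: str, now: datetime) -> list:
    """Audit findings against the two password rules in the checklist."""
    findings = []
    if len(new_password) < PASSWORD_MIN_LENGTH:
        findings.append("password shorter than six characters")
    if now - acct.password_set > PASSWORD_MAX_AGE:
        findings.append("compulsory six-monthly password change overdue")
    return findings

def demo() -> dict:
    """Constructed timeline (not real data) exercising the rules above."""
    t0 = datetime(2006, 8, 17, 9, 0)
    a = Account("jdoe", password_set=t0 - timedelta(days=200), last_activity=t0)
    for secs in (10, 20, 30, 40, 50, 60):     # fail, fail, success, fail, fail, fail
        apply_event(a, "success" if secs == 30 else "fail", t0 + timedelta(seconds=secs))
    b = Account("asmith", password_set=t0, last_activity=t0)
    apply_event(b, "activity", t0 + timedelta(minutes=5))  # idle for five minutes
    return {"a_reason": a.disabled_reason, "a_failures": a.failures,
            "b_reason": b.disabled_reason, "a_pw": password_findings(a, "abc12", t0)}
```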
Application Controls
• An access security matrix/policy, identifying which applications each user may access and their access rights within each application, should be documented and updated every six months.
• All violations and security activities must be logged, reported, reviewed and appropriately escalated to identify and resolve incidents involving unauthorised activities.
Physical Security
• Network Servers should be located away from hazardous operations and in a clean and stable environment.
• There should be fire detection and extinguishing equipment near the Network Servers.
• Access to the Network Server room should be restricted to authorised officers with access cards.
• All computer equipment should be tagged and accounted for in the Fixed Assets Register.
• All commercial software in the computers must be licensed.
Continuity Planning
• Data should be backed up daily and stored in a fireproof safe.
• There should be weekly data backups, and the backup media should be stored offsite.
• Uninterruptible Power Supply (UPS) equipment should be installed.
• Contingency plans should be established and tested annually.
• The contingency plans should:
- Identify key personnel and their responsibilities
- List emergency phone numbers
- Detail arrangements for immediate replacements of essential hardware
- Detail the restoration of backed-up data (ensuring the integrity of both media and disks)
User Request Management
• User requests for modifications to applications and outputs should be approved by the respective Functional Managers.
• Monthly meetings with each division should be conducted to consolidate and prioritise user requests and to update their status.
Segregation of Duties
• There should be segregation of duties between the following functions:
- Maintenance of computer systems
- Computer programming
- Normal operations and accounting