Establishing secure internal controls is a must for organizations, regardless of size. Because small and mid-size companies are not held to the same compliance requirements as larger organizations, internal auditors of small and mid-size companies need to make sure established controls and IT policies are effective in the long run.
Part 1, "Internal Control Best Practices for Small and Mid-size Companies, Part 1," discussed how establishing proper access controls and business-continuity procedures can help small and mid-size companies be on the road to having a secure IT infrastructure. This article examines three additional best practices — change management, data security protocols, and capacity planning — that small and mid-size organizations can incorporate as part of their IT policies and procedures to be better prepared for any IT threats.
Change Management
Change management allows organizations to plan, schedule, implement, and track modifications to corporate systems and activities. A formal change management process helps IT departments ensure that system changes are reviewed before implementation and are aligned with business needs. Because of this, small and mid-size companies should document formal processes for implementing changes to their IT systems. Specific areas to document include laboratory and staging areas, communication regarding changes, application development, and internal service-level agreements (SLAs).
Laboratory and Staging Areas
Many organizations establish laboratories to test system changes before they are implemented, to surface problems that may not be seen during development. Because labs are typically less hardened than production, they should be placed on a separate network segment with no direct access to production systems. In addition, only test data should be used in the lab; copies of live customer or employee records should not be loaded into it.
The staging area is a network segment used to test proposed system changes and their impact on the production system. It should mirror the production environment as closely as possible, including patch levels and security settings, so that a change that passes in staging behaves the same way in production. Key employees should be given access to the staging environment so they can take part in final tests. Because staging holds production-like configuration, and often production-like data, it should be secured to the same standard as the company's production environment.
Communication Regarding Changes
A process for communicating changes must be developed and documented by the IT department and outlined, step by step, in the IT policies and procedures manual. Change management procedures help organizations to:
- Describe required or requested changes.
- Conduct a change-impact analysis.
- Determine which systems need to be updated and when.
- Identify the IT staff member(s) responsible for implementing specific changes.
- Create a timeline for all changes.
- Establish fallback (rollback) procedures in case the change does not go as planned.
In addition, small and mid-size companies should create a change management committee composed of at least one IT staff member and one senior executive. The committee should meet every week to review all change requests. Once changes are approved, the committee must announce them to the affected parties.
Furthermore, organizations should mandate that all change requests be documented in writing: before a change is made, a request form must be completed and sent to the head of IT for approval. Finally, during the IT planning process, organizations need to document how emergency changes will be handled. For example, many organizations allow the head of IT to approve emergency changes and communicate them to those involved. An emergency change should still be recorded and reviewed by the change management committee at its next meeting, so that the emergency path does not become a way around the normal process.
Application Development
Development of minor tools or major applications should follow the software development life cycle model, a development process that covers investigation of initial system requirements as well as the analysis, design, implementation, and maintenance activities required to keep the system running. Using this model helps organizations ensure final products are aligned with business needs.
At a minimum, organizations need to ensure that business requirements are part of the application's development process, alongside technical specifications, data flow and system diagrams, testing, standard operating procedures and user guides, and change implementation plans. Security requirements belong in this list as well, so that they are designed in rather than tested for afterward. Companies also need to ensure the system's source code is documented properly and kept in a central, backed-up repository under version control, not only on the programmer's computer.
Once the application is implemented, an independent party, such as an external auditor or an internal auditor from the audit department, should review it. The IT department must be involved during all stages of development whenever possible, especially when vendors are hired to develop an application, and should test the finished product to make sure security requirements are met.
Internal Service-level Agreements
An internal SLA is a contract that defines the services users can expect from the IT department. Although small businesses may not be required to have an SLA, there should be a documented process for all IT operations that states the expected delivery of services to the business and the expected results. In many mid-size companies, SLAs are agreed between the IT department and the department needing services; they define the services expected each year and how job requests will be escalated.
Data Security Protocols
Information created by employees and customers is a valuable asset. Because a compromise of this information affects the organization's reputation and financial stability, organizations need to identify specific protocols early in the planning process to protect corporate data, especially data of a sensitive or confidential nature. Data security protocols include those dealing with the information's management and control, and with vulnerability and threat management. Other protocols cover the use of properly configured firewalls and intrusion detection systems (IDSs).
Management and Control
The way organizations choose to manage and control data depends on how the data is classified and who the data owner is: the employee primarily responsible for managing and coordinating the data's use, such as determining who has access rights, approving changes, and setting the required backup and recovery times. Classifying information helps ensure the right kind of security control is implemented. Possible classification categories include:
- Restricted (e.g., data with a tightly controlled distribution list, such as reports of major business issues that could harm the company's reputation).
- Confidential (e.g., information limited to the data owner and those the owner explicitly authorizes, such as a list of department budgets).
- Internal (e.g., data restricted to corporate employees, such as an employee satisfaction survey).
- Public (e.g., information available to the public, such as published quarterly profit reports).
When dealing with restricted or confidential data, companies should consider encrypting it at rest and in transit to protect its confidentiality (and, with an authenticated mode, its integrity), and, where the material concerns legal matters, handling it under attorney-client privilege. Organizations also should make sure corporate data is backed up regularly, that backups of restricted and confidential data are protected to the same classification level as the originals, and that the data owner is a company employee rather than a contractor or vendor.
Vulnerability and Threat Management
One of the main reasons data controls are established is to manage potential software and hardware risks. During the IT planning process, organizations should consider the following guidelines:
- IT departments should implement a documented process for receiving software updates and security patches from vendors, including who is responsible for monitoring vendor security advisories.
- Companies should draft a test and implementation plan that defines how patches and updates will be tested and deployed, with target deadlines based on the severity of the vulnerability a patch addresses, and follow established change management protocols.
- Organizations should consider conducting an ethical attack (penetration test) at least once per year to identify system vulnerabilities, especially if an external Web site is available to the public. The test can be performed by a third-party vendor or the IT department, although an outside party brings an independence that a team testing its own systems cannot.
- Software and hardware should undergo an ethical attack before being placed into production, so that findings can be fixed before the system is exposed to users.
Firewalls and IDSs
In many companies, firewalls serve as the main defense against intruders and act as the gateway for all inbound and outbound network connections. IDS software, on the other hand, monitors network activity and raises alerts on traffic that matches known attack patterns or deviates from normal behavior. Because of their importance, internal auditors working in small and mid-size companies should recommend that IT departments implement the following protocols to get full value from firewall and IDS tools:
- All connections to external networks, including the Internet, must pass through the firewall; no host should have a separate path that bypasses it.
- The firewall should be set up with a default "deny all" policy; access should be opened only as needed, and every access request should be documented with who requested it and why.
- Firewall and IDS configuration changes must follow the change management process.
- All change requests must be reviewed by security staff and approved by senior management prior to implementation.
- All firewall and IDS alarms should be logged, reviewed, and archived daily, preferably on a separate log server that firewall administrators cannot modify, so the records remain trustworthy during an investigation.
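As an added example of how an auditor can check the "deny all" and documented-access protocols above (this script is not from the original article and is not a real company's tooling), the following POSIX shell script audits two constructed nftables rulesets: one with the weak default-accept setting and an unexplained opening, and one hardened version that drops by default, opens only what was approved, and logs what it drops. The rulesets, the file locations under $TMPDIR, and the "CHG-nnnn" change-ticket format in the rule comments are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit nftables rulesets
# for the "default deny" and "document every opening" firewall protocols.
# Both rulesets below are constructed for this example; the CHG-nnnn change
# ticket format in the rule comments is an assumed local convention.

WORK="${TMPDIR:-/tmp}/fw-audit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
WEAK="$WORK/weak.nft"
HARDENED="$WORK/hardened.nft"

# Weak setting: base policy accepts everything, nothing is logged, and an
# opening was added with no record of who requested it or why.
cat > "$WEAK" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 3389 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF

# Corrected setting: drop by default, open only what was approved (each rule
# carries its change ticket), and log denied traffic before dropping it so
# the daily alarm archive sees the attempts.
cat > "$HARDENED" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 ip saddr 10.0.0.0/24 accept comment "CHG-0042 admin ssh from mgmt net"
        tcp dport 443 accept comment "CHG-0017 public web"
        log prefix "fw-drop " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF

# Print the base policy ("drop" or "accept") of chain $2 in ruleset $1.
# Prints nothing if the chain has no policy line, which the caller treats as a failure.
chain_policy() {
    awk -v want="$2" '
        $1 == "chain" && $2 == want { inchain = 1; next }
        inchain && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }
        inchain && /^[[:space:]]*}/ { exit }
    ' "$1"
}

# Succeed only if every chain that admits traffic (input, forward) drops by default.
check_default_deny() {
    for chain in input forward; do
        [ "$(chain_policy "$1" "$chain")" = "drop" ] || return 1
    done
    return 0
}

# Succeed only if denied traffic is logged before being dropped.
check_drop_logging() {
    grep -qE '^[[:space:]]*log .*drop' "$1"
}

# List accept rules that carry no change-ticket comment, ignoring the two
# baseline rules (loopback, established connections) every host needs.
undocumented_accepts() {
    grep -E 'accept( |$)' "$1" \
        | grep -vE 'ct state|iif lo' \
        | grep -vE 'comment "CHG-[0-9]+' || true
}

# Print one finding per violated protocol; prints nothing for a compliant ruleset.
audit() {
    file="$1"
    check_default_deny "$file" || echo "$file: base policy is not 'drop' on input/forward"
    check_drop_logging "$file" || echo "$file: dropped traffic is not logged"
    undocumented_accepts "$file" | while IFS= read -r rule; do
        echo "$file: accept rule without change ticket:$rule"
    done
}

for f in "$WEAK" "$HARDENED"; do
    findings=$(audit "$f")
    if [ -n "$findings" ]; then echo "$findings"; else echo "$f: compliant"; fi
done
```

The script deliberately parses the ruleset text rather than loading it, so it runs offline on an auditor's workstation; on a host that has nftables installed, `nft -c -f hardened.nft` will additionally check the syntax without applying the rules. The same three checks (base policy, logging of denials, a ticket reference on every opening) map directly to the protocols listed above and give the auditor something repeatable to run after each firewall change.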
Many security breaches can be prevented by using data security protocols like the ones described above. Incorporating these best practices can help small and mid-size companies ensure internal controls that safeguard the integrity and privacy of their information are in place.
Capacity Planning
The final best practice organizations should consider, especially when drafting or reevaluating IT policies and procedures, is capacity planning: the annual forecasting of future hardware, software, and network requirements based on current resource use, historical trends, and projected business needs. To build accurate capacity planning models, IT departments should review resource-use trends every three months. This helps companies determine whether any budget or staff changes are needed to meet expected demand.
Also, the IT manager should distribute a periodic, preferably quarterly, report to application owners showing the network and system performance and availability metrics, comparing historical figures with expected ones. The report can contain items such as memory and central processing unit use, server uptime, and the average response time of requests sent to the system. In addition, a capacity planning steering committee could be created to discuss this report and decide whether current or projected resources are adequate for expected business needs. The steering committee should then discuss the coming year's resource requirements by the end of the fiscal year's second quarter and submit all final decisions to the company's budget officer by the end of the third quarter.
Building Internal Controls Today for the Future
The internal controls described above and in part one of this article should be discussed early in the IT planning process and culminate in the implementation of solid IT policies and procedures that allow the organization to have a secure IT environment.
Establishing internal controls that are part of IT policies and procedures benefits organizations of all sizes in various ways. First, internal controls help create a controlled IT environment that is compliant with company policies and regulatory requirements. Second, internal controls that are established as part of the planning process help IT departments meet the organization's technology needs more effectively. Finally, IT policies and procedures help executive managers understand the role IT plays within the organization and how internal controls will be implemented to meet corporate strategic goals. Once these policies and procedures are established, internal auditors can use them as guidelines during audit reviews to examine the effectiveness of IT operations and assess whether IT activities comply with internal rules.