IT General Control Review Areas
Data Security Regulations (201 CMR 17.00 et seq.)
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information (PI) in any form.
- Develop, implement, maintain, and monitor a comprehensive Written Information Security Program (WISP) that establishes safeguards against data breaches.
- Maintain minimum computer security systems (firewalls, current virus definitions and patches, password management protocols, etc.).
- Encrypt all records containing PI that are transmitted across public networks or wirelessly, and all PI stored on laptops and other portable devices.
- Oversee service providers and require them by contract to implement and maintain safeguards that protect and secure PI.
- Network scan to identify suspect devices
- Anti-Virus/Malware coverage
- Software firewall configuration
- Windows program installation
- Password policies (default passwords)
- Application/Security event logging configuration and retention
- Windows desktop local administrator group membership
- Security patch levels for the operating system and web browser
- Wireless encryption: still using WEP? Or worse, no encryption at all?
- Have vendor default passwords been changed?
- Backup media are stored appropriately and any confidential data on them is encrypted
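The Windows desktop items above (firewall configuration, anti-virus coverage, local administrator membership, patch level, password policy, security event log retention, wireless encryption) can be evidenced in one pass. The script below is an added review helper, not part of the original checklist; it assumes a Windows 10/11 workstation with the built-in firewall and Microsoft Defender, run from an elevated PowerShell session.

```powershell
# Added review helper (not from the original checklist). Assumes Windows 10/11
# with Windows Firewall and Microsoft Defender; run elevated.
$report = [ordered]@{}

# Software firewall configuration: each profile should be enabled, inbound blocked by default
$report['FirewallProfiles'] = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# Anti-virus/malware coverage: real-time protection on, signatures recent
$mp = Get-MpComputerStatus
$report['Defender'] = [pscustomobject]@{
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
}

# Local administrator group membership: review anything beyond the built-in accounts
$report['LocalAdmins'] = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource

# Security patch level: most recently installed update
$report['LastHotFix'] = Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 HotFixID, InstalledOn

# Password policy: minimum length, maximum age, lockout threshold
$report['PasswordPolicy'] = (net accounts) -join "`n"

# Security event log size, retention mode and current record count
$report['SecurityLog'] = Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount

# Wireless encryption on the current link: flags WEP or open authentication
$report['Wireless'] = (netsh wlan show interfaces) |
    Select-String 'Authentication|Cipher'

# Print each section of evidence for the review file
foreach ($entry in $report.GetEnumerator()) {
    "=== $($entry.Key) ==="
    $entry.Value | Format-Table -AutoSize | Out-String
}
```

Redirect the output to a file per workstation to keep review evidence alongside the checklist.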