In a recent post, Aronson discussed Federal Government concerns about information security and other proposed regulations. It seems that commercial organizations share similar concerns. Recently, the Information Management and Technology Assurance (IMTA) section of the AICPA produced its summary of key takeaways from the 2013 North America Top Technology Initiatives survey. The results of this survey reflect good practice for any business, but particularly for government contractors, given the upcoming regulations being imposed for future procurements.
The top initiative this year was managing and retaining data. Data management, which changes constantly as technology changes, is a big risk for companies in terms of how effectively and efficiently they can run their business. Companies need strong policies and procedures that are documented and communicated to employees in order to reflect a proper control environment and reduce risk. Consideration must also be given to the type of data that needs to be retained and its level of security risk, as regulations differ for various types of data (e.g., personally identifiable health and/or financial information is very high risk).
The next initiative on the survey was securing the IT environment. While many companies outsource their IT, the data (and ultimately the risk) still belongs to the company. Survey respondents showed the biggest concerns over proper protection for mobile devices, the ability to quickly detect and respond to a cyber-attack, adequate deployment of automated controls to avoid management overrides, conducting an IT risk assessment appropriate to the level of complexity of their IT environment, and finally, proper monitoring of the effectiveness of IT-related internal controls. Again, documented and communicated policies and procedures are the number one priority here, but companies should also be setting IT goals that are in line with the organization’s goals from a development as well as a risk point of view. Many companies have a good handle on their credit and market risk, but not as much on their operational risk. A material weakness in operations and/or IT can result in a serious risk to the going concern of the company. For the other concerns, companies can address the risks through automatic encryption, screen locks for computers or mobile devices, proper segregation of duties, and conducting an annual IT risk assessment or IT audit.
For more information on how your company can assess and improve its IT environment, policies, and procedures, please feel free to contact Jeff Cook at 301-231-6220.