2701.5 Addendum

The integrity cycle includes controls over the creation, implementation, security, and use of information systems, applications, infrastructure, and related technology resources, controls over the operations in date centers, and controls over the security of data and electronic records. Information technology controls (1) enhance assurance of the accuracy and reliability of the results of data processing, (2) contribute toward safeguarding University assets, and (3) promote operational efficiency and effectiveness. 

1. Procedures should be established to ensure the selection, installation and implementation of the proper facilities, equipment, systems, and technology resources to meet current and future data processing requirements.  

2. There should be effective control over the deployment and use of personnel and technology resources in the user and technology departments.  

3. A systems development methodology (SDM) should be followed to ensure the development of effective, efficient, maintainable and auditable information systems. Changes to existing systems should be governed by the same criteria that exist for the development of new systems.  

4. Controls should be in place to ensure the continuous operating capability of the University’s technology operating environment (e.g., a disaster recovery plan) and the prevention and/or timely detection of equipment misuse and data loss.  

5. There should be programmed procedures in applications and information systems to ensure the complete and accurate processing of all authorized data, including prevention, detection and correction of errors; and prevention and/or timely detection of unauthorized data.  

6. Methods and procedures should be in place to ensure the adequate documentation of the programs and systems for use by user personnel, data processing personnel, management and auditors.  

7. Procedures should be established to ensure the proper selection, use and control of third-party service providers, hosted systems, and cloud service providers.  

NOTE: Computer control guidelines to support the Integrity Cycle standards are available through the Office of Audit, Compliance and Privacy – Office of Internal Audit website.