Internal Control Practices: Information Systems

Learn best practices to protect UC San Diego's electronic information.

Background

UC San Diego's electronic information systems contain many forms of personal and private information. By allowing appropriate system access and recording transactions in an accurate and timely manner, you can manage electronic information and ensure data integrity. Follow these internal control practices to make sure you handle electronic information and technology appropriately.

Accountability, authorization, and approval

When proper accountability exists, you know who has access to electronic and personal information, for what business purpose they have access, what information systems and data are authorized for use, and where sensitive, private information resides.

  • Best practices:
    • Limit business system and data access to appropriate users.
    • Adhere to security and privacy policies for email, Web browsing, and electronic communication.
    • Determine approval hierarchies and appoint a departmental security administrator (DSA).
    • Implement security measures to protect access to electronic resources and private information according to IS-3 (PDF) and PPM 135-3 (PDF).
    • Communicate and coordinate access and security with IT Services.
    • Train employees in computer access, security, software, and appropriate use of University information.
    • Address reported or suspected access and security violations according to the CIRT process.
  • Potential consequences if accountability does not exist:
    • Misuse of information
    • Identity theft
    • Improper use of university assets
    • Damage to public image
    • Legal actions

Security of assets

UCSD's electronic information is a valuable asset. Security controls prevent and reduce the risk of harm caused by error, accident, natural disasters, or malicious action. Avoid duplication of information if it’s available elsewhere. Store information in a secure location.

  • Best practices:
    • Use and share data for business purposes only.
    • Design, document, and test internal processes to ensure security and data integrity.
    • Secure personal information in a locked or password-protected location.
    • Regulate authorized access to resources through security measures such as user IDs and passwords.
    • Implement auditable authorization processes that adhere to University policies.
    • Train all users in security awareness.
    • Inform your DSA and system/data custodians about access rules and security violations.
    • Restrict access of information and systems to people who need the access to perform their jobs.
    • Periodically review information stored in electronic or paper format.
    • Secure or discard personal and private information properly.
  • Potential consequences if electronic information is not secured:
    • Identity theft
    • Damage to public image
    • Misuse of University resources and information

Review and reconciliation

Your reconciliation activities confirm that transactions are recorded correctly, can be readily retrieved, and are safeguarded from improper alteration.

  • Best practices:
    • Ensure data integrity by validating data against the Data Warehouse or FinancialLink tools and reporting models.
    • Follow retention schedules and data retention requirements.
    • Periodically review information stored in electronic or paper format.
  • Potential consequences if review and reconciliation activities are not performed:
    • Undetected errors, discrepancies, or irregularities
    • Inaccurate or incomplete official records
    • Improper access to business systems and data