543.16—What are the minimum internal controls for information technology?
(a)
Physical security measures restricting access to agents, including vendors, must exist over the servers, including computer terminals, storage media, software and data files to prevent unauthorized access and loss of integrity of data and processing.
(c) User controls.
(1)
Computer systems, including application software, must be secured through the use of passwords or other approved means.
(2)
Procedures must be established and implemented to ensure that management or independent agents assign and control access to computer system functions.
(3)
Passwords must be controlled as follows unless otherwise addressed in the standards in this section.
(ii)
When an individual has multiple user profiles, only one user profile per application may be used at a time.
(iii)
Passwords must be changed at least quarterly with changes documented. Documentation is not required if the system prompts users to change passwords and then denies access if the change is not completed.
(iv)
The system must be updated to change the status of terminated users from active to inactive status within 72 hours of termination.
(v)
At least quarterly, independent agents must review user access records for appropriate assignment of access and to ensure that terminated users do not have access to system functions.
(vii)
System exception information (e.g., changes to system parameters, corrections, overrides, voids, etc.) must be maintained.
(4)
Procedures must be established and implemented to ensure access listings are maintained which include at a minimum:
(1) Daily backup of data files—
(i) Backup of all programs.
Backup of programs is not required if the program can be reinstalled.
(ii)
Secured storage of all backup data files and programs, or other adequate protection to prevent the permanent loss of any data.
(iii)
Backup data files and programs may be stored in a secured manner in another building that is physically separated from the building where the system's hardware and software are located. They may also be stored in the same building as the hardware/software as long as they are secured in a fireproof safe or some other manner that will ensure the safety of the files and programs in the event of a fire or other disaster.
(2)
Recovery procedures must be tested on a sample basis at least annually with documentation of results.
(e) Access records.
(1)
Procedures must be established to ensure computer access records, if capable of being generated by the computer system, are reviewed for propriety for the following at a minimum:
(2)
If the computer system cannot deny access after a predetermined number of consecutive unsuccessful attempts to log on, the system must record unsuccessful log on attempts.
(f) Remote access controls.
(1)
For computer systems that can be accessed remotely, the written system of internal controls must specifically address remote access procedures including, at a minimum:
(i)
Record the application remotely accessed, authorized user's name and business address and version number, if applicable;
(iii)
The procedures used in establishing and using passwords to allow authorized users to access the computer system through remote access;
(iv)
The agents involved and procedures performed to enable the physical connection to the computer system when the authorized user requires access to the system through remote access; and
(v)
The agents involved and procedures performed to ensure the remote access connection is disconnected when the remote access is no longer required.
(2)
In the event of remote access, the information technology employees must prepare a complete record of the access to include:
(iv)
Description of work performed in adequate detail to include the old and new version numbers, if applicable of any software that was modified, and details regarding any other changes made to the system.