When developing a compliance plan for your company one of the first tasks is identifying how your information security management system operates. Below we have provided several internal controls examples to demonstrate the types of polices, procedures, and technical configurations a company may establish to build a strong control environment. Ideally, a pre-cursor to establishing internal controls is a risk analysis.
Controls are a means to mitigate risk. Adding a control could be seen as slowing down business, so it’s necessary to ensure that only the right controls are prioritized and implemented. You may be asking, what are internal controls? It can be anything from a policy that directs what should be done, a procedure which describes how something should be done to reduce risk, a technical configuration to prevent information exposure, or monitoring to detect malicious activity. Controls are generally categorized as preventive or detective.
Below are 9 examples of common internal controls:
Information Security Policy – a foundational document that defines the administrative, technical, and physical security requirements of an organization. It is a document that defines how information confidentiality, integrity, and availability is protected.
Annual Security Policy Review – a procedure to ensure that the information security policy remains up to date. Over time company goals change, there are personnel changes, and new threats emerge. Reviewing your information security policy annually will keep your company current.
Confidentiality Agreement – a legal document that employees typically sign that requires them to keep all company and customer data confidential. The purpose of this is to prevent information leakage.
Encryption Policy – a document that describes how and when a company uses encryption. An example encryption policy may state that all customer data in transit or at rest must be encrypted. Policies typically also specify encryption algorithms and key lengths.
Change Management – a process that enables the secure and structured approach to management changes to system configurations or application code. Change management is a category that often includes controls as testing and QA, source code versioning, peer review, and segregation of duties between developers and production engineers.
Backup and Recovery – a process that ensures that data remains available when needed. Companies often focus a lot on backup but fall short when developing recovery plans. Backups should be tested on a regular basis.
Security Awareness Training – people are often the weakest link in any information security program. Regular security training, reminders, and documentation to prove it occurred goes a long way in keeping auditors happy.
Semi-Annual Review – just as policies and procedures go stale, this control ensures that accounts and configurations on systems remain up to date. New employees are hired, job responsibilities change, and terminations happen. This ensures that system access control remains consistent with the workforce.
Vendor Patching – keeping software such as applications and operating systems up to date is one of the best ways to prevent getting hacked. Software patching should occur on a regular basis for normal updates and immediately for critical updates.