Introduction
Nowadays, covered entities rely more and more on modern technologies. However, these technologies expose important information to various hazards. Various technical safeguards have been designed in order to cope with such problems. To discuss this issue in detail, the example of a college registrar’s office will be analyzed. This office is located in a building, among many other offices. Its specialists have access to students’ records via wireless and wired networks. All information is stored on a server in the same building. The college administration has to protect the integrity of student records in accordance with the Family Educational Rights and Privacy Act. The main goal of this paper is to provide recommendations for ensuring technical safeguards in this college registrar’s office.
Analysis and Recommendations
Proper physical access control safeguards should include physical approaches, strategies, and procedures that protect electronic data from any type of hazards, including unauthorized intrusion. Therefore, adequate safeguards are a complex system of different methods based on access control standards (Mehraeen, Ayatollahi, & Ahmadi, 2016). Evaluation and implementation of these standards imply considering all physical access to electronic information.
Such measures also should prevent access to a protected system from the outside. The main elements of proper access control are access provision, authentication, and entitlement reviews. There are several recommendations for the implementation of effective physical access control safeguards. The first type of measures should be aimed at protecting facility access. They should ensure limited and properly authorized access to all sensitive information and facilities that house electronic systems. It is necessary to identify all people that might use this equipment, such as employees working in the office, specialists from other departments, and students.
Also, safeguard policies should specify the measures used to control physical access, for example, video monitoring, security staff, electronic control systems, locks, and others. The next type of measure should include standards for the appropriate use of computers and other electronic devices that provide access to protected information. Another important aspect is antivirus software. The staff should be trained on how to use such programs and how to monitor the update process. The next measure is control over the movement of electronic devices. This is especially important for storage devices such as hard drives and digital memory cards. Also, it is necessary to properly handle the receipt, removal, and storage of all electronic equipment.
Audit Controls
Internal audit controls are a very important measure on which any company should rely. Such safeguards help to reduce risks and improve overall performance (Kelly & Tan, 2017). It is necessary to identify ineffective processes and either upgrade or stop them. Therefore, specialists of this registrar’s office should constantly monitor and update operating policies. Professional certification is also very important for internal audit. There are two major types of audit controls: preventive and detective (“Are there different types,” n.d.). Preventive measures should be aimed at protecting the system from operating errors. Detective controls allow internal auditors to identify such errors while they test risky processes.
Auditing implies the continuous evaluation of risks and the assessment of controls. Auditors examine trends within a particular process to identify the level of risk. In addition, auditors should support regulatory control evaluation requirements and determine short- and long-term priorities. Full access to all systems is crucial for proper auditing processes. It is also very important to ensure that constant monitoring does not negatively affect overall performance.
Also, auditors develop risk management and control mechanisms that allow an organization to respond adequately to control deficiencies. Therefore, there are several main recommendations for audit controls in this registrar’s office. First, auditors should constantly review existing policies and apply only those that have been tested. Second, they have to control the segregation of duties among the office specialists. Third, it is necessary to design risk-based schemes that comply with the goals of the registrar’s office. Fourth, an audit group should be engaged gradually so that it fully comprehends the key work processes and the systems related to them.
Logical Access Control Methods
Logical access control is normally conducted through access control lists, passwords, and account restrictions. The first method, access control lists, allows denying access to a particular object if a person does not have the required permission. It is necessary to implement this method because such permissions can provide either partial or full access to protected information. Therefore, unauthorized entities can be prevented from using certain systems via access control lists. The second method, passwords, is also a very effective measure (“Physical and logical access security,” n.d.). This measure should be applied because it is extremely difficult to hack systems that are protected by passwords made up of random symbols.
Hence, it is necessary to avoid using simple words or phrases, for example, words from the dictionary. Also, a password itself should be kept in a secure place. The best solution is to learn it by heart. The third logical access control method is account restrictions. The most effective restrictions include time restrictions and account expiration. The first type ensures that a person does not have access to particular systems during a certain period. This is helpful for system administrators, who can run update processes at night without interference from other users. In addition, account expiration is necessary to disable unused accounts so that they cannot be used in the future.
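One way to combine the three logical controls described above (an ACL granting partial or full access, a time restriction for a nightly maintenance window, and account expiration) in a single default-deny check. This is an added example, not code from the essay or from any college system; the account names, expiry dates, maintenance window, and ACL entries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

@dataclass
class Account:
    user: str
    expires: Optional[datetime] = None               # account expiration (None = never)
    blocked_hours: Optional[Tuple[time, time]] = None  # time restriction (start, end), local time

# Constructed ACL: resource -> user -> permitted actions.
# "read" alone is partial access; "read" and "write" together is full access.
ACL = {
    "student_records": {
        "registrar_clerk": {"read"},
        "registrar_admin": {"read", "write"},
        "sysadmin": {"read", "write"},
    }
}

# Constructed accounts. Office staff are blocked 01:00-04:00 so the sysadmin can
# run updates then; the former intern's account has expired.
MAINTENANCE = (time(1, 0), time(4, 0))
ACCOUNTS = {
    "registrar_clerk": Account("registrar_clerk", datetime(2030, 1, 1), MAINTENANCE),
    "registrar_admin": Account("registrar_admin", datetime(2030, 1, 1), MAINTENANCE),
    "former_intern": Account("former_intern", datetime(2023, 6, 30)),
    "sysadmin": Account("sysadmin"),
}

def in_window(now: datetime, window: Tuple[time, time]) -> bool:
    """True if the clock time of `now` falls in [start, end); handles windows crossing midnight."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_access(user: str, resource: str, action: str, now: datetime,
                 acl=ACL, accounts=ACCOUNTS) -> Tuple[bool, str]:
    """Default deny: unknown user, expired account, blocked hours, or missing ACL entry."""
    acct = accounts.get(user)
    if acct is None:
        return False, "unknown account"
    if acct.expires is not None and now >= acct.expires:
        return False, "account expired"
    if acct.blocked_hours is not None and in_window(now, acct.blocked_hours):
        return False, "outside permitted hours"
    if action not in acl.get(resource, {}).get(user, set()):
        return False, "no ACL entry for this action"
    return True, "allowed"
```

Every denial carries a reason string so the decision can be written to the audit trail discussed later in the paper.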
Analysis of a Data Transfer
In the described office, the flow of data is ensured via wireless and wired networks. All information is kept on a server that is located in the same building. Such a system has many advantages. The first important aspect is connection speed, which is very high due to the use of such technologies. The second aspect is bandwidth, in which a wired network is much better than a wireless one. Good bandwidth and connection speed are crucial for effective work with electronic data.
Other important aspects are the safety and reliability of information transfer. In terms of these factors, using wired systems is very effective, as the chances of losing information are small. However, the main disadvantage of these two networks is the need to maintain them, as these services require considerable funding. In addition, wireless systems are not very stable because wireless reception can be impaired by other networks.
The main techniques for transmission security safeguards are constant auditing, software updates, and encryption. Security specialists should be responsible for assessing audit trails, as this ensures integrity (“Technical safeguards,” n.d.). It is also very important to establish a system of penalties for unauthorized changes to protected information. A review of the risk analysis allows security specialists to report on the effectiveness of the integrity controls.
Also, it is necessary that all electronic systems are updated, as this enhances their security. All safeguards depend on software, which must be kept up to date in order to function properly. Finally, encryption is a very effective technique that ensures the safe transmission and retention of protected data.
Conclusion
The main technical safeguards include access controls, audit controls, updating, and encryption. Access controls are necessary to limit the availability of protected information. Audit controls reveal the imperfections of a system and improve its effectiveness. Updating and encryption ensure the safe transmission of information. Therefore, in order to protect important data, it is necessary to establish a complex system of different procedures and policies and to ensure that it functions properly.
References
Are there different types of internal controls? (n.d.). Web.
Kelly, K., & Tan, H. T. (2017). Mandatory management disclosure and mandatory independent audit of internal controls: Evidence of configural information processing by investors. Accounting, Organizations and Society, 56, 1-20.
Mehraeen, E., Ayatollahi, H., & Ahmadi, M. (2016). Health information security in hospitals: The application of security safeguards. Acta Informatica Medica, 24(1), 47-50.
Physical and logical access security. (n.d.). Web.
Technical safeguards. (n.d.). Web.