The Quaestor - Volume 6, Issue 3

“I’ve won the lottery, so I won’t be in today....or ever again.”

(Or alternatively, The Importance of Documented Processes and Procedures from a Departmental Perspective)

Contributed by: Wendy Roy, IACA Senior Internal Auditor

Ok, so this perhaps is a long shot (but, not impossible, I hope!); however, employee absence and turnover are not long shots. They happen every day and result in short-term or long-term periods of transition. Departments have often worked long and hard to develop processes that are well controlled, efficient and effective; the processes work great when the key process owners are there to execute them. However, when those individuals are suddenly not able to perform their given duties, chaos can erupt; determining what needs to be done, when it needs to be done, how it should be done, and who should do it can be a daunting task – all at a time when your staffing resources have been reduced. Good controls and efficiencies are often lost during these frantic times.

So what can you do to help mitigate the challenges that accompany employee absence and turnover? Well, the single most effective measure you can take is to have all of your critical operational processes well documented. These are essentially “how to” documents. They need to be adequately detailed to ensure that someone with limited or no knowledge can complete the task satisfactorily. Components of documented procedures should include a calendar or checklist of what needs to be completed and when – daily, weekly, monthly, quarterly, semi-annually and/or annually. Also, if there are specific dates or days when these tasks are to be performed, that information should be included as well. Once the various tasks are identified, the next step is to set about thoroughly documenting how to perform them. These should be step-by-step directions which would also include the computer applications used and the applicable contact information for key contacts involved in the processes.

The best time to create this documentation is when you have an experienced individual performing the tasks; they are best positioned to create a thorough and detailed document. However, that doesn’t mean that this is the only time procedures can be documented. If nothing exists previously, the person learning the job should be tasked with documenting the procedures as they learn them. In both cases, supervisors should review the documents to ensure that the processes are documented accurately and appropriately.

Periodic review (i.e., at least annually) by the key process owners along with their supervisors should occur to ensure the accuracy of the published documents, identify possible gaps between established procedure and practice (either correct the procedure document or amend the practice), and look for efficiencies/redundancies. Upon completion of this exercise, the documents should be amended as necessary and noted as being “updated” as of the review date.

Employee absence and turnover are inevitable and a normal part of business. However, the disruption that accompanies them doesn’t have to be part of the routine. To foster smooth transition periods and to ensure continuity of controls during times of employee vacancies/turnover/absences, document your processes and procedures. Start today – because you never know when you might win the lottery!

Inform RIT

Contributed by Ben Woelk, Policy and Awareness Analyst, Information Security Office

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about the status and next steps of the Private Information Management Initiative (PIMI).

What’s PIMI?

The Private Information Management Initiative (PIMI) is a multi-phase program whose intent is to ensure that RIT disposes of unneeded Private Information securely and retains only the Private Information needed to support essential business processes. Because of the rise in Identity Theft, breaches of Private Information have drawn increased public scrutiny, and federal and state regulations govern its protection and provide notification requirements in the event of a breach. Our goal is to have no unnecessary Private Information remaining on personal computers or devices, in email, or in hard copy format. If it is stored anywhere other than servers (i.e., desktops, laptops, mobile devices, email, or portable media), it must be authorized by the divisional VP and encrypted.

What’s happened so far?

PIMI kicked off in January 2011 with the initial deployment of Identity Finder software on Windows computers. The Identity Finder software identifies potential matches for Private Information and presents the information in a report that allows you to remediate the information. The deployment has continued through the calendar year by division and college and the software has been deployed on most Windows computers used by faculty and staff.

As of November 21, 2011, Identity Finder software had conducted more than 27,000 searches on almost 3,200 Windows computers. More than 1,600 of those computers contained probable matches for Private Information. Since January 2011, Identity Finder has identified more than 13 million probable matches.

What’s next?

Windows:
PIMI will be wrapping up Identity Finder deployment to and remediation of the remaining Windows computers. We’re identifying any gaps and working with representatives of the colleges and divisions to eliminate unnecessary Private Information and relocate necessary Private Information to servers.

Mac:
PIMI will deploy the Identity Finder software to Mac computers by division and college beginning in winter quarter. The Mac software will have the same basic functionality as the Windows software, allowing users to shred, scrub, or ignore matches. However, the software will not scan email on Macs, so each user will need to remediate Private Information found there manually.

Document Destruction Days:

Although we usually think of Private Information as being stored digitally, Private Information in other formats can also be used to facilitate identity theft. Non-digital information is also subject to federal and state regulations. Document Destruction Days will be designated by each college and division for employees to ensure that they’re not retaining unneeded Private Information in formats not located on computers and the network. These formats could include “hard-copy” materials, disks, CD/DVDs, video tapes, and any other type of storage media.

For more information about the Private Information Management Initiative or if you have any other questions about Information Security at RIT, visit the RIT Information Security Webpage at http://security.rit.edu, contact us at infosec@rit.edu, or call 585-475-4123.
