8.2 Control Activities
Control activities are the policies, procedures, techniques, and mechanisms that help ensure management's responses to the risks identified during the risk assessment process are carried out. In other words, control activities are actions taken to minimize risk. When the assessment identifies a significant risk to the achievement of an objective, a corresponding control activity or activities are determined and implemented.
Control activities occur throughout the organization at all levels and functions. They include various activities like approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
Control activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy. All policies must be implemented thoughtfully, conscientiously, and consistently.
8.2.1 Internal Controls
Internal controls are designed to ensure that goals and objectives for the Organization and administrative areas are met. Adequate controls provide reasonable assurance regarding the accomplishment of established objectives.
Aya’s internal controls, procedures, and practices also ensure that:
- Risks are reduced to an acceptable level
- All assets are safeguarded against waste, fraud, loss, unauthorized use or disclosure, and misappropriation
- Programs are efficiently and effectively carried out per applicable laws and Aya’s policy
Controls are selected based on the cost of implementation relative to the reduction of risk and potential for loss if and when a security breach occurs. Non-monetary factors, such as reputation loss, are also considered.
The administrative processes within Aya Data rely on internal controls to comply with internal and external requirements. Sufficient controls to mitigate risks need to exist in everyday business procedures and can be preventative, detective, or corrective. Without adequate internal controls, functions within Aya Data may become non-compliant, inefficient, and too costly to operate, and may ultimately fail.
8.2.2 Preventative Controls
Preventive controls are designed to discourage or pre-empt errors or irregularities from occurring. They are more cost-effective than detective controls. Credit checks, job descriptions, required authorization signatures, data entry checks, and physical control over assets to prevent improper use are all preventive controls utilized by Aya.
8.2.3 Detective Controls
Detective controls are designed to search for and identify errors after they have occurred. They are more expensive than preventive controls but still essential since they measure the effectiveness of preventive controls and are the only way to control certain types of errors effectively. Account reviews and reconciliations, observations, periodic physical inventory counts, passwords, transaction edits, and internal audits are examples of detective controls employed by Aya.
8.2.4 Corrective Controls
Corrective controls are designed to prevent the recurrence of errors. They begin when improper outcomes occur and are detected and keep the "spotlight" on the problem until management can solve it or correct the defect. Quality teams' variance reports are examples of corrective controls used by Aya.
8.3 Control Environment
As established by Aya's management, the control environment sets the organization's tone and influences its people's control consciousness. Leaders of each department establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure.
Managers and employees are to have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.
This requires managers and their staff to maintain and demonstrate at all times:
- Personal and professional integrity and ethical values
- A level of skill necessary to help ensure effective performance
- An understanding of information security and internal controls sufficient to effectively discharge their responsibilities
Managers and supervisors are also responsible for ensuring their employees are aware of the relevance and importance of their activities and how they contribute to achieving the control environment.
8.3.1 Aya’s Security Policy
The information technology resources at Aya Data support the organization's educational/training, administrative, research, and Business Process Outsourcing Services activities, and the use of these resources is a privilege extended to members of the Aya Data community. Any employee using Aya's information technology resources for any reason must adhere to strict guidelines regarding their use. Employees are entrusted with the safety and security of Aya Data information resources. A sound security policy for information technology resources includes the participation of every employee at all times. A good policy promotes information security.
Any person or organization within the Aya Data community that uses or provides information technology resources has a responsibility to maintain and safeguard these assets. Each employee and management member in the Aya Data community is expected to use these shared resources with consideration for others.
Individuals are also expected to be informed and be responsible for protecting their own information resources in any environment, shared or stand-alone. It is unacceptable for anyone to use information resources to violate any law or Aya Data policy or perform unethical acts.
Aya’s Acceptable Use of Information Technology Resources contains the governing philosophy for effective and efficient use of Aya's computing, communications, and information resources by all members of the Aya Data community.
While directors and management are ultimately responsible for ensuring compliance with information security practices, the DPO, in cooperation with various department heads, will develop annual security awareness and compliance training to achieve technical proficiency and appropriate use for all employees.
8.4 Assets Accountability
Proper internal control is to be maintained over all information technology resources at all times. Adequate ICT asset management, from requisition to disposal, ensures a much greater likelihood that Aya Data will continue to meet customer requirements in the indefinite future by planning in an orderly fashion and mandating consistency throughout the organization.
ODPC will conduct an annual audit to verify the registry of those members of the Aya Data community who have access to protected information and the inventory of information assets on all Aya Data systems considered in scope. Individuals authorized to access organizational data shall adhere to the appropriate roles and responsibilities, as defined within contractual agreements and Aya’s policies.
8.5 Data Classification
Data classification is required to determine the relative sensitivity and criticality of information technology resources, which provide the basis for protection efforts and access control. The Data Classification and Protection Standard establishes a baseline derived from best practices, state laws, regulations, and Aya Data policies that govern the privacy and confidentiality of data.
The Data Classification and Protection Standard applies to all data (e.g., client, partner, research, financial, and employee data collected in electronic or hard copy form) that is generated, maintained, and entrusted to Aya Data, except where a different standard is required by grant, contract, or the law.
All data within Aya must be classified into one of four sensitivity tiers or classifications that Aya Data has identified: Public, Internal, Restricted, and Confidential. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive, and correspondingly tighter controls are necessary for these values.
All Aya’s data is to be reviewed periodically and classified according to its use, sensitivity, and importance to Aya Data and in compliance with regulatory and/or state laws.
ODPC has pre-defined several types of sensitive data. The level of security required depends partly on the effect that unauthorized access or disclosure of those data values would have on Aya Data’s operations, functions, image or reputation, assets, or the privacy of individual members of the Aya Data community.
8.5.1 TIER I: Public
This kind of information is accessible to the public. Making the information public will not damage the organization/client.
8.5.2 TIER II: Internal
This kind of information is accessible to every employee and authorized third parties. Unauthorized access may induce minor harm and/or inconvenience to the organization/client.
8.5.3 TIER III: Restricted
This kind of information is accessible to a specified group of employees and authorized third parties. Unauthorized access to information may cause substantial damage to the business and/or the organization's repute.
8.5.4 TIER IV: Confidential
This kind of information is accessible only to specified individuals in the organization. Unauthorized access to information could cause catastrophic damage to the business and/or the organization's repute.
8.6 Information Handling
Aya's employees create records as part of the ordinary course of conducting the organization's business. Records containing sensitive information should exist only in areas with a legitimate and justifiable business need and should be maintained under strict controls as outlined in this document.
Mishandling sensitive information is a significant risk to Aya Data and may cause considerable financial or reputational harm. All Aya Data employees, regardless of position, must protect sensitive information by being aware of any sensitive information they may store, process, or transmit.
The Data Classification and Protection Standard outlines the minimum standards for protecting sensitive Aya Data information. Additional controls required under applicable laws, regulations, or standards governing specific forms of data (e.g., health or financial information, credit card data), will be applied under specific circumstances.
8.7 Identity & Access Management
Identity and access management ensures accurate identification of authorized Aya Data community members and provides secure authenticated access to and use of physical and network-based services. Identity and access management is based on a set of principles and control objectives to:
- Ensure unique identification of members of the Aya Data community and assignment of access privileges
- Allow access to information resources only by authorized individuals
- Ensure periodic review of membership in the community and review of their authorized access rights
- Maintain effective access mechanisms through evolving technologies
Access Control refers to the process of controlling access to space, systems, networks, and information based on business and security requirements. The objective is to prevent unauthorized disclosure of Aya’s information assets. Aya Data’s access control measures include secure and accountable means of identification, authentication, and authorization. Please see the Physical Office Security Policy for further reference.
8.7.1 Identification
Identification is the process of uniquely naming or assigning an identifier to every individual or system to enable decisions about access levels. The key feature of an identification process is that each user of the Aya Data community, and any other entity about which access decisions need to be made, is uniquely identifiable from all other users.
8.7.2 Authentication
Authentication validates the identity of the person. The authentication process determines whether someone or something is who or what it is declared to be. Authentication factors can be something you know (password), something you have (token), or something you are (biometric). Two-factor authentication consists of two of the three factors (e.g., password and token) in these distinct categories. For access control, authentication verifies one’s identity through ICT.
Passwords are an essential aspect of computer security. They are the front line of protection for user accounts. All community users (including directors, management, employees, guests, contractors, and vendors) are responsible for selecting and securing their passwords. A poorly chosen password may result in the compromise of Aya’s entire network. Adhering to secure password procedures will help reduce the compromise of user accounts on Aya’s systems. Please see Password Standards for further reference on passwords.
8.7.3 Authorization
Authorization is the process used to grant permissions to authenticated users. Authorization grants the user, through technology or process, the right to use the information assets and determines what type of access is allowed (read-only, create, delete, and/or modify).
The access rights to the information must then be entered into the security system via an access list, directory entry, or view tables, for example, so that the authorization rules can be enforced. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information.
In addition,
- The Data Owner must establish criteria for account eligibility, creation, maintenance, and expiration.
- The Data Owner must individually authorize access to sensitive data, and an annual confidentiality agreement must be acknowledged or signed by all authorized users.
- Depending on the relative sensitivity of the data, staff may be subject to a security clearance check before they are hired, transferred, or promoted. Any employee not subjected to such a clearance check when first hired should not be placed in a sensitive position until security clearance has been obtained.
- Data Owners must periodically review user privileges and modify, remove, or inactivate accounts when access is no longer required.
- Procedures must be documented for the timely revocation of access privileges and return of institutionally owned materials (e.g., keys, laptops) for terminated employees and contractors.
- Inactivity time-outs must be implemented, where technically feasible, for terminals and workstations that access sensitive data. The period of inactivity shall be no longer than 1 minute in publicly accessible areas.
- Audit trails exist for detective and reactive response to system penetration, infection of systems and data due to malicious code, catastrophic system loss, or a compromise of data integrity.
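A worked illustration of the default-deny authorization logic described in this section, combining the four classification tiers from 8.5 with an explicit access list and the inactivity limit above. This is an added example, not Aya Data's own code; the user names, operation names, sample assets and the 15-minute office time-out are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum

class Tier(IntEnum):
    PUBLIC = 1        # 8.5.1: accessible to the public
    INTERNAL = 2      # 8.5.2: every employee and authorized third parties
    RESTRICTED = 3    # 8.5.3: a specified group of employees / third parties
    CONFIDENTIAL = 4  # 8.5.4: specified individuals only

# Inactivity limit by location: 1 minute in publicly accessible areas is the
# policy's figure; the 15-minute office value is a constructed assumption.
INACTIVITY_LIMIT = {"public_area": timedelta(minutes=1), "office": timedelta(minutes=15)}

@dataclass
class Asset:
    tier: Tier
    acl: dict = field(default_factory=dict)  # access list: user -> allowed operations

@dataclass
class Session:
    user: str
    authenticated: bool
    is_employee: bool
    location: str
    last_activity: datetime

def authorize(session, asset, op, now):
    """Default-deny decision: returns (allowed, reason)."""
    if asset.tier == Tier.PUBLIC and op == "read":
        return True, "public data is readable by anyone"
    if not session.authenticated:
        return False, "identity not authenticated"
    if now - session.last_activity > INACTIVITY_LIMIT[session.location]:
        return False, "session expired after inactivity"
    if asset.tier == Tier.INTERNAL and op == "read" and session.is_employee:
        return True, "internal data is readable by employees"
    # Restricted and Confidential data, and every write, need an explicit entry.
    if op in asset.acl.get(session.user, set()):
        return True, "explicit access-list entry"
    return False, f"no access-list entry for {op} on {asset.tier.name} data"

# Constructed sample data: a Confidential asset with one read-only ACL entry.
NOW = datetime(2024, 1, 1, 12, 0, 0)
PAYROLL = Asset(Tier.CONFIDENTIAL, {"alice": {"read"}})
HANDBOOK = Asset(Tier.INTERNAL)

def demo_decisions():
    # Allow/deny outcome of representative requests, keyed by case name.
    fresh = Session("alice", True, True, "office", NOW - timedelta(seconds=30))
    idle = Session("alice", True, True, "public_area", NOW - timedelta(seconds=90))
    vendor = Session("vendor", True, False, "office", NOW)
    return {"alice_reads_payroll": authorize(fresh, PAYROLL, "read", NOW)[0],
            "alice_modifies_payroll": authorize(fresh, PAYROLL, "modify", NOW)[0],
            "alice_idle_in_public_area": authorize(idle, PAYROLL, "read", NOW)[0],
            "vendor_reads_handbook": authorize(vendor, HANDBOOK, "read", NOW)[0]}
```

Every branch that grants access names its justification, which is the information an audit trail review (the last bullet above) needs to reconstruct why a request was allowed.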
8.7.4 Remote Access
Remote access to information technology resources (switches, routers, computers, etc.) and sensitive or confidential information (social security numbers, credit card numbers, bank account numbers, etc.) is only permitted through secure, authenticated, and centrally managed access methods. Systems that contain sensitive client, personnel, and financial data will be available for off-site remote access through an Aya centrally managed VPN that provides encryption and secure authentication.
It should also be understood that when accessing sensitive data remotely, storing any sensitive data onto local hard drives, floppy disks, or other external media (including laptops and Smartphones) is prohibited.
External computers used to administer Aya Data resources or access sensitive information must be secured. This includes patching (operating systems and applications) and running updated anti-virus software and a firewall, configured as per all relevant Aya policies and procedures.
8.7.5 Privileged Access
System administrators routinely require access to information resources to perform essential system administration functions critical to the continued operation of Aya Data. Such privileged access is often termed "root" or "administrator" access. Privileged accounts enable vital system administration functions to be performed and are only used for authorized purposes.
The number of privileged accounts is to be kept to a minimum and only provided to personnel whose job duties require it. Administrators or users who need privileged accounts should also have non-privileged accounts when performing daily routine tasks and should not use their privileged accounts for non-authorized purposes. Activities performed using a privileged account will be logged, and the logs will be reviewed regularly by an independent and knowledgeable person.
Personnel who manage, operate, and support Aya's information systems, including individuals who manage their own systems, are expected to use appropriate professional practices in providing for the security of the systems they manage. Responsibility for systems and application security must be assigned to an individual knowledgeable about the information technology used in the system and in providing security for such technology.
8.7.6 Segregation Of Duties
Separate individuals must perform tasks involved in critical business processes. For example, the responsibilities of annotators, quality assurance teams, and system administrators must not overlap unless authorized by the Data Owner. Duties and obligations shall be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Such controls keep a single individual from subverting a critical process. Essential duties include authorizing, approving, and recording projects, issuing and receiving assets, and reviewing or auditing projects.
Segregation of duties should be maintained between the following functions:
- Data annotation
- Quality assurance
- Data entry
- Computer operation
- Network management
- System administration
- Systems development and maintenance
- Change management
- Security administration
- Security audit
Qualified and continuous supervision ensures that internal control objectives are achieved. This standard requires supervisors to continuously review and approve their staff's assigned work and provide the necessary guidance and training to ensure that errors, waste, and wrongful acts are minimized and that specific management directives are followed.