Define and maintain appropriate business process controls to ensure that information related to and processed by in-house or outsourced business processes satisfies all relevant information control requirements. Identify the relevant information control requirements and manage and operate adequate controls to ensure that information and information processing satisfy these requirements.
Maintain information integrity and the security of information assets handled within business processes in the enterprise or outsourced.
Align Control Activities Embedded in Business Processes with Enterprise Objectives
Control the Processing of Information
Create transactions by authorized individuals following established procedures, including, where appropriate, adequate segregation of duties regarding the origination and approval of these transactions.
Authenticate the originator of transactions and verify that he/she has the authority to originate the transaction.
Input transactions in a timely manner. Verify that transactions are accurate, complete, and valid. Validate input data and edit or, where applicable, send back for correction as close to the point of origination as possible.
Correct and resubmit data that were erroneously input without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
Maintain the integrity and validity of data throughout the processing cycle. Ensure that the detection of erroneous transactions does not disrupt the processing of valid transactions.
Maintain the integrity of data during unexpected interruptions in business processing and confirm data integrity after processing failures.
Handle output in an authorized manner, deliver to the appropriate recipient, and protect the information during transmission. Verify the accuracy and completeness of the output.
Before passing transaction data between internal applications and business/operational functions (inside or outside the enterprise), check for proper addressing, the authenticity of origin, and the integrity of the content. Maintain authenticity and integrity during transmission or transport.
Manage Roles, Responsibilities, Access Privileges and Levels of Authority
Allocate roles and responsibilities based on approved job descriptions and allocated business process activities.
Allocate levels of authority for approval of transactions, limits, and any other decisions relating to the business process, based on approved job roles.
Allocate access rights and privileges based only on what is required to perform the job activities of predefined job roles. Remove or revise access rights immediately if the job role changes or a staff member leaves the business process area. Periodically review access to ensure that it remains appropriate for the current threats, risk, technology, and business need.
Allocate roles for sensitive activities so that there is a clear segregation of duties.
Provide awareness and training regarding roles and responsibilities on a regular basis so that everyone understands their responsibilities; the importance of controls; and the integrity, confidentiality, and privacy of company information in all its forms.
Periodically review access control definitions, logs, and exception reports to ensure that all access privileges are valid and aligned with current staff members and their allocated roles.
Manage Errors and Exceptions
Define and maintain procedures to assign ownership, correct errors, override errors, and handle out-of-balance conditions.
Ensure Traceability of Information Events and Accountability
Define retention requirements based on business requirements to meet operational, financial reporting, and compliance needs.
Capture source information, supporting evidence, and the record of transactions.
Dispose of source information, supporting evidence, and the record of transactions in accordance with the retention policy.
Secure Information Assets
Apply data classification and acceptable use and security policies and procedures to protect information assets under the control of the business.
Provide adequate awareness and training.
Restrict use, distribution, and physical access to information according to its classification.
Identify and implement processes, tools, and techniques to reasonably verify compliance.
Report to business and other stakeholders on violations and deviations.