Information Technology

In addition to this abbreviated FAQ, a more comprehensive IT risk assessment document is available for system administrators, in PDF format. Click below to open the questionnaire.

IT Security Risk Assessment Questionnaire (PDF)

  1. Does each person with system access have a unique (not shared) user ID?

    • Ideal Answer: YES. Anyone needing access to any IT system must have their own personal ID.


  2. Are user IDs and passwords kept secret?

    • Ideal Answer: YES. User IDs and passwords should be kept confidential and never shared with anyone.


  3. Are user passwords composed of at least 9 alpha/numeric characters and passwords changed at least every 365 days for non-administrator accounts or at least 15 alpha/numeric characters and passwords changed at least every 180 days for administrator accounts?

  4. Are files of personal computers, including laptops and notebooks, backed up on a regular basis?

    • Ideal Answer: YES. Files stored on personal computer local drives should be backed up either to a network drive or to disk media (floppy/CD-R/DVD-R) on a regular basis.


  5. Does the department maintain individual/site license documentation for all software installed or used on departmental PCs?

    • Ideal Answer: YES. Documentation showing proof of purchase/license for all departmental software should be maintained in a central file. Any software installation media should be centrally secured and controlled to avoid unauthorized installation and use.


  6. Is the level of IT system access assigned to each staff member regularly reviewed by management to assure that there is still a continuing need for it?

    • Ideal Answer: YES. User access rights to information and systems should be periodically reviewed to make sure a valid job-related need still exists for the access.


  7. Does department management review and approve the request for access by any staff member to the various University systems?

    • Ideal Answer: YES. Management should sign all access requests only after verifying that it is necessary for the staff member to perform their job duties.


  8. Is the required paperwork notification completed and filed before a staff member removes any IT equipment from campus for an extended period of time?

    • Ideal Answer: YES. Before any University property is removed from campus for a lengthy or open-ended period of time, an Off-Campus Use of Property Form (http://www.uiowa.edu/~fusprop/forms/index.html) must be completed and filed with Property Management.


  9. Are the hard drives of computers being disposed of overwritten to Department of Defense (DOD) standards or physically destroyed prior to being sent to Surplus?

    • Ideal Answer: YES. In order to prevent the compromise of confidential data or violation of software licensing agreements, all computer hard drives should either be overwritten using a software utility that meets DOD standards, or physically disassembled and destroyed. Please note that the standard "Format" command is not sufficient, and does not prevent data recovery. See the University Computer Data and Media Disposal Policy for more information.


  10. Does the department have a documented disaster recovery/business continuation plan?

    • Ideal Answer: YES. All departments should document the process they would follow to restore operation in the event of a local disaster. The recovery plan should be tested on at least an annual basis. See http://itsecurity.uiowa.edu/resources/drbcp.shtml for assistance in developing a plan.


  11. Are all users aware of and implementing workstation best practices as outlined by the IT Security Office?