Energy Credit Best Practices Chapter: Information Technology http://ccro.org © Copyright 2022, CCRO. All rights reserved.

Implementation of a two-person approach to managing any data being physically removed from any system provides a checks-and-balances approach to ensuring data security. Transportation outside of any data center or secured facility should consider guards to keep sensitive data safe.

Logical Security - IT Systems, in general, do not always require physical access but always require logical access of some sort. Whether this is due to a defined Access Control List (ACL) or simply the ability to extract and store data outside of its usual location, all of these represent Logical Security challenges. Consider putting the following processes into place to address Logical Security:

- Make reviewing ACLs a regular part of the IT Governance process.
- Consider expiring access by default instead of granting access indefinitely. While this may create a small amount of additional overhead from an IT perspective, reducing the risk associated with unsecured logical access is typically considered well worth the tradeoff.
- Secure credit data and related information in the smallest but most business-aligned Logical Security buckets. Putting this more advanced level of Security into place minimizes the total amount of data that could be exposed during any IT Security breach.

Security Governance - Not typically considered part of the Security portfolio, IT Governance is not to be overlooked as the overall encompassing guidance for IT Security. Research into many historical Security breaches has determined that if an overall IT Governance process had been in place, the breach would likely not have occurred or would have occurred with lesser severity.
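The following is an added example, not part of the CCRO chapter, showing what a regular ACL review of the kind described above can look like in code: it applies expire-by-default to open-ended grants and produces the exception list a reviewer would work through (indefinite grants, expired grants still present, grants to buckets nobody owns, grants without a recorded business reason, and principals whose grants span more than one business-aligned bucket). The bucket names, principals, dates and the 90-day default are constructed assumptions.

```python
"""Access review helper for credit-data ACLs.

Added example, not part of the CCRO chapter. It models two of the Logical
Security processes described above: access grants that expire by default
rather than lasting indefinitely, and credit data kept in small,
business-aligned buckets so one grant never quietly covers more than it should.
Bucket names, principals, dates and the 90-day default are all constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumption: an access grant with no explicit expiry lasts one quarter, then
# must be renewed through the regular ACL review.
DEFAULT_GRANT_DAYS = 90


@dataclass
class Grant:
    principal: str                  # user or service account
    bucket: str                     # business-aligned data bucket the grant covers
    granted: date
    expires: Optional[date] = None  # None == indefinite, the pattern to eliminate
    justification: str = ""         # business reason recorded at grant time


@dataclass
class Finding:
    principal: str
    bucket: str
    issue: str


def normalize_expiry(grant: Grant, default_days: int = DEFAULT_GRANT_DAYS) -> Grant:
    """Apply expire-by-default: an open-ended grant gets a fixed expiry from its grant date."""
    if grant.expires is None:
        grant.expires = grant.granted + timedelta(days=default_days)
    return grant


def review_acl(grants: List[Grant], today: date, known_buckets: Set[str]) -> List[Finding]:
    """Produce the exception list an ACL review would work through."""
    findings: List[Finding] = []
    buckets_per_principal: Dict[str, Set[str]] = {}
    for g in grants:
        if g.expires is None:
            findings.append(Finding(g.principal, g.bucket, "indefinite grant"))
        elif g.expires < today:
            findings.append(Finding(g.principal, g.bucket, "expired grant still present"))
        if g.bucket not in known_buckets:
            findings.append(Finding(g.principal, g.bucket, "unknown bucket"))
        if not g.justification.strip():
            findings.append(Finding(g.principal, g.bucket, "no business justification"))
        buckets_per_principal.setdefault(g.principal, set()).add(g.bucket)
    # A principal holding grants across several buckets is not automatically
    # wrong, but it is exactly what the review should confirm is still needed.
    for principal, buckets in sorted(buckets_per_principal.items()):
        if len(buckets) > 1:
            findings.append(Finding(principal, ",".join(sorted(buckets)), "spans multiple buckets"))
    return findings


# Constructed sample data: three business-aligned buckets and five grants.
KNOWN_BUCKETS = {"credit-counterparty-limits", "credit-collateral", "credit-exposure-reports"}
REVIEW_DATE = date(2022, 6, 30)
SAMPLE_GRANTS = [
    Grant("analyst1", "credit-counterparty-limits", date(2022, 4, 1), date(2022, 7, 1), "limit monitoring"),
    Grant("analyst2", "credit-collateral", date(2021, 1, 15), None, "collateral operations"),
    Grant("contractor1", "credit-exposure-reports", date(2022, 1, 10), date(2022, 4, 10), "Q1 audit support"),
    Grant("svc-etl", "credit-counterparty-limits", date(2022, 5, 1), date(2022, 8, 1), ""),
    Grant("svc-etl", "legacy-share", date(2022, 5, 1), date(2022, 8, 1), "nightly load"),
]


def run_review() -> List[Finding]:
    """Run the review over the constructed sample grants."""
    return review_acl(SAMPLE_GRANTS, REVIEW_DATE, KNOWN_BUCKETS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.principal:12} {f.bucket:45} {f.issue}")
```

In practice the grants would be exported from the directory or application ACL rather than typed in, and `normalize_expiry` would be applied at grant time so that the "indefinite grant" finding eventually disappears from the review entirely.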
Several key elements of the Security Governance process that should be considered are:

- Information Lifecycle Management: Easily accessible data should be limited by archiving or otherwise making data less accessible. This limits data exposure during any Security breach while still allowing data to be accessed if needed.
- IT Architecture Reviews: Formation of an IT Architecture review board exposes individual Information System architectures to a more systematic and holistic review process. For example, internal threats to the Security of Systems can be mitigated in this fashion. Any inconsistently applied Security mechanics can be found and corrected before these Systems are placed into production.

Security Patching - Every IT system hosting credit-related information should be placed on a platform requiring regularly patched operating Systems and application environments to remain fully functional and secure. This ensures that a patching process is in place that addresses patching needs in a time-effective manner while balancing credit business uptime against the risk and Security of IT system patching.
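As an added example, not part of the CCRO chapter, the check below turns the Security Patching element into a rule that can be run against an inventory: every pending patch must be installed within a severity-dependent SLA window, and the uptime tradeoff is modelled as a deferral to a scheduled maintenance window that counts only when it is signed off and still falls inside the SLA. The SLA values, host names, patch identifiers and dates are constructed assumptions.

```python
"""Patch-currency check for systems hosting credit-related information.

Added example, not part of the CCRO chapter. It turns the Security Patching
element above into a checkable rule: every pending patch must be installed
within a severity-dependent SLA window, and a host may push a patch out to a
scheduled maintenance window only with a documented, dated risk acceptance.
Deferrals that run past the SLA, lack a signer, or whose window has already
passed are reported alongside plainly overdue patches. The SLA values, hosts,
patch identifiers and dates are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumption: maximum days a pending patch of each severity may stay uninstalled.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class PendingPatch:
    patch_id: str
    severity: str
    released: date
    deferred_until: Optional[date] = None  # maintenance window agreed with the business
    risk_accepted_by: str = ""             # who signed the deferral


@dataclass
class Host:
    name: str
    hosts_credit_data: bool
    pending: List[PendingPatch] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    patch_id: str
    days_outstanding: int
    status: str


def check_host(host: Host, today: date) -> List[Finding]:
    """Return the patches on one host that breach the policy as of `today`."""
    findings: List[Finding] = []
    for p in host.pending:
        deadline = p.released + timedelta(days=SLA_DAYS[p.severity])
        age = (today - p.released).days
        if p.deferred_until is not None:
            if not p.risk_accepted_by.strip():
                status = "deferral without risk acceptance"
            elif p.deferred_until > deadline:
                status = "deferral extends past SLA"
            elif today > p.deferred_until:
                status = "deferral window missed"
            else:
                continue  # documented deferral, inside the SLA, window still ahead
        elif today > deadline:
            status = "overdue"
        else:
            continue  # inside the SLA, nothing to report yet
        findings.append(Finding(host.name, p.patch_id, age, status))
    return findings


def check_estate(hosts: List[Host], today: date) -> List[Finding]:
    """Check every host; credit-data hosts come first so they are worked first."""
    ordered = sorted(hosts, key=lambda h: (not h.hosts_credit_data, h.name))
    findings: List[Finding] = []
    for h in ordered:
        findings.extend(check_host(h, today))
    return findings


# Constructed sample estate as of the check date.
CHECK_DATE = date(2022, 6, 30)
SAMPLE_HOSTS = [
    Host("credit-db01", True, [
        PendingPatch("P-1", "critical", date(2022, 6, 1)),
        PendingPatch("P-2", "medium", date(2022, 5, 1)),
        PendingPatch("P-3", "high", date(2022, 6, 10), date(2022, 7, 15), "credit-ops-lead"),
    ]),
    Host("report-web01", True, [
        PendingPatch("P-4", "high", date(2022, 6, 20), date(2022, 7, 5), ""),
        PendingPatch("P-5", "critical", date(2022, 6, 25), date(2022, 7, 2), "it-ops"),
    ]),
    Host("hr-portal", False, [
        PendingPatch("P-6", "low", date(2021, 1, 1)),
        PendingPatch("P-7", "medium", date(2022, 3, 1), date(2022, 5, 15), "it-ops"),
    ]),
]


def run_check() -> List[Finding]:
    """Run the policy check over the constructed sample estate."""
    return check_estate(SAMPLE_HOSTS, CHECK_DATE)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.host:14} {f.patch_id:5} {f.days_outstanding:4}d  {f.status}")
```

The point of the three deferral statuses is that a maintenance window is a legitimate uptime tradeoff only while it is documented and bounded by the SLA; once the window has passed or the deferral outlives the SLA, the patch is reported exactly like one that was never scheduled.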