Information Technology General Controls (ITGC), a type of internal control, are a set of policies that ensure the effective implementation of control systems across an organization. ITGC audits help an organization verify that the ITGC are in place and functioning correctly, so that risk is properly managed in the organization.
The scope of the ITGC commonly includes access control to physical facilities, computing infrastructure, applications, and data; security and compliance aspects of the system development life cycle, change management controls, backup and recovery, and operational controls over computing systems.
There are several accepted standards for ITGC audits, including the Control Objectives for Information Technologies framework (COBIT, developed by ISACA), SP 800-34 Contingency Planning Guide for Information Technology Systems (by NIST), and the Information Technology Infrastructure Library (ITIL) framework.
ITGC audits can involve monitoring the ITGC on an ongoing basis, identifying issues and responding to them, as well as proactive internal audits of ITGC components, and adjustment of policies and controls according to audit results.
Here are the main categories of IT general controls:
Data centers must be protected from unplanned environmental events and unauthorized access that could potentially compromise normal operations. Access to data centers is usually controlled by keypad access, biometric access technologies, or proximity cards. These techniques enable single-factor or multi-factor authentication.
Organizations often add more layers of protection against unauthorized access. For example, closed-circuit video cameras are deployed as part of the overall physical security monitoring system. Additionally, data centers need technologies that control the temperature within the facility, to ensure it is suitable for human staff as well as machinery. These systems often trigger alarms when the temperature changes or an emergency occurs.
All company employees require access to digital assets, but they do not all require the same privileges. When providing stakeholders with access to company assets, administrators should apply the principle of least privilege and supply exactly the level of access needed to perform the responsibilities of a given role.
To establish access levels, IT can work with HR to determine what assets each employee requires to perform their job. Additionally, organizations should protect credentials using several mechanisms, such as encryption, strong passwords, password rotation, multi-factor authentication, and biometric authentication.
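The role-to-entitlement matrix that IT and HR agree on is only useful if it is enforced at grant time and re-checked periodically. The following is an added example, not code from the original article: it assumes a constructed role matrix, a constructed segregation-of-duties rule, and a constructed access export standing in for what a directory or application would produce, and it flags users holding entitlements beyond their role, users whose role is not defined, and users holding a conflicting pair of entitlements.

```python
"""Least-privilege access review over a role-to-entitlement matrix.

Added example; roles, entitlements and users are constructed sample data.
"""
from dataclasses import dataclass, field

# Entitlements each role may hold. In practice this matrix is the output of
# the IT/HR role definition exercise; the values here are constructed.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:write"},
    "payroll_clerk": {"hr:payroll:read", "hr:payroll:write"},
    "help_desk": {"ad:users:reset_password", "ticketing:read"},
    "sysadmin": {"ad:users:admin", "erp:admin", "backup:restore"},
}

# Entitlement pairs no single person should hold (segregation of duties).
SOD_CONFLICTS = [
    ({"erp:invoices:write"}, {"erp:payments:approve"}),
]


@dataclass
class UserAccess:
    user: str
    role: str
    entitlements: set


@dataclass
class Finding:
    user: str
    kind: str          # "unknown_role", "excess" or "sod"
    detail: set = field(default_factory=set)


def is_permitted(role, entitlement):
    """Grant-time check: allow only what the role definition lists."""
    return entitlement in ROLE_ENTITLEMENTS.get(role, set())


def review_access(users):
    """Periodic review: compare actual entitlements against the role matrix."""
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.role)
        if allowed is None:
            findings.append(Finding(u.user, "unknown_role", {u.role}))
            continue
        excess = u.entitlements - allowed
        if excess:
            findings.append(Finding(u.user, "excess", excess))
        for left, right in SOD_CONFLICTS:
            if left <= u.entitlements and right <= u.entitlements:
                findings.append(Finding(u.user, "sod", left | right))
    return findings


# Constructed access export: what an auditor would pull from the directory.
SAMPLE_USERS = [
    UserAccess("alice", "accounts_payable",
               {"erp:invoices:read", "erp:invoices:write"}),
    UserAccess("bob", "accounts_payable",
               {"erp:invoices:read", "erp:invoices:write", "erp:payments:approve"}),
    UserAccess("carol", "help_desk", {"ad:users:reset_password", "ad:users:admin"}),
    UserAccess("dave", "contractor", {"ticketing:read"}),
]


def sample_review():
    return review_access(SAMPLE_USERS)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.user}: {f.kind} {sorted(f.detail)}")
```

The review output is the evidence an ITGC auditor asks for: each finding names the user, the kind of deviation, and the specific entitlements involved, so remediation can be tracked to closure.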
To maintain normal operations, organizations must establish backup and recovery strategies and practices. It is critical to protect resources, including data, business processes, databases, virtual machines (VMs), and applications. There is a wide range of backup and recovery options available, including cloud-based services, on-premises systems, and hybrid solutions.
IT infrastructure is constantly targeted by attackers. Organizations should establish continuous incident management practices and tooling that enable them to constantly monitor the environment, receive alerts on anomalous events, and rapidly respond to threats. However, since systems tend to send many false positive alerts, it is critical to set up automated processes that prioritize and validate incidents before notifying human teams.
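The automated prioritization and validation the paragraph calls for can be a small pipeline that runs before any page goes out. The following is an added example, not code from the original article: the alert fields, severity weights, suppression rules and sample alerts are all constructed. It suppresses known-benign sources, collapses repeats of the same alert within a time window, scores what remains by severity and context, and escalates only alerts above a threshold.

```python
"""Alert pre-triage: suppress, de-duplicate and score before paging humans.

Added example; alert format, weights, rules and sample alerts are constructed.
"""
from datetime import datetime, timedelta

# Base score per severity and two context boosts (constructed weights).
SEVERITY_BASE = {"low": 10, "medium": 40, "high": 70, "critical": 90}
CROWN_JEWEL_BOOST = 20
CORROBORATION_BOOST = 15

# Known-benign patterns (constructed): an authorised internal vulnerability
# scanner and the backup service account reading many files.
SUPPRESSION_RULES = [
    lambda a: a["type"] == "port_scan" and a["source_ip"] == "10.0.0.5",
    lambda a: a["type"] == "bulk_file_access" and a.get("user") == "svc_backup",
]


def score(alert):
    """Priority score 0-100 from severity plus asset and corroboration context."""
    s = SEVERITY_BASE[alert["severity"]]
    if alert.get("asset_tier") == "crown_jewel":
        s += CROWN_JEWEL_BOOST
    if alert.get("corroborated"):          # a second, independent source saw it
        s += CORROBORATION_BOOST
    return min(s, 100)


def triage(alerts, threshold=60, window=timedelta(minutes=10)):
    """Bucket alerts as escalate / queued / deduped / suppressed."""
    buckets = {"escalate": [], "queued": [], "deduped": [], "suppressed": []}
    last_seen = {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        if any(rule(alert) for rule in SUPPRESSION_RULES):
            buckets["suppressed"].append(alert)
            continue
        key = (alert["type"], alert["source_ip"], alert.get("user"))
        previous = last_seen.get(key)
        if previous is not None and alert["time"] - previous < window:
            buckets["deduped"].append(alert)
            continue
        last_seen[key] = alert["time"]
        scored = dict(alert, score=score(alert))
        buckets["escalate" if scored["score"] >= threshold else "queued"].append(scored)
    return buckets


# Constructed alert stream for one morning.
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_ALERTS = [
    {"time": T0, "type": "port_scan", "severity": "medium", "source_ip": "10.0.0.5"},
    {"time": T0 + timedelta(minutes=1), "type": "bulk_file_access", "severity": "low",
     "source_ip": "10.0.0.9", "user": "svc_backup"},
    {"time": T0 + timedelta(minutes=2), "type": "failed_login_burst", "severity": "medium",
     "source_ip": "203.0.113.7", "user": "alice"},
    {"time": T0 + timedelta(minutes=4), "type": "failed_login_burst", "severity": "medium",
     "source_ip": "203.0.113.7", "user": "alice"},      # repeat inside the window
    {"time": T0 + timedelta(minutes=20), "type": "failed_login_burst", "severity": "medium",
     "source_ip": "203.0.113.7", "user": "alice"},      # repeat after the window
    {"time": T0 + timedelta(minutes=5), "type": "malware_detected", "severity": "high",
     "source_ip": "10.1.2.3", "user": "bob", "asset_tier": "crown_jewel"},
    {"time": T0 + timedelta(minutes=6), "type": "privilege_escalation", "severity": "critical",
     "source_ip": "10.1.2.4", "user": "carol", "corroborated": True},
]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(bucket, [a["type"] for a in items])
```

Suppressed and de-duplicated alerts are kept rather than dropped, so the suppression list itself can be audited and a rule that silences something it should not can be found later.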
The term “information security” refers to all practices, processes, and tools used to protect a company’s information assets and systems. It is critical to implement standardized forms of information security, to ensure that information remains secure and protected.
This typically involves processes that prevent data loss of all types, including data theft, exfiltration, corruption, and accidental modification, as well as processes that protect against known cyber threats and techniques, and strategies for dealing with unknown and zero-day attacks.
An ITGC audit verifies whether appropriate procedures and processes are in place to ensure the confidentiality, integrity, and availability of information technology processes. By having strong IT general controls in place, organizations can limit their exposure to potential threats from both within their own environments and external sources.
Regulations and compliance requirements must be taken into account when considering IT General Controls to ensure the security of systems and data.
Organizations are held responsible for establishing IT controls that adhere to applicable laws, regulations, and industry standards. By leveraging IT General Controls, organizations can ensure they are meeting their legal requirements while protecting the security of their systems and customer data.
When it comes to ITGC compliance, one of the best practices is to assess the organization’s overall IT risk. This can help identify areas in need of improvement and prioritize remediation efforts. Another best practice is to conduct regular ITGC audits to ensure that controls remain effective and compliant. Organizations should also implement effective change management processes, including testing changes before deployment and monitoring for unauthorized changes.
Furthermore, organizations must ensure that system access is secure, such as using two-factor authentication and access control measures to restrict access to full system privileges to those approved by the IT security team. Organizations should also implement policies and procedures for managing data, monitor networks and systems regularly, and establish an incident response process for dealing with data breaches.
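A common ITGC change-management test is to reconcile what was actually deployed against the change tickets that were approved. The following is an added example, not code from the original article: the ticket fields, the deployment log format and all records are constructed. It flags deployments with no ticket, a ticket for a different system, deployment outside the approved window, missing test evidence, and the requester deploying their own change (a segregation-of-duties check).

```python
"""Reconcile a deployment log against approved change tickets.

Added example; ticket and deployment records are constructed sample data.
"""
from datetime import datetime

# Approved change tickets (constructed). "requested_by" raised the change,
# "window" is the approved deployment window, "tested" records whether
# pre-deployment test evidence was attached.
APPROVED_TICKETS = {
    "CHG-1001": {"system": "erp", "requested_by": "alice", "tested": True,
                 "window": (datetime(2024, 3, 1, 22, 0), datetime(2024, 3, 1, 23, 0))},
    "CHG-1002": {"system": "crm", "requested_by": "bob", "tested": True,
                 "window": (datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 2, 23, 0))},
    "CHG-1003": {"system": "hr", "requested_by": "carol", "tested": False,
                 "window": (datetime(2024, 3, 3, 22, 0), datetime(2024, 3, 3, 23, 0))},
}

# Deployment log as a CI/CD tool might export it (constructed).
DEPLOYMENTS = [
    {"id": "d1", "system": "erp", "when": datetime(2024, 3, 1, 22, 15),
     "ticket": "CHG-1001", "by": "deploy_bot"},
    {"id": "d2", "system": "erp", "when": datetime(2024, 3, 1, 14, 0),
     "ticket": None, "by": "alice"},
    {"id": "d3", "system": "crm", "when": datetime(2024, 3, 3, 9, 0),
     "ticket": "CHG-1002", "by": "deploy_bot"},
    {"id": "d4", "system": "hr", "when": datetime(2024, 3, 3, 22, 30),
     "ticket": "CHG-1003", "by": "carol"},
    {"id": "d5", "system": "crm", "when": datetime(2024, 3, 1, 22, 30),
     "ticket": "CHG-1001", "by": "deploy_bot"},
]


def reconcile(deployments, tickets):
    """Return (deployment id, reason) pairs for every control deviation."""
    findings = []
    for d in deployments:
        ticket = tickets.get(d["ticket"]) if d["ticket"] else None
        if ticket is None:
            findings.append((d["id"], "no approved change ticket"))
            continue
        if ticket["system"] != d["system"]:
            findings.append((d["id"], "ticket approved for a different system"))
        start, end = ticket["window"]
        if not start <= d["when"] <= end:
            findings.append((d["id"], "deployed outside approved window"))
        if not ticket["tested"]:
            findings.append((d["id"], "no test evidence before deployment"))
        if d["by"] == ticket["requested_by"]:
            findings.append((d["id"], "requester deployed their own change"))
    return findings


if __name__ == "__main__":
    for dep_id, reason in reconcile(DEPLOYMENTS, APPROVED_TICKETS):
        print(dep_id, reason)
```

Running this on a schedule, rather than only at audit time, is what turns "monitoring for unauthorized changes" from a yearly sample into a continuous control.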
In summary, IT General Controls are crucial for organizations to protect their systems and data from cyber threats and other malicious activities. IT General Controls cover areas such as system access, identity and authentication, change management, backups, segregation of duties, and system maintenance. Organizations should regularly assess their IT risk, conduct ITGC audits, implement effective change management processes, and ensure secure system access, among other best practices, to ensure that their controls remain effective and compliant.
Following a process when implementing IT general controls ensures a smooth, accurate implementation that minimizes the surprises that can impact schedules and frustrate team members.
Six key steps for conducting an IT general controls audit against a complementary framework are as follows.
Assess framework options and select the one that best aligns with the enterprise’s objectives and compliance requirements. In cases where an existing framework is not a close fit, some organizations select specific elements from multiple frameworks to guide internal audits of IT general controls.
Before beginning an audit, it is necessary to map an organization’s internal controls to the expected controls set forth in the framework.
Compare internal and framework controls to find any that are missing or deficient.
Corrective plans need to be developed and executed to remediate areas that fall short of framework expectations. This can be done in parallel with the testing phase.
Once controls are in place, testing is necessary to confirm that they are properly integrated and performing as expected.
When controls are implemented, they must be continuously monitored to ensure that they meet current requirements and take into consideration changes or additions that could impact IT general controls.
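Steps two through five above (map internal controls to the framework, find missing or deficient ones, plan remediation, and test) reduce to a gap analysis that can be kept in code and re-run as the control inventory changes. The following is an added example, not code from the original article: the framework control identifiers (FW-xx) and the internal control records are constructed placeholders, not identifiers from COBIT, NIST SP 800-34 or ITIL. A framework control counts as covered only if at least one mapped internal control is operating and has evidence; otherwise it is reported as deficient, or missing if nothing maps to it at all.

```python
"""Control-mapping gap analysis for an IT general controls audit.

Added example; framework and internal control records are constructed.
"""

# Expected controls from the chosen framework (constructed placeholder IDs).
FRAMEWORK_CONTROLS = {
    "FW-01": "Physical access to computing facilities is restricted and logged",
    "FW-02": "Access is granted on least privilege and reviewed periodically",
    "FW-03": "Changes are approved and tested before deployment",
    "FW-04": "Backups are taken and restoration is tested",
    "FW-05": "Security events are monitored and incidents responded to",
}

# The organisation's own controls, each mapped to the framework controls it
# is meant to satisfy. "status" is the latest test result; "evidence" is what
# was collected (constructed).
INTERNAL_CONTROLS = [
    {"id": "IC-A", "maps_to": ["FW-01"], "status": "operating",
     "evidence": "badge logs reviewed monthly"},
    {"id": "IC-B", "maps_to": ["FW-02"], "status": "designed", "evidence": None},
    {"id": "IC-C", "maps_to": ["FW-03", "FW-05"], "status": "operating",
     "evidence": "CAB minutes; SIEM runbooks"},
    {"id": "IC-D", "maps_to": ["FW-03"], "status": "failed",
     "evidence": "Q1 sample found unticketed changes"},
    {"id": "IC-E", "maps_to": ["FW-99"], "status": "operating", "evidence": "n/a"},
]


def gap_analysis(framework, internal):
    """Return (report, unmapped): report maps each framework control to
    'covered', 'deficient' or 'missing'; unmapped lists internal controls that
    reference framework controls which do not exist."""
    coverage = {fid: [] for fid in framework}
    unmapped = []
    for ic in internal:
        for fid in ic["maps_to"]:
            if fid in coverage:
                coverage[fid].append(ic)
            else:
                unmapped.append((ic["id"], fid))
    report = {}
    for fid in framework:
        mapped = coverage[fid]
        if not mapped:
            report[fid] = "missing"
        elif any(ic["status"] == "operating" and ic["evidence"] for ic in mapped):
            report[fid] = "covered"
        else:
            report[fid] = "deficient"
    return report, unmapped


def remediation_plan(report):
    """Framework controls needing corrective action, in ID order."""
    return sorted(fid for fid, state in report.items() if state != "covered")


if __name__ == "__main__":
    report, unmapped = gap_analysis(FRAMEWORK_CONTROLS, INTERNAL_CONTROLS)
    for fid, state in report.items():
        print(fid, state, "-", FRAMEWORK_CONTROLS[fid])
    print("unmapped:", unmapped)
    print("remediate:", remediation_plan(report))
```

The unmapped list matters as much as the gaps: an internal control that points at a framework control which does not exist is usually a stale mapping left over from a framework version change, and it would otherwise be counted as coverage by a less careful spreadsheet.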
IT general controls are a proven way to level up an organization’s security posture and optimize overall operations. Benefits realized with IT general controls include the following.
One of the principal reasons for using IT general controls is security. Following the guidelines and frameworks provided with IT general controls ensures that the right solutions are in place to provide protection from cyber attacks and other digital disasters. Among the systems that IT general controls bring to bear are identity and access management (IAM) driven by zero trust security principles, ongoing monitoring, encryption of data at rest and in motion, and anti-virus solutions.
IT general controls not only provide protections against the vulnerabilities that could cause IT service disruptions, but ensure rapid recovery. IT general controls guide security programs to prevent issues as well as help plan and test backup and recovery systems.
IT general controls reduce the volume and severity of risks associated with cyber threats from external and internal sources. Processes and systems are in place to ensure that endpoints (e.g., laptops, mobile devices, and internet of things (IoT) devices) are hardened, applications are regularly patched and updated, access is tightly managed, and employees receive security awareness training to help them identify the signs of a possible cyber attack and avoid social engineering tactics.
Using IT general controls in conjunction with larger IT frameworks, such as COBIT, COSO, and ISO 27001, ensures that organizations have the right systems in place to meet the requirements of most compliance audits.
IT systems are now an essential part of many businesses' daily operations. IT General Controls are applicable to organizations of all sizes; companies should evaluate their situation in light of the framework and determine how risks are mitigated in their organization. An annual assessment of an organization's controls against the IT General Controls framework, together with the implementation of mitigating controls for identified problems, will help an organization address the relevant problem areas as it grows.
Aspire High Consultants is a boutique IT Risk Solution consulting firm currently engaged in the business of providing risk management solutions in specific domains