
What are IT General Controls (ITGC)?

Information Technology (IT) is a foundational part of every organization. It encompasses the solutions and systems that users interact with directly, as well as those that operate behind the scenes and come to the fore only when there is a disruption or incident (e.g., networks and web servers). IT general controls provide a set of directives for controlling how IT resources are used and managed, along with guidelines for enterprise security to protect against cybersecurity threats.

Implementing IT general controls ensures that the IT resources that users rely on and the critical IT infrastructure needed to keep organizations running are secure and optimized.

While organizations have pieces and parts of IT general controls, they must be considered holistically to ensure business continuity and compliance. Following is a review of IT general controls that will help teams coalesce around a strong ITGC strategy.

Definition of IT general controls

IT general controls are internal policies that govern how an organization’s technology is acquired, architected, deployed, used, and maintained. Key functions under IT general controls include:

  • access control to physical facilities
  • software implementation
  • user account creation
  • data management
  • computing infrastructure
  • applications
  • data security

IT general controls also cover the security and compliance aspects of system development, such as lifecycle and change management controls, backup and recovery, and operational controls.

For some organizations, IT general controls are guidelines to ensure optimal operational efficiency and cybersecurity. Others are required to follow them. Organizations such as those in the financial services and healthcare sectors must establish and maintain IT general controls to comply with applicable regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX)).

Why are IT general controls important?

  • Address vulnerabilities proactively
  • Ensure the confidentiality, integrity, and availability of data
  • Govern how an organization’s IT systems operate
  • Help organizations meet compliance requirements
  • Improve the reliability and accuracy of financial reporting
  • Keep systems tested and implemented correctly
  • Minimize the risk of fraud
  • Mitigate unauthorized access, data breaches, and operational disruptions
  • Protect the enterprise’s reputation
  • Provide assurance that security systems and networks are updated regularly
  • Reduce the chances of an internal or external breach and noncompliance
  • Safeguard customer information

ITGC examples and components

Access controls on programs and data

Access controls define who can see and use what data and systems. They reduce the risk of data breaches and unauthorized data manipulation by preventing unauthorized access. Effective access controls include:

Change management controls

Change management controls provide guidelines for rolling out changes to IT systems and services to minimize disruptions. Changes considered with change management controls are adding, modifying, or removing anything related to IT infrastructure or code that could directly or indirectly affect services. Change management controls also include the planning and documentation of changes to provide context and transparency.

Computer operation controls

Computer operations controls ensure that computers are optimally programmed to meet requirements for storing, processing, and accessing data and running programs efficiently.

Data backup and recovery controls

Data backup and recovery controls help organizations minimize disruption to operations. They ensure that resources, including data, business processes, databases, systems, and applications, are backed up and can be quickly restored to facilitate the resumption of normal operations. This component of IT general controls also includes guidance for regular testing to ensure preparedness and to address any issues that may have arisen since the systems were put in place.

Data protection controls

Data protection controls include processes and technology to protect against all types of data loss, including data theft, corruption, and accidental access and changes. Data loss prevention systems should be in place and optimized to protect endpoints, networks, and cloud environments. Systems should be tested, applying various attack approaches to ensure that defenses perform as expected.

Incident management controls

Organizations need to plan for potential incidents and test these plans to ensure effective and rapid response if one occurs. If an incident occurs, in addition to recovery steps, plans need to be in place to record details of the incident to be used to identify the root cause and ensure that it does not happen again. Tools should also be in place to detect signs of a potential incident to allow for a proactive response.

IT operation controls

IT general controls include specific directions for IT operation controls. These include optimally deploying and managing broad security solutions, such as email filtering, firewalls, and anti-virus software. IT operation controls also cover penetration testing scheduling and policies related to bring your own device (BYOD).

Physical and environmental data center security controls

While most cybersecurity threats are thought to be digital, physical devices in data centers also pose risks. IT general controls include specific requirements for protecting data centers from unauthorized access and events that compromise the environment.

Physical access to data centers is usually controlled with biometric access technologies, keypad access, or proximity cards, often requiring multi-factor authentication, as well as on-site security and video surveillance.

Sensors are commonly used to monitor data center environments, triggering alarms when temperatures are out of range or moisture is detected.

System lifecycle controls

An important part of IT general controls is system lifecycle controls. These controls cover the management of patches and updates to applications, systems, and networks. They also cover related procedures and system monitoring.

ITGC implementation

Following a process when implementing IT general controls ensures a smooth, accurate implementation that minimizes the surprises that can impact schedules and frustrate team members.

  1. Define the scope for IT general controls.
  2. Design IT general controls.
  3. Establish consistent processes for testing compliance.
  4. Create a baseline.
  5. Implement IT general controls.
  6. Test IT general controls.
  7. Assess risks and assign risk scores.
  8. Prioritize remediation of deficiencies.
  9. Review test plans and update them as requirements change.

ITGC compliance frameworks

A compliance framework helps organizations organize and categorize applicable IT general controls. This not only ensures that the right controls are in place, but also prepares organizations for audits.

Commonly used frameworks that complement ITGC and facilitate audits include COBIT, COSO, ISO, NIST SP 800-34, and ITIL.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework is the most widely used internal control framework. COSO provides specific guidance for designing and implementing internal risk management controls.

The COSO control framework is composed of five components with 17 principles and 87 supporting points. The five key components of COSO are:

  1. Control environments
  2. Existing control activities
  3. Information and communications
  4. Monitoring activities
  5. Risk assessment and management

COBIT

Within the IT audit community, COBIT is the most widely used IT control framework. ISACA (Information Systems Audit and Control Association) owns the COBIT (Control Objectives for Information and Related Technology) framework and designed it for IT governance and management.

Some professionals refer to COBIT as a guideline aggregation framework. As an internal control integrated framework, it cross-references many of the other popular IT frameworks, making it an IT security framework that addresses the IT side of business risk.

The IT Governance Institute established the Control Objectives for Information Technology (COBIT) framework to outline recommended ITGC objectives and approaches. The basic premise behind COBIT is that IT processes should satisfy specific business requirements to streamline operations and safeguard enterprise data.

The five key COBIT principles are:

  • Cover the organization end to end.
  • Differentiate governance and management.
  • Meet stakeholder needs.
  • Take a holistic approach to governance.
  • Use a single integrated framework.

ISO 27001

The International Organization for Standardization standard 27001 (ISO 27001) provides policies and procedures to mitigate legal, physical, and technical risks associated with implementing, improving, maintaining, monitoring, and reviewing information security management systems. It uses a top-down approach with six steps:

  1. Define a security policy.
  2. Define the scope of the information security management system.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select controls to be implemented.
  6. Prepare a statement of applicability.

NIST SP 800-34

NIST SP 800-34 Contingency Planning Guide for Information Technology Systems provides a seven-step process for creating an information system contingency plan (ISCP).

  1. Develop a contingency planning policy statement that assigns organizational authority and provides directions for the enforcement of an effective contingency plan.
  2. Conduct a business impact analysis (BIA) to identify and prioritize critical information systems and components.
  3. Identify and define incident prevention and mitigation measures to optimize system availability and minimize disruptions.
  4. Detail contingency strategies to ensure speedy recovery of systems and processes in the wake of a disruption.
  5. Create an information system recovery plan that details how to repair a damaged system or bring in an alternative solution for restoring functional processes.
  6. Test plans and provide training with simulation exercises to prepare for an incident and identify any gaps.
  7. Keep plans updated to ensure that new systems or changes are covered.

ITIL

The Information Technology Infrastructure Library (ITIL) is a framework that provides guidance and best practices for managing the five stages of the IT service lifecycle:

  1. Strategy
  2. Design
  3. Transition
  4. Operation
  5. Ongoing monitoring and improvement

Conducting an audit with an ITGC framework

Six key steps for conducting an IT general controls audit with a complementary framework are as follows.

Step 1: Select the framework
Assess framework options and select the one that best aligns with the enterprise’s objectives and compliance requirements. In cases where an existing framework is not a close fit, some organizations select specific elements from multiple frameworks to guide internal audits of IT general controls.

Step 2: Map internal controls to framework controls
Before beginning an audit, it is necessary to map an organization’s internal controls to the expected controls set forth in the framework.

Step 3: Perform a gap analysis
Compare internal and framework controls to find any that are missing or deficient.

Step 4: Create and execute a plan that includes how to address gaps and deficiencies
Corrective plans need to be developed and executed to remediate areas that fall short of framework expectations. This can be done in parallel with the testing phase.

Step 5: Test control efficacy
Once controls are in place, testing is necessary to confirm that they are properly integrated and performing as expected.

Step 6: Monitor mitigation activity
When controls are implemented, they must be continuously monitored to ensure that they meet current requirements and take into consideration changes or additions that could impact them.

ITGC and security

Key areas where IT general controls support security initiatives include the following.

Insider threats

IT general controls include limits on data access and movement to prevent malicious or accidental breaches. By monitoring employees, partners, vendors, interns, and contractors, commonly exploited weak links are understood and managed.

External threats

IT general controls ensure that protections are in place to help fight external threats. These include eliminating known vulnerabilities in systems and applications, limiting access to the minimum required (i.e., least privilege), preventing lateral movement, enforcing strong password management, and requiring security awareness training for all employees.

Risk mitigation

Areas where IT general controls mitigate risks include financial, operational, and reputational. The processes and protections that come with IT general controls are proven to reduce risks in these key areas by ensuring that organizations deploy and maintain the right systems and solutions to minimize attack surfaces and ensure business continuity.

Benefits of IT general controls

IT general controls are a proven way to uplevel an organization’s security posture and optimize overall operations. Benefits realized with IT general controls include the following.

Enhanced security

One of the principal reasons for using IT general controls is security. Following the guidelines and frameworks provided with IT general controls ensures that the right solutions are in place to provide protection from cyber attacks and other digital disasters. Among the systems that IT general controls bring to bear are identity and access management (IAM) driven by zero trust security principles, ongoing monitoring, encryption of data at rest and in motion, and anti-virus solutions.

Ensured business continuity

IT general controls not only provide protections against the vulnerabilities that could cause IT service disruptions, but ensure rapid recovery. IT general controls guide security programs to prevent issues as well as help plan and test backup and recovery systems.

Improved risk management

IT general controls reduce the volume and severity of risks associated with cyber threats from external and internal sources. Processes and systems are in place to ensure that endpoints (e.g., laptops, mobile devices, and internet of things (IoT) devices) are hardened, applications are regularly patched and updated, access is tightly managed, and employees receive security awareness training to help them identify the signs of a possible cyber attack and avoid social engineering tactics.

Increased regulatory compliance

Using IT general controls in conjunction with larger IT frameworks, such as COBIT, COSO, and ISO 27001, ensures that organizations have the right systems in place to meet the requirements of most compliance audits.

ITGC best practices

As teams look for additional ways to bolster their security posture to address evolving threats, IT general controls can help. Consider these best practices.

Implement and follow security frameworks

Security frameworks, such as COBIT, COSO, and ISO 27001, help organizations align security programs and practices with proven implementation and management methodologies. In addition, these frameworks prepare organizations for compliance audits by ensuring that the appropriate IT general controls are in place to meet requirements.

Install all patches and updates

All application, system, and network updates should be installed regularly to ensure protection from vulnerabilities. Cyber attackers are aware of these vulnerabilities and use them as points of entry when launching attacks. IT general controls include provisions that require regular updates and ongoing monitoring for application, system, and network patches and updates.

Integrate IT general controls into procurement processes

When acquiring new systems, software, or services, include questions about how vendors address security and assess the degree to which they use IT general controls.

Provide security awareness training for team members

Employees are a favorite attack vector for cyber attackers. It only takes one employee to make a mistake for attackers to gain access to IT systems.

Careless or uninformed employees routinely fall prey to cyber attackers’ ploys that effectively leverage a range of tactics, from phishing to other social engineering campaigns.

Training employees to be aware of the approaches that cyber attackers use helps prevent mistakes that provide those attackers with access.

In addition, employees should be trained and tested on IT general controls to ensure they understand why they are in place and how to abide by them. Whether it is online webinars or in-person classes, security awareness is critical for stopping cyber attackers and gaining the most from IT general controls.

Use IT general controls strategically

Take a step back and consider the ultimate goals for IT general controls. Then, build out processes to execute strategies for achieving these objectives. This ensures that the organization uses IT general controls optimally on an ongoing basis.

Use IT general controls to protect against cybersecurity threats and reduce risk

IT general controls provide the structure and strategies needed to protect digital assets and supporting systems from cybersecurity threats and facilitate risk mitigation efforts. Taking the time to understand the nuances of IT general controls means that they are easier to implement and maintain. Organizations that prioritize IT general controls see risks reduced and overall cybersecurity improved.

DISCLAIMER: THE INFORMATION CONTAINED IN THIS ARTICLE IS FOR INFORMATIONAL PURPOSES ONLY, AND NOTHING CONVEYED IN THIS ARTICLE IS INTENDED TO CONSTITUTE ANY FORM OF LEGAL ADVICE. SAILPOINT CANNOT GIVE SUCH ADVICE AND RECOMMENDS THAT YOU CONTACT LEGAL COUNSEL REGARDING APPLICABLE LEGAL ISSUES.

Answers to frequently asked questions about IT general controls

What are IT General Controls (ITGC)?

IT general controls (ITGC) are policies, procedures, and technical mechanisms used to reduce risk by ensuring that objectives are met, including meeting standards for the availability, reliability, integrity, and security of an organization’s information systems. These controls establish guidelines for acquiring, deploying, and operating technology systems and resources to protect them from cyber threats. The main areas covered under ITGC include:

  • Access controls for systems and data
  • Change management
  • Data and system backup and recovery
  • IT operations
  • Physical security
  • System development lifecycle oversight

What are the main benefits of ITGC?

Among the many benefits of ITGCs are support for:

  • Alignment of IT with organizational governance, security, and compliance requirements
  • Security-conscious culture
  • Establishment of baseline security safeguards
  • Maximum system uptime
  • Reduced risk by preventing unauthorized access, unintended changes, and data loss
  • Regulatory compliance with industry standards and legal mandates
  • Responsible IT stewardship
  • Strong reputational protection

Why are IT General Controls important?

Organizations should have ITGCs because they provide the stable, secure foundation needed for systems, data, and business processes to operate reliably, help meet audit and compliance requirements, and enable effective risk management by:

  • Applying standardized protocols that safeguard sensitive systems and data.
  • Building stakeholder trust with demonstrable controls as evidence of sound governance.
  • Enabling compliance goals with broadly applicable compliance mandates, such as those set forth by SOX (the Sarbanes-Oxley Act), the Health Insurance Portability and Accountability Act (HIPAA), and PCI DSS (the Payment Card Industry Data Security Standard).
  • Improving recovery and resilience with tested backups, job controls, and change management.
  • Protecting the integrity of systems and data by preventing unauthorized access, tampering, or accidental changes.
  • Providing auditability and accountability with logging, segregation of duties, and documented processes.
  • Reducing incident frequency and impact with strong access controls, patching and update protocols, backup and recovery standards, and continuous monitoring.
  • Supporting accurate financial and operational reporting that auditors can trust.
  • Establishing governance mechanisms over how IT systems function.

What are examples of IT General Controls?

The ITGCs most broadly used to ensure that systems are reliable, secure, and auditable, together with common use cases for each, include the following.

  • Access management solutions (e.g., role-based access controls, strong password rules, and multi-factor authentication) to restrict access to systems and data.
  • Backup and recovery (e.g., regular backups, offsite copies, and disaster recovery runbooks and drills) to ensure data recovery and service continuity after incidents.
  • Change management (e.g., change ticket with approvals, test/rollback plan, scheduled change windows) to provide a formal process to request, approve, test, and deploy changes.
  • Configuration management and hardening (e.g., CIS benchmarks enforced via infrastructure as code and configuration management tools) to enforce baselines and controls to prevent insecure configurations.
  • Digital forensics and incident response (e.g., incident response playbooks and post-incident investigation plans).
  • Encryption and key management (e.g., TLS or transport layer security for data in transit and KMS or key management service/system for key rotation) to protect data at rest and in transit, as well as to secure key lifecycles.
  • Logging, monitoring, and alerting (e.g., centralized SIEM (Security Information and Event Management) with retention and alerts for anomalies) to capture and review system and user activity logs to detect issues.
  • Operations and job scheduling controls (scheduled backups with automated verification and alerting) to maintain control over batch jobs, backups, and production operations.
  • Patch management (e.g., schedule for installing routine update patches and timeframes for installing security-related patches) to ensure up-to-date systems and timely remediation of software vulnerabilities.
  • Physical security (e.g., badge access, CCTV, and locked server rooms) to prevent unauthorized access to servers, network equipment, and storage.
  • Privileged access management (e.g., just-in-time access and session recording) to enforce more stringent controls on admin and root accounts.
  • Separation of duties (e.g., developers cannot promote code to production without ops approval) to prevent individuals from controlling conflicting functions.
  • System development lifecycle (SDLC) management (e.g., code reviews, SAST/SCA (Static Application Security Testing/Software Composition Analysis) in CI (Continuous Integration), and pre-production testing) to enforce secure development practices and testing before release.
  • Third-party and vendor management (e.g., contractual security requirements and periodic assessments) to set rules for vendor access, SLAs, and security posture baselines.
  • User provisioning and deprovisioning (e.g., HR-triggered automated provisioning or deprovisioning when someone starts or leaves an organization) to add, modify, and remove user accounts promptly.

How are IT General Controls implemented?

To implement ITGCs, define, deploy, and maintain policies, technical configurations, operating procedures, and enforced workflows. They should be monitored and routinely tested to ensure that auditors and stakeholders can verify they operate effectively. The following ITGC implementation steps should include collaboration between IT, compliance, and audit teams, as well as business units, to ensure that the controls are integrated into operations. This structured approach is critical for minimizing the risk of cyber threats, supporting audit readiness, and maintaining business continuity.

  • Scope and assess risk
    Identify and assign a risk score for systems and processes that support financial reporting, sensitive data, and critical functions. Be sure to include any compliance requirements for each. Then, prioritize controls based on risk (i.e., impact × likelihood).
  • Define objectives
    Write clear policy statements for each ITGC category and map each policy to one or more measurable control objectives and required evidence.
  • Design technical controls
    Select tools to enforce technical controls, such as access management, change management, and backup and recovery systems and plans. Implement processes to manage these controls, using automation where possible.
  • Test and validate controls
    Run periodic control testing with internal control owners and auditors. Also, conduct regular technical testing (e.g., vulnerability scans, penetration tests, and backup-restore drills).
  • Monitor and alert
    Define KPIs (e.g., time-to-provision/deprovision, patching SLA, backup success rate, number of privileged sessions, and failed login trends). Set up systems to send alerts on failures or exceptions and automate remediation where possible.
  • Collect evidence and documentation
    Keep machine-readable evidence (e.g., ticket IDs, pipeline logs, configuration commits, privileged account session records, SIEM incidents, and backup logs). Also, maintain version-controlled copies of runbooks and policies.
  • Enforce governance
    Assign control owners (e.g., security, IT ops, and development teams). Also create an operating model for periodic review, change control for policies, and audit facilitation.
  • Continuous improvement
    Following incidents, conduct root-cause analysis and update controls and playbooks as needed. Also, conduct regular audits, tabletop exercises, and metrics-driven tuning.

What are the compliance frameworks related to IT General Controls?

Compliance frameworks related to IT General Controls (ITGC) serve as structured guidelines that organizations can use to align their IT systems and processes with both regulatory and best practice requirements. These frameworks include:

  • CIS (Center for Internet Security) Controls
  • COBIT (Control Objectives for Information and Related Technologies)
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  • FedRAMP
  • ISO/IEC 27001
  • ITIL (Information Technology Infrastructure Library)
  • NIST 800-34
  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53)
  • SOC 2 (second version of Service Organization Controls)

What are some examples of how IT general controls are applied?

IT general controls are applied in a range of scenarios across industries to maintain security, operational integrity, and compliance. Several examples include:

  • Financial sector
    Stringent access controls are implemented to ensure that only authorized personnel can view or modify sensitive financial data to support accurate financial reporting and regulatory mandates.
  • Healthcare providers
    Regular data backup and disaster recovery controls protect patient health information, comply with regulations, and minimize the risk of service disruptions.
  • Technology firms
    Change management controls are enforced during software updates to document all system modifications to mitigate potential operational disruptions and reduce the risk of unauthorized changes.

What are some real-world examples that illustrate the importance of ITGC?

The following real-world incidents illustrate how IT general controls (ITGC) serve as critical safeguards for organizations.

Target (2013)

  • Attackers used stolen credentials from an HVAC vendor to pivot and exfiltrate customer card data
  • Failed ITGCs: vendor access controls, network segmentation, and third-party onboarding

Equifax (2017)

  • Attackers exploited a known, unpatched vulnerability in a public-facing web application to access consumer data
  • Failed ITGCs: patch and vulnerability management, asset inventory, and emergency change process

SolarWinds supply-chain (2020)

  • Malicious code was injected into a trusted vendor’s build, distributing compromised updates to customers.
  • Failed ITGCs: secure SDLC/build integrity, CI/CD change controls, and third-party risk management

Capital One (2019)

  • Misconfigured cloud resources and overly permissive IAM allowed attackers to access customer data.

  • Failed ITGCs: cloud configuration and infrastructure as code (IaC) controls, IAM entitlement management, and logging

NHS (2017)

  • WannaCry ransomware exploited SMB/EternalBlue, encrypting systems across many NHS trusts and disrupting care.
  • Failed ITGCs: patch management, asset inventory, backup and recovery, segmentation, and incident response readiness

Uber (2022)

  • Attackers accessed internal systems using stolen or abused credentials; later incidents involved internal-system compromise.
  • Failed ITGCs: privileged access management, user provisioning/deprovisioning, secrets management, and monitoring

What are some practical examples of ITGC implementation?

Practical examples of IT General Controls (ITGC) implementations include:

  • Critical infrastructure (e.g., utilities and energy grids)—record privileged sessions for consoles and test emergency failover playbooks regularly
  • Financial services—enforce multi-factor authentication and least-privilege access controls on all trading and treasury systems
  • Healthcare—use integrity monitoring, access logging, and alerting for unusual patient-data access on EHR systems
  • Compliance—use encrypted repositories for sensitive data with key-rotation and strict audit trails for client access
  • Retail and e-commerce—segment POS networks, conduct regular PCI scans, and enforce strict change controls for checkout code

How is the integration of compliance frameworks with ITGC accomplished in practice?

Integrating compliance frameworks with IT general controls (ITGC) in practice begins with a comprehensive assessment of organizational objectives, risk appetite, and regulatory obligations. It also requires:

  • Ensuring that selected frameworks are contextually relevant and adequately address both business needs and compliance mandates.
  • Mapping existing ITGCs to specific framework requirements, often through the creation of detailed control matrices that identify where current policies and technical safeguards align with, or diverge from, the framework’s principles.
  • Collaboration between IT, compliance, and business stakeholders to document current control activities, analyze any gaps, and develop remediation plans for deficiencies.
  • Operationalizing the integrated framework by establishing ongoing procedures for monitoring, testing, and auditing ITGC effectiveness.
  • Leveraging automation where applicable to facilitate control enforcement and streamline evidence collection.
  • Conducting regular training and awareness initiatives to ensure that all relevant personnel understand both the controls themselves and the reasons for compliance, thus fostering a culture of accountability.
  • Having management periodically review and update the integrated ITGC and compliance structure in response to regulatory changes, technological advances, or shifts in business strategy.
  • Enabling continuous improvement.
  • Maintaining a robust security and compliance posture.
Date: December 29, 2025