What are IT General Controls (ITGC)?

Information Technology (IT) is a foundational part of every organization. It encompasses the solutions and systems that users interact directly with and those behind the scenes and only come to the fore when there is a disruption or incident (e.g., networks and web servers). IT general controls provide a set of directives for controlling how IT resources are used and managed, along with guidelines for enterprise security to protect from cybersecurity threats.

Implementing IT general controls ensures that the IT resources that users rely on and the critical IT infrastructure needed to keep organizations running are secure and optimized.

While organizations have pieces and parts of IT general controls, they must be considered holistically to ensure business continuity and compliance. Following is a review of IT general controls that will help teams coalesce around a strong IT general controls strategy.

Definition of IT general controls

IT general controls are internal policies that govern how an organization’s technology is acquired, architected, deployed, used, and maintained. Key functions under IT general controls include:

• access control to physical facilities
• software implementation
• user account creation
• data management
• computing infrastructure
• applications
• data security

IT general controls also cover security and compliance aspects of the system development, such as lifecycle and change management controls, backup and recovery, and operational controls.

For some organizations, IT general controls are guidelines to ensure optimal operational efficiency and cybersecurity. Others are required to follow them. Organizations such as those in the financial services and healthcare sectors must establish and maintain IT general controls to comply with applicable regulations (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act (SOX)).

Why are IT general controls important?

• Address vulnerabilities proactively
• Ensure the confidentiality, integrity, and availability of data
• Govern how an IT system organization operates
• Help organizations meet compliance requirements
• Improve the reliability and accuracy of financial reporting
• Keep systems tested and implemented correctly
• Minimize the risk of fraud
• Mitigate unauthorized access, data breaches, and operational disruptions
• Protect the enterprise’s reputation
• Provide assurance that security systems and networks are updated regularly
• Reduce the chances of an internal or external breach and noncompliance
• Safeguard customer information

ITGC examples and components

Access controls on programs and data

Access controls define who can see and use what data and systems. They reduce the risk of data breaches and unauthorized data manipulation by preventing unauthorized access. Effective access controls include:

• Biometric authentication
• Full disk encryption 
• Least-privilege access
• Multi-factor authentication
• Password management
• Password rotation
• Strong passwords

Change management controls

Change management controls provide guidelines for rolling out changes to IT systems and services to minimize disruptions. Changes considered with change management controls are adding, modifying, or removing anything related to IT infrastructure or code that could directly or indirectly affect services. Change management controls also include the planning and documentation of changes to provide context and transparency.

Computer operation controls

Computer operations controls ensure that computers are optimally programmed to meet requirements for storing, processing, and accessing data and running programs efficiently.

Data backup and recovery controls

Data backup and recovery controls help organizations minimize disruption operations. They ensure that resources, including data, business processes, databases, systems, and applications, are backed up and can be quickly restored to facilitate the resumption of normal operations. This component of IT general controls also includes guidance for regular testing to ensure preparedness and address any issues that may have arisen since the systems were put in place.

Data protection controls

Data protection controls include processes and technology to protect against all types of data loss, including data theft, corruption, and accidental access and changes. Data loss prevention systems should be in place and optimized to protect endpoints, networks, and cloud environments. Systems should be tested, applying various attack approaches to ensure that defenses perform as expected.

Incident management controls

Organizations need to plan for potential incidents and test these plans to ensure effective and rapid response if one occurs. If an incident occurs, in addition to recovery steps, plans need to be in place to record details of the incident to be used to identify the root cause and ensure that it does not happen again. Tools should also be in place to detect signs of a potential incident to allow for a proactive response.

IT operation controls

IT general controls include specific directions for IT operation controls. These include optimally deploying and managing broad security solutions, such as email filtering, firewalls, and anti-virus software. IT operation controls also cover penetration testing scheduling and policies related to bring your own device (BYOD).

Physical and environmental data center security controls

While most cybersecurity threats are thought to be digital, physical devices in data centers also pose risks. IT general controls include specific requirements for protecting data centers from unauthorized access and events that compromise the environment.

Physical access to data centers is usually controlled with biometric access technologies, keypad access, or proximity cards, often requiring multi-factor authentication, as well as on-site security and video surveillance.

Sensors are commonly used to monitor data center environments, triggering alarms when temperatures are out of range or moisture is detected.

System lifecycle controls

An important part of IT general controls is system lifecycle controls. These controls cover the management of patches and updates to applications, systems, and networks. They also cover related procedures and system monitoring.

ITGC implementation

Following a process when implementing IT general controls ensures a smooth, accurate implementation that minimizes the surprises that can impact schedules and frustrate team members. 

1. Define the scope for IT general controls.
2. Design IT general controls.
3. Establish consistent processes for testing compliance.
4. Create a baseline.
5. Implement IT general controls.
6. Test IT general controls.
7. Assess risks and assign risk scores.
8. Prioritize remediation of deficiencies.
9. Review test plans and update them as requirements change. 

ITGC compliance frameworks

A compliance framework helps organizations organize and categorize applicable IT general controls. This not only ensures that the right controls are in place, but also prepares organizations for audits.

Commonly used frameworks that complement ITGC and facilitate audits include COBIT, COSO, ISO, NIST SP 800-34, and ITIL.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework is the most widely used internal control framework. COSO provides specific guidance for designing and implementing internal risk management controls.

The COSO control framework is composed of five components with 17 principles and 87 supporting points. The five key components of COSO are:

1. Control environments 
2. Existing control activities 
3. Information and communications  
4. Monitoring activities
5. Risk assessment and management

COBIT

Within the IT audit community, COBIT is the most popular IT control framework example. ISACA (Information Systems Audit and Control Association) owns the COBIT (Control Objectives for Information and Related Technology) framework and designed it for IT governance and management.

Some professionals refer to COBIT as a guideline aggregation framework. As an internal control integrated framework, it cross-references many of the other popular IT frameworks, making it an IT security framework that addresses the IT side of business risk.

The IT Governance Institute established the Control Objectives for Information Technology (COBIT) framework to outline recommended ITGC objectives and approaches. The basic premise behind COBIT is that IT processes should satisfy specific business requirements to streamline operations and safeguard enterprise data.

The five key COBIT principles are:

• Cover the organization end to end.
• Differentiate governance and management.
• Meet stakeholder needs.
• Take a holistic approach to governance.
• Use a single integrated framework.

ISO 27001

The International Organization for Standards 27001 (ISO 27001) provides policies and procedures to mitigate legal, physical, and technical risks associated with implementing, improving, maintaining, monitoring, and reviewing information security management systems. It uses a top-down approach with six steps:

1. Define a security policy.
2. Scope of the information security management system.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select controls to be implemented.
6. Prepare a statement of applicability.

NIST SP 800-34

NIST SP 800-34 Contingency Planning Guide for Information Technology Systems provides a seven-step process for creating an information system contingency plan (ISCP).

1. Develop a contingency planning policy statement that assigns organizational authority and provides directions for the enforcement of an effective contingency plan.
2. Conduct a business impact analysis (BIA) to identify and prioritize critical information systems and components.
3. Identify and define incident prevention and mitigation measures to optimize system availability and minimize disruptions. 
4. Detail contingency strategies to ensure speedy recovery of systems and processes in the wake of a disruption.
5. Create an information system recovery plan that details how to repair a damaged system or bring in an alternative solution for restoring functional processes.
6. Test plans and provide training with simulation exercises to prepare for an incident and identify any gaps.
7. Keep plans updated to ensure that new systems or changes are covered.

ITIL

The Information Technology Infrastructure Library (ITIL) is a framework that provides guidance and best practices for managing the five stages of the IT service lifecycle:

1. Strategy
2. Design
3. Transition
4. Operation
5. Ongoing monitoring and improvement

Conducting an audit with an ITGC framework

Six key steps for conducting an audit with a framework that complements IT general controls control audit are as follows.

Step 1: Select the framework
Assess framework options and select the one that best aligns with the enterprise’s objectives and compliance requirements. In cases where an existing framework is not a close fit, some organizations select specific elements from multiple frameworks to guide internal audits of IT general controls.

Step 2: Map internal controls to framework controls
Before beginning an audit, it is necessary to map an organization’s internal controls to the expected controls set forth in the framework. 

Step 3: Perform a gap analysis
Compare internal and framework controls to find any that are missing or deficient. 

Step 4: Create and execute a plan that includes how to address gaps and deficiencies
Corrective plans need to be developed and executed to remediate areas that fall short of framework expectations. This can be done in parallel with the testing phase.

Step 5: Test control efficacy
Once controls are in place, testing is necessary to confirm that they are properly integrated and performing as expected.

Step 6: Monitor mitigation activity
When controls are implemented, they must be continuously monitored to ensure that they meet current requirements and take into consideration changes or additions that could impact IT general controls.

ITGC and security

Key areas where IT general controls support security initiatives include the following. 

Insider threats

IT general controls include limits on data access and movement to prevent malicious or accidental breaches. By monitoring employees, partners, vendors, interns, and contractors, commonly exploited weak links are understood and managed. 

External threats

IT general controls ensure that protections are in place to help fight external threats. These include eliminating known vulnerabilities in systems and applications, limiting access to the minimum required (i.e., least privilege), preventing lateral movement, enforcing strong password management, and requiring security awareness training for all employees.

Risk mitigation

Areas where IT general controls mitigate risks include financial, operational, and reputational. The processes and protections that come with IT general controls are proven to reduce risks in these key areas by ensuring that organizations deploy and maintain the right systems and solutions to minimize attack surfaces and ensure business continuity.  

Benefits of IT general controls

IT general controls are a proven way to uplevel an organization’s security posture and optimize overall operations. Benefits realized with IT general controls include the following.

Enhanced security

One of the principal reasons for using IT general controls is security. Following the guidelines and frameworks provided with IT general controls ensures that the right solutions are in place to provide protection from cyber attacks and other digital disasters. Among the systems that IT general controls bring to bear are identity and access management (IAM) driven by zero trust security principles, ongoing monitoring, encryption of data at rest and in motion, and anti-virus solutions.

Ensured business continuity

IT general controls not only provide protections against the vulnerabilities that could cause IT service disruptions, but ensure rapid recovery. IT general controls guide security programs to prevent issues as well as help plan and test backup and recovery systems.

Improved risk management

IT general controls reduce the volume and severity of risks associated with cyber threats from external and internal sources. Processes, and systems are in place to ensure that endpoints (e.g., laptops, mobile devices, and internet of things (IoT) devices) are hardened, applications are regularly patched and updated, access is tightly managed, and employees receive security awareness training to help them identify the signs of a possible cyber attack and avoid social engineering tactics.

Increased regulatory compliance

Using IT general controls in conjunction with larger IT frameworks, such as COBIT, COSO, and ISO 27001, ensures that organizations have the right systems in place to meet the requirements of most compliance audits. 

ITGC best practices

As teams look for additional ways to bolster their security posture to address evolving threats, IT general controls can help. Consider these best practices. 

Implement and follow security frameworks

Security frameworks, such as COBIT, COSO, and ISO 27001, help organizations align security programs and practices with proven implementation and management methodologies. In addition, these frameworks prepare organizations for compliance audits by ensuring that the appropriate IT general controls are in place to meet requirements.

Install all patches and updates

All application, system, and network updates should be installed regularly to ensure protection from vulnerabilities. Cyber attackers are aware of these vulnerabilities and use them as points of entry when launching attacks. IT general controls include provisions that require regular updates and ongoing monitoring for application, system, and network patches and updates.

Integrate IT general controls into procurement processes

When acquiring new systems, software, or services, include questions about how vendors address security and assess the degree to which they use IT general controls.

Provide security awareness training for team members

Employees are a favorite attack vector for cyber attackers. It only takes one employee to make a mistake for attackers to gain access to IT systems.

Careless or uninformed employees routinely fall prey to cyber attackers’ ploys that effectively leverage a range of tactics, from phishing to other social engineering campaigns.

Training employees to be aware of the approaches that cyber attackers use helps prevent mistakes that provide those attackers with access.

In addition, employees should be trained and tested on IT general controls to ensure they understand why they are in place and how to abide by them. Whether it is online webinars or in-person classes, security awareness is critical for stopping cyber attackers and gaining the most from IT general controls.

Use IT general controls strategically

Take a step back and consider the ultimate goals for IT general controls. Then, build out processes to execute strategies for achieving these objectives. This ensures that the organization uses IT general controls optimally on an ongoing basis.

Use IT general controls to protect against cybersecurity threats and reduce risk

IT general controls provide the structure and strategies needed to protect digital assets and supporting systems from cybersecurity threats and facilitate risk mitigation efforts. Taking the time to understand the nuances of IT general controls means that they are easier to implement and maintain. Organizations that prioritize IT general controls see risks reduced and overall cyber security improved. 

You might also be interested in: