2. HISTORY
In October 2001, when the Enron scandal broke, Enron was an energy
brokerage company and, at the time, one of the largest companies in the
world by market capitalization.
As a result of this scandal, Enron was declared bankrupt and Arthur
Andersen was liquidated.
This event led to the creation of a regulation in the United States called
the Sarbanes-Oxley Act (SOX) that aimed to protect investors by
improving the accuracy and reliability of information provided by
companies.
The proliferation of IT General Controls, or ITGCs, is in part a response
to this problem. Implementing these controls is a regulatory obligation
for large companies, whose financial statements are now audited
annually.
3. INTRODUCTION
Information Technology General Controls (ITGCs) dictate how technology
is used in an organization. ITGCs help prevent breaches, data theft, and
operational disruptions.
ITGCs influence everything from user account creation, to password
management, to application development. They prescribe how new
software is set up, who the admins are, how the system is tested and
implemented, and when security and software updates should take
place.
ITGCs, a type of internal control, are a set of policies that ensure the
effective implementation of control systems across an organization.
ITGC audits help an organization verify that its ITGCs are in place and
functioning correctly, so that risk is properly managed.
4. Types of ITGC Controls
I. Physical and Environmental Security - Data centers must be
protected from unplanned environmental events and from unauthorized
access that could compromise normal operations. Access to data
centers is usually controlled by keypad access, biometric access
technologies, or proximity cards. These techniques enable
single-factor or multi-factor authentication.
II. Logical Security - All company employees require access to digital
assets, but they do not require the same type of privileges. When
providing stakeholders with access to company assets, administrators
should apply the least privileges principle, and supply exactly the
level of access needed to perform the responsibilities of a certain
role.
III. Backup and Recovery - To maintain normal operations, organizations
must establish backup and recovery strategies and practices. It is
critical to protect resources, including data, business processes,
databases, virtual machines (VMs), and applications. There is a wide
range of backup and recovery options available, including
cloud-based services, on-premises systems, and hybrid solutions.
IV. Incident Management - Organizations should establish continuous
incident management practices and tooling that enable them to
constantly monitor the environment, receive alerts on anomalous
events, and rapidly respond to threats. However, since systems tend
to generate many false-positive alerts, it is critical to set up
automated processes that prioritize and validate incidents before
notifying human teams.
V. Information Security - The term "information security" refers to all
practices, processes, and tools used to protect a company's
information assets and systems. It is critical to implement
standardized forms of information security to ensure that information
remains secure and protected. This typically involves processes that
prevent data loss of all types, including data theft, exfiltration,
corruption, and accidental modification, as well as processes that
protect against known cyber threats and techniques, and strategies
for dealing with unknown and zero-day attacks.
7. Components of ITGC Implementation
There are three main components of ITGC implementation:
1) People - People are a critical part of an ITGC project. Because of
the complexity of ITGC, it is necessary to build a deep understanding
of the control framework among all relevant peers.
2) Process - As IT and business systems become more integrated, ITGC
processes must meet the needs of the entire organization, not just
the IT department.
3) Technology - Automation can significantly improve the ITGC process
and reduce human error. Workflows can be used to automate existing
controls such as creating user accounts and reviewing logs for
anomalous activity.
8. ITGC Compliance Frameworks
ITGC is a subsection of the larger IT controls space. To achieve the
highest level of compliance, companies lean on three overarching
frameworks to inform their ITGCs:
Committee of Sponsoring Organizations (COSO) Framework
Control Objectives for Information Technology (COBIT) framework
ISO 27001 framework
9. CONCLUSION
The implementation and proper functioning of these controls are
essential to protect companies from the following risks:
Reputational (data leak).
Operational (the information system is unavailable).
Financial (fraud).
Compliance (in the event of control failures, the accounts may not be
certified).