Overview of IT General Controls (ITGC)

Jul 17, 2024

Introduction to ITGC

  • Definition: Internal controls for making IT systems more secure, reliable, and effective.
  • Purpose: Crucial for business compliance (e.g., COBIT framework and Sarbanes-Oxley Act).
  • Best Practices: Even if compliance isn't required, ITGC offers best practices for IT operations.

ITGC Framework

  • Categories of Controls:
    1. Access to Programs and Data
    2. Program Changes
    3. Computer Operations
    4. Program Development

Access to Programs and Data

  • Security Policy: Defines who can access data and at what level.
  • Principle of Least Privilege: Minimum necessary access for users.
  • AAA Framework: Authentication, Authorization, and Auditing (the CISSP version of the model also lists Identification and Accounting).
    • Importance of processes for adding/removing access and regular revalidation.
    • Additional checks for administrators.
    • Monitoring for invalid logins.
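The access controls listed above, as an added example that is not from the original post: a small Python check that turns three of them (removing access for people no longer on the roster, the additional check for administrators, and monitoring for invalid logins) into evidence an ITGC review could collect. The HR roster, account export, log lines and the failed-login threshold are all constructed assumptions.

```python
# Added example (not from the original post); all data below is constructed.
from collections import Counter

# Constructed HR roster: who is still employed.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed account export from an application: user -> (role, mfa_enabled)
ACCOUNTS = {
    "alice": ("admin", True),
    "bob": ("user", False),
    "carol": ("admin", False),  # admin without the extra check
    "dave": ("user", True),     # left the company, never deprovisioned
}

# Constructed auth log lines in a syslog-like form.
AUTH_LOG = """\
auth: FAILED login user=bob src=10.0.0.5
auth: FAILED login user=bob src=10.0.0.5
auth: OK login user=alice src=10.0.0.9
auth: FAILED login user=bob src=10.0.0.5
auth: FAILED login user=bob src=10.0.0.5
auth: FAILED login user=bob src=10.0.0.5
auth: FAILED login user=nobody src=203.0.113.7
""".splitlines()

FAILED_LOGIN_THRESHOLD = 5  # assumed policy threshold that triggers a review

def revalidate_access(accounts, active_staff):
    """Accounts to remove: holders who are no longer on the HR roster."""
    return sorted(u for u in accounts if u not in active_staff)

def admins_missing_mfa(accounts):
    """Admin accounts lacking the additional check (MFA) the policy requires."""
    return sorted(u for u, (role, mfa) in accounts.items() if role == "admin" and not mfa)

def flag_invalid_logins(log_lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Count FAILED logins per user; return the users at or above the threshold."""
    failures = Counter()
    for line in log_lines:
        if " FAILED login " not in line:
            continue
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        failures[fields.get("user", "?")] += 1
    return {u: n for u, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print("remove:", revalidate_access(ACCOUNTS, ACTIVE_STAFF))
    print("admins without MFA:", admins_missing_mfa(ACCOUNTS))
    print("failed-login review:", flag_invalid_logins(AUTH_LOG))
```

In a real review the roster and account export would come from HR and the application owner, and the three result lists are the evidence kept for the control.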

Program Changes

  • Policy Requirements: Defines processes to ensure changes don’t risk availability or security.
    • Hardware/software changes, upgrades, bug fixes, in-house code development.
    • Each change is assessed for its performance and security impact (e.g., a change to multi-factor authentication).
  • Approval Process: Reviews and approves changes, including emergency patches.
    • In-house code reviewed by others.

Computer Operations

  • System Maintenance: Involves physical access and data integrity.
    • Input from both IT and Security policies.
    • Monitoring system availability and security issues.
    • Fixed job scheduling.
    • Data center management (redundant power, cooling, access control).
    • Backup and recovery systems (verification and data restoration).
    • Disaster recovery plans for site unavailability.

Program Development

  • Software Development: Internal and third-party software/systems.
    • Starts with policies on implementation.
    • Controls from supplier selection to service acquisition and maintenance.
    • Development methodology and full software development lifecycle for in-house and third-party systems.

Implementation and Review

  • Process: Initial assessment, documentation, evidence collection, and review.
  • Repetition: Regular reviews as systems change or periodically.
    • Different systems may need varying review rates.

Conclusion

  • Summary: Quick overview of IT General Controls and their importance.
  • Future Content: More cybersecurity videos to come.
  • Call to Action: Like, subscribe, and click notification icon for updates.