Complexity of the IT setup has greatly increased. This has resulted to a greater focus around controls in the IT environment. Information Technology General Controls (ITGC) are controls that govern how technology is designed, implemented, and used in an organization. They are the foundation of the overall IT control environment as they provide the assurance that systems operate as intended and that output is reliable. These basic controls can be applied to IT systems such as operating systems, databases, applications and supporting IT infrastructure to ensure the integrity of the data and processes that the systems support.
ITGC are the most important elements of IT Security and effective compliance. These controls include: Logical access controls over infrastructure, applications and data, System development life cycle controls, Program change management controls, Data center physical security controls, System and data backup and recovery controls and Computer operation controls. Technology that other parts of the enterprise use to do their jobs are governed by ITGC’s. For example, an organization might have applications that support human resource, finance, research, procurement, sales & marketing, and inventory. All those teams use their own IT applications and depend on certain ways of how the applications operate. Therefore, this arises the need to conduct assessment of the controls in place.
The IT General Controls assessment is performed by conducting an audit. An audit is the best way to get an objective and comprehensive analysis of the controls in place to manage technology risks and the overall risks to the enterprise. The first step of the assessment begins by identifying a compliance framework that includes all the standard ITGC risks and potential controls. Some of the standard frameworks that can be used are: ISO 27001, ISACA General Controls, COBIT, Deloitte GITC, COSO, NIST etc. One way to implement ITGC is use of ISO 27001 standard framework. For example, change management is an IT General Control; The ISO 27001 standard assists in the implementation of the change management control by outlining the best practices to be followed such as documenting a Change Management Policy. Additionally, the ISO 27002 Standard expounds on how Change Management may be implemented including the content of the Change Management Policy and the requirements of an effective change management process etc.
ISO 27001 is the international standard for information security that sets out the specification for an information security management system (ISMS). The standard’s best-practice approach helps organisations conduct a basic risk assessment, identify weaknesses in one’s ITGC’s and acts as a guide for performing IT security assessments. The standard has 10 management system clauses and 18 Annex A controls. The ten management clauses are: Scope, Normative references, Terms and definitions, Context, Leadership, Planning and risk management, Support, Operations, Performance evaluation and Improvement.
The 18 Annex A Control sets are:
- 5 Information security policies
- 6 Organization of information security
- 7 Human resource security
- 8 Asset management
- 9 Access control
- 10 Cryptography
- 11 Physical and environmental security
- 12 Operations security
- 13 Communications security
- 14 System acquisition, development, and maintenance
- 15 Supplier relationships
- 16 Information security incident management
- 17 Information security aspects of business continuity management
- 18 Compliance
The ISO 27001 standard has an added advantage over the other standards as one can get certified against it. The certification helps organizations stand out and have a competitive advantage over their competitors as it assures the clients that the controls in place are adequate, effective and secure.
Conclusion: IT General Controls are the foundation of the overall IT control environment. The controls govern how technology is designed, implemented, and used in an organization. ISO 27001 is one way of implementing the ITGC’s as it helps to conduct a basic risk assessment that assists in giving a comprehensive analysis of the controls in place to manage technology risks and identify weaknesses in those controls.