What are IT General Controls and why do we need them?
IT applications are a core part of almost everything in an enterprise company today. From human resources to finance, operations, sales, marketing, and R&D, everyone is dependent and almost addicted to various solutions that help them do their job.
IT General Controls are a set of internal controls that help ensure that an organization is properly implementing sets of controls across its environment in an effort to ensure proper risk management and risk mitigation.
The scope of what is included in an ITGC framework is often adopted from public standards such as COSO, COBIT by ISACA or the NIST 800-34. The ITGC frameworks will be adopted and implemented to properly meet the requirements of an ITGC audit, which is conducted by an external party. The ITGC audit will measure the effectiveness of the IT general controls that were put in place. Monitoring these controls through internal ITGC audits as well as 3rd party audits will ensure that the policies were properly implemented and that necessary adjustments are made over time to match the organization’s business environment which is ever changing and evolving.
ITGC Control Frameworks often break down into objectives of principals which will touch several different areas of the organization. For example:
The people, process and tools used to protect informational assets in an organization. It is critical to adopt a risk management framework to both measure and to mitigate data breaches which could lead to data and credential theft, extortion, corruption of the data integrity, and inadvertent changes to data, as well as external threat actors looking to leverage zero days and advance techniques. A great resource to learn about the ever-changing threat landscape would be the MITRE ATT&CK framework.
Physical and Environmental Security
Data centers are susceptible to fires, earthquakes and many other disasters which could affect your data. Thinking about this ahead of time and having a backup which is not susceptible to the same risks at the same time is critical.
Backup and Recovery
Simply having a backup of your data is not enough. You need to first identify your assets and ensure they are all being backed-up regularly. Next, you need to have the right resources and tools in place to ensure that the backups are both protected and segregated from the source, and that they are also accessible in a time of need. Backups can happen both locally and in the cloud, with a strong preference to cloud over recent years, although we’ve seen many incidents where backups to the cloud were also compromised in a breach or that the corrupted data was backed up, overwriting non corrupted backups and leaving no clean set of data to pull from.
Organizations are being attacked daily. In today’s modern and remote enterprise environment, you can’t operate under the assumption “Will I be breached” but rather you must always ask “When will I be breached”. As such, it is critical to ensure that incident response practices are in place. The difference between a complete and utter disaster to a minor bump in the road could be the comprehensiveness of this plan. A solid incident response plan will ensure there are automated processes in place to remove false positives, and that there is an escalation plan that will make sure that each incident gets the proper attention necessary, with clear pre-defined processes to handle each escalation stage.
So how do you get started with IT General Controls testing?
Picking your framework would be the first step. This will allow leadership, as well as internal and external ITGC auditors to align around a set of rules that everyone agrees on. Next, you will need to scope out what part of the framework you will be adopting. For example, trying to adopt the entire COBIT framework at once would be too large of an undertaking for most enterprises in one shot, and would certainly be too much for mid to smaller companies.
Once you’ve scoped out the ITGC framework of choice, you can begin the risk assessment, where you will survey people, processes, and tools to measure the effectiveness of the controls in place. After completing the assessment, you’ll be left with a list of gaps to remediate. Creating a prioritized and tiered remediation plan is key. Remediation plans can become overwhelming very quickly, so assigning a level of importance and an owner to each open gap will help you mitigate the gaps quickly and efficiently.
IT General Controls is a critical part of running an organization. Establishing these practices early on will help the organization grow in a safer and lower risk environment, allowing the organization to focus on their key business objectives. Governance, risk and compliance are areas that many organizations ignore in their early days, and they don’t always pick the right tools to accompany them as they grow as an organization. As soon as a real life incident affects your organization, and it will, the difference between a well implemented ITGC practice could be the difference between success and failure.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days