Whether employees know it or not, IT has a tremendous effect on their everyday working lives.
IT is essentially the lifeblood of a company, ensuring employees’ laptops work, procuring and installing the applications employees need to do their jobs, and instituting and upholding rules to help the company stay compliant.
But how does the IT team accomplish those tasks in a standardized, secure way?
The answer lies in IT General Controls. IT General Controls, or ITGCs, are a set of directives that govern how an organization’s systems operate. Yet, knowing what ITGCs are and how they work in practice isn’t always straightforward.
In this post, we’ll explain what ITGCs are, share examples of how they work in practice, and review the compliance frameworks that serve as their foundation.
Information Technology General Controls Definition
Information Technology General Controls (ITGCs) dictate how technology is used in an organization. ITGCs help prevent breaches, data theft, and operational disruptions.
ITGCs influence everything from user account creation, to password management, to application development. They prescribe how new software is set up, who the admins are, how the system is tested and implemented, and when security and software updates should take place.
Because ITGCs specify certain security protocols, they also impact vendor procurement. Applications that cannot uphold ITGCs put companies’ data at risk, so investors and auditing firms may review ITGCs to ensure companies achieve and maintain regulatory compliance.
One important thing to note is that Information Technology General Controls are not the same as application controls. ITGCs govern the use of all systems within a company, from ERPs to servers, directory platforms, and project management tools. Application controls restrict what users can do within one particular platform, and typically these permissions are configured directly within that application and pertain to specific features or use cases.
ITGCs can take on many forms, but most fall under a few distinct categories. Let’s review each in detail.
General IT Administration
Most ITGCs fall under the “general IT” umbrella. General IT controls may refer to how IT systems are managed, who oversees those systems, where the IT roadmap is going, how and when to conduct risk assessments, and what best practices IT projects should follow.
ITGCs in this group may also refer to overall security measures like email filtering, firewalls, antivirus software, and routine pen testing. In this age of remote work, general IT administration may apply to corporate-owned device (COD) and bring your own device (BYOD) policies as well.
ITGCs should include various methods of preventing unauthorized access and data manipulation. Coupling robust password management with a least-privilege access policy can substantially lower the chances of a successful cyberattack. Full disk encryption is also a common access-related ITGC because it protects the data on a device even when the device is powered off. So if a device is stolen, the drive cannot be read without the proper recovery key. Access-related ITGCs may also entail quarterly or annual inventory audits to pinpoint the most valuable data and reevaluate the controls designed to protect it.
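An access review is the kind of recurring check that turns the controls above into evidence. The following script is an added example, not code from the original post or from JumpCloud: it runs over a constructed directory export and device inventory (the account names, device ids and field names are assumptions) and flags admins without MFA, dormant accounts, shared accounts, and devices whose full disk encryption is off or whose recovery key was never escrowed.

```python
from datetime import date

# Constructed sample directory export (not real data): one record per user account.
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True, "shared": False,
     "last_login": date(2024, 5, 30), "devices": ["lt-001"]},
    {"user": "bob", "admin": True, "mfa": False, "shared": False,
     "last_login": date(2024, 5, 28), "devices": ["lt-002"]},
    {"user": "carol", "admin": False, "mfa": True, "shared": False,
     "last_login": date(2024, 1, 10), "devices": ["lt-003"]},
    {"user": "svc-backup", "admin": True, "mfa": False, "shared": False,
     "last_login": date(2024, 5, 31), "devices": []},
    {"user": "frontdesk", "admin": False, "mfa": False, "shared": True,
     "last_login": date(2024, 5, 31), "devices": ["lt-004"]},
]

# Constructed device inventory: encryption state as reported by each endpoint agent.
DEVICES = {
    "lt-001": {"fde": True, "recovery_key_escrowed": True},
    "lt-002": {"fde": True, "recovery_key_escrowed": False},
    "lt-003": {"fde": False, "recovery_key_escrowed": False},
    "lt-004": {"fde": True, "recovery_key_escrowed": True},
}


def review_access(accounts, devices, today, max_inactive_days=90):
    """Return (user, finding) pairs for every control violation found.

    Checks, in order per account: privileged access without MFA, accounts
    dormant longer than max_inactive_days, shared accounts (no individual
    accountability), and the encryption state of each assigned device.
    """
    findings = []
    for acct in accounts:
        if acct["admin"] and not acct["mfa"]:
            findings.append((acct["user"], "admin without MFA"))
        if (today - acct["last_login"]).days > max_inactive_days:
            findings.append((acct["user"], "inactive account still enabled"))
        if acct["shared"]:
            findings.append((acct["user"], "shared account: no individual accountability"))
        for dev_id in acct["devices"]:
            dev = devices[dev_id]
            if not dev["fde"]:
                findings.append((acct["user"], f"{dev_id}: full disk encryption off"))
            elif not dev["recovery_key_escrowed"]:
                # Encrypted, but a lost password means a lost device without escrow.
                findings.append((acct["user"], f"{dev_id}: recovery key not escrowed"))
    return findings


def run_review(today=date(2024, 6, 1)):
    """Run the review against the constructed data with a fixed review date."""
    return review_access(ACCOUNTS, DEVICES, today)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

The review date is fixed so the result is reproducible; in a real run it would be `date.today()` and the input would come from the directory's export API. Each finding maps to a control an auditor will ask about, which is what makes this output useful as evidence rather than just a report.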
System Life Cycle Controls
There’s a reason why applications, systems, and networks have updates: releases contain new features or patch existing vulnerabilities. When users don’t regularly update their programs, they do themselves a disservice and put their companies at risk of an attack. That’s why many ITGCs focus on forcing regular updates and consistent monitoring of an organization’s applications, systems, and network service-level commitments.
To that end, companies often weave ITGCs into the procurement process, asking vendors to supply a Service Organization Controls Report (SOC), and assessing whether extra controls are required to keep data safe and secure. Many companies also implement patch management tools to automatically deploy patches to the operating systems, browsers, and applications that are behind schedule.
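"Behind schedule" only means something once a patch SLA is written down. The script below is an added example, not code from the original post or from JumpCloud: it compares a constructed endpoint inventory against a constructed catalogue of latest releases (product names, versions and severities are made up) and lists every device that has missed the deployment window for its severity.

```python
from datetime import date

# Constructed patch SLA: days allowed between a release and its deployment, by severity.
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "moderate": 30}

# Constructed catalogue of the latest available release per product (not real versions).
LATEST = {
    "os-desktop": {"version": "12.4", "released": date(2024, 5, 20), "severity": "critical"},
    "browser":    {"version": "124.0", "released": date(2024, 5, 1), "severity": "high"},
    "pdf-reader": {"version": "9.2", "released": date(2024, 4, 1), "severity": "moderate"},
}

# Constructed endpoint inventory: product versions reported by each device agent.
INVENTORY = [
    {"device": "lt-001", "os-desktop": "12.4", "browser": "124.0", "pdf-reader": "9.2"},
    {"device": "lt-002", "os-desktop": "12.3", "browser": "124.0", "pdf-reader": "9.1"},
    {"device": "lt-003", "os-desktop": "12.4", "browser": "123.0", "pdf-reader": "9.2"},
]


def parse_version(version):
    """Turn '12.4' into (12, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def overdue_patches(inventory, latest, sla_days, today):
    """Return one record per (device, product) that is past its patch SLA.

    A device is merely "behind" while the SLA window is still open; it is
    reported only once the window has closed without the release installed.
    """
    overdue = []
    for dev in inventory:
        for product, release in latest.items():
            installed = dev.get(product)
            if installed is None:
                continue  # product not present on this device
            if parse_version(installed) >= parse_version(release["version"]):
                continue  # already current
            days_since_release = (today - release["released"]).days
            allowed = sla_days[release["severity"]]
            if days_since_release > allowed:
                overdue.append({
                    "device": dev["device"],
                    "product": product,
                    "installed": installed,
                    "required": release["version"],
                    "severity": release["severity"],
                    "days_overdue": days_since_release - allowed,
                })
    return overdue


def run_patch_check(today=date(2024, 6, 1)):
    """Run the check against the constructed data with a fixed reference date."""
    return overdue_patches(INVENTORY, LATEST, PATCH_SLA_DAYS, today)


if __name__ == "__main__":
    for item in run_patch_check():
        print(f"{item['device']} {item['product']}: {item['installed']} -> "
              f"{item['required']} ({item['severity']}, {item['days_overdue']} days overdue)")
```

Sorting the output by `severity` and `days_overdue` gives the deployment queue a patch management tool should work through first, and the same function run weekly gives the trend an auditor will ask for.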
Physical and Environmental Security Controls
When we think of hackers, we often think of a person behind a computer, but that’s not always the case. Unfortunately, people with ill intent sometimes enter an office to wreak havoc, so it’s important to define and consistently test physical security controls, like key badge entry to sensitive areas and intrusion detection systems.
Data Protection and Recovery Controls
Accidents, natural disasters, or cyberattacks can happen anytime, and without backup or recovery plans in place, companies can lose significant data. Most companies enact ITGCs to minimize data loss through database segregation, automated backups, and business continuity plans. ITGCs may also incorporate regular testing of these configurations and plans to confirm their effectiveness and make adjustments as needed.
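A backup that exists but was never restored is not yet a recovery control. The script below is an added example, not code from the original post or from JumpCloud: it evaluates a constructed backup job log and restore-test register (system names, dates and policy values are made up) against a per-system recovery point objective and a maximum age for the last successful restore test, counting only successful backup runs.

```python
from datetime import date

# Constructed backup job log (not real data): one entry per completed run.
BACKUP_RUNS = [
    {"system": "erp-db", "finished": date(2024, 5, 31), "ok": True},
    {"system": "erp-db", "finished": date(2024, 5, 30), "ok": True},
    {"system": "file-share", "finished": date(2024, 5, 25), "ok": False},  # failed run
    {"system": "file-share", "finished": date(2024, 5, 24), "ok": True},
    {"system": "hr-app", "finished": date(2024, 5, 31), "ok": True},
]

# Constructed register of the last successful restore test per system; hr-app has none.
RESTORE_TESTS = {"erp-db": date(2024, 4, 15), "file-share": date(2024, 1, 5)}

# Constructed policy: recovery point objective and restore-test cadence, in days.
POLICY = {
    "erp-db":     {"rpo_days": 1, "restore_test_days": 90},
    "file-share": {"rpo_days": 1, "restore_test_days": 90},
    "hr-app":     {"rpo_days": 7, "restore_test_days": 180},
}


def check_recovery_controls(runs, tests, policy, today):
    """Return (system, finding) pairs for each system outside its recovery policy.

    Only runs flagged ok count toward the RPO: a failed job leaves the previous
    good copy as the real recovery point. A system with no recorded restore
    test is reported separately from one whose test has simply gone stale.
    """
    findings = []
    for system, rule in policy.items():
        good_runs = [r["finished"] for r in runs if r["system"] == system and r["ok"]]
        if not good_runs:
            findings.append((system, "no successful backup on record"))
        else:
            age = (today - max(good_runs)).days
            if age > rule["rpo_days"]:
                findings.append((system, f"last good backup {age} days old, RPO is {rule['rpo_days']}"))
        last_test = tests.get(system)
        if last_test is None:
            findings.append((system, "restore never tested"))
        else:
            test_age = (today - last_test).days
            if test_age > rule["restore_test_days"]:
                findings.append((system, f"restore test {test_age} days old, limit is {rule['restore_test_days']}"))
    return findings


def run_recovery_check(today=date(2024, 6, 1)):
    """Run the check against the constructed data with a fixed reference date."""
    return check_recovery_controls(BACKUP_RUNS, RESTORE_TESTS, POLICY, today)


if __name__ == "__main__":
    for system, finding in run_recovery_check():
        print(f"{system:12} {finding}")
```

The point of separating "never tested" from "test is stale" is that the first is a missing control and the second is a control that has lapsed; both matter, but they are remediated differently.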
ITGC Compliance Frameworks
ITGCs are a subset of the larger IT controls space. To achieve the highest level of compliance, companies lean on three overarching security frameworks to inform their ITGCs.
The Committee of Sponsoring Organizations (COSO) Framework integrates controls into everyday business processes that validate ethical and transparent operations. COSO has five requirements:
- Control environments to uphold industry-standard practices and reduce organizations’ legal exposure
- Control activities to make sure tasks are carried out in a way that minimizes risk and accomplishes business objectives
- Information and communications that help stakeholders understand and comply with legal requirements, such as privacy regulations
- Monitoring by internal and/or external auditors to ensure employees are following existing controls
- Risk assessment and management to identify and mitigate as many risks as possible
While these components are fairly vague, COSO has published detailed requirements for ESG, AI, and cloud computing-focused companies to observe corresponding regulations in those fields.
The IT Governance Institute established the Control Objectives for Information Technology (COBIT) framework to outline recommended ITGC objectives and approaches. The basic premise behind COBIT is that IT processes should satisfy specific business requirements to streamline operations and safeguard enterprise data. The five key COBIT principles are:
- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
In the United States, the COBIT framework is used to achieve compliance with the Sarbanes-Oxley Act (SOX).
ISO 27001 is a framework related to information security and change management. More specifically, ISO 27001 sets out policies and procedures to lessen the legal, physical, and technical risks associated with implementing, monitoring, reviewing, maintaining, and improving an information security management system. ISO 27001 uses a top-down approach, with six steps to attain compliance:
- Define a security policy
- Define the scope of the information security management system
- Conduct a risk assessment
- Manage identified risks
- Select control objectives and controls to be implemented
- Prepare a statement of applicability
By meeting the requirements of ISO 27001, companies show customers that they take security seriously and conform to industry standards.
How JumpCloud Can Strengthen Your IT General Controls
ITGCs are essential for any business, but especially for enterprise organizations. Without ITGCs, companies of all sizes struggle with compliance, operational, and security issues. Not only do these problems drain IT departments of their time and energy, they also put businesses’ reputations at risk. Enacting ITGCs keeps everyone on track, forcing them to uphold and work from a single source of truth while protecting an organization’s invaluable data.
But developing and sustaining them is easier said than done. Fortunately, JumpCloud’s capabilities make IT control management a breeze. Working from a “trust nothing, verify everything” principle, JumpCloud’s Zero Trust security model allows IT teams to oversee user access to applications, files, networks, devices, and more, all from an open directory platform. JumpCloud is easy to implement, works with existing multi-factor authentication (MFA) protocols companies may already have, and helps meet SOC, HIPAA, GDPR, and PCI compliance requirements.
Learn more about JumpCloud’s approach to compliance today.