Whether employees know it or not, IT has a tremendous effect on their everyday working lives.
IT is essentially the lifeblood of a company, ensuring employees’ laptops work, procuring and installing the applications employees need to do their jobs, and instituting and upholding rules to help the company stay compliant.
But how does the IT team accomplish those tasks in a standardized, secure way?
The answer lies in IT general controls. IT general controls, or ITGCs, are a set of directives that govern how an organization’s systems operate. Yet, knowing what ITGCs are and how they work in practice isn’t always straightforward.
In this post, we’ll explain what ITGCs are, share examples of how they work in practice, and review the compliance frameworks that serve as their foundation.
Definition of IT General Controls (ITGC)
ITGC, or IT general controls, are a set of policies and procedures that govern how a company’s IT systems operate and ensure the confidentiality, integrity, and availability of data.
These controls help prevent unauthorized access, data breaches, and operational disruptions. ITGC covers every aspect of IT, including software implementation, user account creation, and data management. Effective ITGC can improve the reliability and accuracy of financial reporting and reduce the risk of fraud. Companies are required to establish and maintain ITGC to comply with various regulatory requirements such as SOX, HIPAA, and PCI DSS.
One important thing to note is that Information Technology General Controls are not the same as application controls. ITGCs govern the use of all systems within a company, from ERPs to servers, directory platforms, and project management tools. Application controls restrict what users can do within one particular platform, and typically these permissions are configured directly within that application and pertain to specific features or use cases.
Importance of ITGC in Organizations
IT general controls are non-negotiable for companies that access, store, and leverage consumer data — particularly sensitive information, such as healthcare, financial, and personal records.
Without ITGC, companies are at a high risk of cybersecurity attacks and regulatory noncompliance, jeopardizing their ability to build trust with customers and sustain regular business operations. Proper ITGC implementation reduces the chances of an internal or external breach and noncompliance, protecting your organization’s reputation and safeguarding your customers’ information.
Examples and Key Components of ITGC
ITGCs can take on many forms, but most fall under a few distinct categories. Let’s review each in detail.
ITGCs should include various methods of preventing unauthorized access and data manipulation. Coupling robust password management with a least-privilege access policy can instantly lower the chances of a cyberattack. Full disk encryption is also a common access-related ITGC because it protects a device's storage while the device is powered off or at rest: if a device is stolen, the drive cannot be read without the proper recovery key. Access-related ITGCs may also entail quarterly or annual inventory audits to pinpoint the most valuable data and reevaluate the controls designed to protect it.
IT environments are always changing; new applications are added, others are removed, and some are updated to the newest release. Change management controls help companies document and authorize changes and perform a root cause analysis if something goes wrong. Most regulatory bodies dedicate an entire section of their audit to the effectiveness of your change management processes.
Data Backup and Recovery
Accidents, natural disasters, or cyberattacks can happen anytime, and without backup or recovery plans in place, companies can lose significant data. Most companies enact ITGCs to minimize data loss through database segregation, automated backups, and business continuity plans. ITGCs may also incorporate regular testing of these configurations and plans to confirm their effectiveness and make adjustments as needed.
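The "regular testing of these configurations and plans" point above is the part most teams skip. The script below is an added example, not code from the original post or from JumpCloud: it takes a backup of a constructed directory, records a SHA-256 manifest alongside it, then performs a restore drill and reports every file that is missing or whose hash no longer matches. The file names and contents are constructed for illustration.

```python
"""Backup with an integrity manifest plus an automated restore test.

Added example, not the post's own code. The directory layout and sample
files are constructed inline with tempfile so the drill runs anywhere.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, backup_root: Path) -> Path:
    """Copy src into backup_root/data and write manifest.json of file hashes."""
    shutil.copytree(src, backup_root / "data")
    manifest = {
        str(p.relative_to(src)): sha256_of(p) for p in src.rglob("*") if p.is_file()
    }
    (backup_root / "manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True)
    )
    return backup_root


def restore_and_verify(backup_root: Path, restore_to: Path) -> list:
    """Restore into restore_to and return (file, problem) pairs for every file
    that is missing or whose hash differs from the manifest. Empty = pass."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    shutil.copytree(backup_root / "data", restore_to, dirs_exist_ok=True)
    problems = []
    for rel, expected in manifest.items():
        target = restore_to / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(target) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def run_restore_test(tamper: bool = False) -> list:
    """End-to-end drill on constructed data; tamper=True simulates a backup
    that was altered or corrupted after it was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        backup = create_backup(src, tmp / "backup")
        if tamper:
            (backup / "data" / "config.ini").write_text("[app]\nmode=tampered\n")
        return restore_and_verify(backup, tmp / "restored")


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("tampered restore:", run_restore_test(tamper=True))
```

Scheduling `run_restore_test` (or its real-data equivalent) from the same job that produces the backup turns the continuity plan into something that is exercised on every run rather than assumed to work. Store the manifest separately from the data it describes so a single compromised location cannot rewrite both.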
When we think of hackers, we often think of a person behind a computer, but that’s not always the case. People with ill intent can also walk into an office to wreak havoc, so it’s important to define and consistently test physical security controls, like key badge entry to sensitive areas and intrusion detection systems.
IT Operation Controls
General IT controls may refer to how IT systems are managed, who oversees those systems, where the IT roadmap is going, how and when to conduct risk assessments, and what best practices IT projects should follow.
ITGCs in this group may also refer to overall security measures like email filtering, firewalls, antivirus software, and routine pen testing. In this age of remote work, general IT administration may apply to corporate-owned device (COD) and bring your own device (BYOD) policies as well.
Implementation of ITGC
Implementing multiple ITGCs at once can feel overwhelming. Breaking them down into more manageable pieces makes the process easier and decreases the chances of misconfiguration.
Planning and Scoping
First, you need to decide what types of IT general controls you want and need to implement. Consider what type of industry you’re in, what types of data you collect, store, and use, and where your customers are located.
Once you’ve narrowed down which ITGCs you want to achieve, estimate how long it will take to implement them. If you have a targeted end date, work backward to create a reasonable timeline for implementation, given the number of resources on your IT team, the existing tasks on their plate, and/or the bandwidth of your managed service provider (MSP).
Next, establish a baseline for each control. That involves an in-depth review of your current IT processes and tools to understand the controls you are already managing well and any additional security measures you may need to incorporate into your plan. Prioritize these new additions based on importance and inclusion in any upcoming audits you may need to pass.
Control Design and Implementation
Now that you know what controls you need, it’s time to start thinking about how to put those controls into practice. Controls can be proactive or reactive, and as their names suggest, proactive controls attempt to prevent adverse events or impacts, while reactive controls are corrective mechanisms when something goes wrong. Using proactive and reactive controls for each key area of your security program can help you cover your bases.
While some ITGCs are fairly universal and straightforward, some organizations may have more complex requirements based on the type of product they sell or services they offer. Working with an experienced auditing firm can help you design and customize the proper controls for your company.
Testing is critical. Be sure to thoroughly test each and every ITGC to verify that it accomplishes what it was designed to do. It’s a good idea to have several people test the same ITGC with different profiles to identify any abnormalities in how the control functions.
ITGC is not a one-and-done exercise. Be sure you have a process in place for continuously monitoring the controls you’ve implemented and fix any bugs or gaps as quickly as possible.
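The least-privilege control from the access section and the advice above to test a control with several different profiles fit together naturally. The following is an added example, not code from the original post or from JumpCloud: a deny-by-default role policy, an access decision function that writes every decision to an audit trail, and a test harness that runs a set of user profiles (including no-role and unknown-role cases) through the control and returns any outcome that differs from what the control design expects. The roles, resources and test profiles are constructed for illustration.

```python
"""Least-privilege access policy with a control-test harness.

Added example (not JumpCloud's code). The roles, resources and the
profiles in TEST_PROFILES are constructed for illustration.
"""
from dataclasses import dataclass, field

# Role -> set of (resource, action) pairs the role is allowed to perform.
# Anything not listed is denied: least privilege means deny by default.
ROLE_PERMISSIONS = {
    "finance": {("ledger", "read"), ("ledger", "write"), ("payroll", "read")},
    "engineer": {("repo", "read"), ("repo", "write"), ("ci", "read")},
    "auditor": {("ledger", "read"), ("payroll", "read"), ("repo", "read")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False


AUDIT_LOG: list = []  # in production these records would go to the SIEM


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Return True only if one of the user's roles explicitly grants the
    action and, for writes, the session has completed MFA. Every decision,
    allowed or denied, is appended to AUDIT_LOG."""
    granted = any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set()) for role in user.roles
    )
    if action == "write" and not user.mfa_verified:
        granted = False
    AUDIT_LOG.append((user.name, resource, action, "ALLOW" if granted else "DENY"))
    return granted


# Control test cases: (user profile, resource, action, expected outcome).
# Several profiles exercise the same control so that an abnormality in
# either direction (unexpected allow or unexpected deny) shows up.
TEST_PROFILES = [
    (User("alice", {"finance"}, mfa_verified=True), "ledger", "write", True),
    (User("bob", {"engineer"}, mfa_verified=True), "ledger", "read", False),
    (User("carol", {"auditor"}), "payroll", "read", True),
    (User("carol", {"auditor"}), "ledger", "write", False),
    (User("dave", set()), "repo", "read", False),  # no roles at all
    (User("erin", {"finance"}, mfa_verified=False), "ledger", "write", False),
    (User("frank", {"ghost"}), "repo", "read", False),  # role not in policy
]


def test_control(cases=TEST_PROFILES) -> list:
    """Run every profile through the control and return the cases whose
    observed outcome differs from the expected one (empty list = pass)."""
    failures = []
    for user, resource, action, expected in cases:
        observed = is_allowed(user, resource, action)
        if observed != expected:
            failures.append((user.name, resource, action, expected, observed))
    return failures


if __name__ == "__main__":
    failures = test_control()
    print("control passed" if not failures else f"abnormalities: {failures}")
    print(f"{len(AUDIT_LOG)} decisions written to the audit trail")
```

Keeping the expected outcomes in data rather than in code makes the harness reusable for the continuous-monitoring step: re-run it after every policy change and treat any non-empty result as a control failure to investigate.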
ITGC Compliance Frameworks
ITGC is a subsection of the larger IT controls space. To guarantee the highest level of compliance, companies lean on three overarching security frameworks to inform their ITGCs.
The Committee of Sponsoring Organizations (COSO) framework integrates controls into everyday business processes that validate ethical and transparent operations. COSO has five requirements:
- Control environments to uphold industry-standard practices and reduce organizations’ legal exposure.
- Control activities to make sure tasks are carried out in a way that minimizes risk and accomplishes business objectives.
- Information and communications that help stakeholders understand and comply with legal requirements, such as privacy regulations.
- Monitoring by internal and/or external auditors to ensure employees are following existing controls.
- Risk assessment and management to identify and mitigate as many risks as possible.
While these components are fairly vague, COSO has published detailed requirements for ESG, AI, and cloud computing-focused companies to observe corresponding regulations in those fields.
The IT Governance Institute established the Control Objectives for Information Technology (COBIT) framework to outline recommended ITGC objectives and approaches. The basic premise behind COBIT is that IT processes should satisfy specific business requirements to streamline operations and safeguard enterprise data. The five key COBIT principles are:
- Meeting stakeholder needs.
- Covering the enterprise end to end.
- Applying a single integrated framework.
- Enabling a holistic approach.
- Separating governance from management.
In the United States, the COBIT framework is used to achieve compliance with the Sarbanes-Oxley Act (SOX).
ISO 27001 is a framework related to information security and change management. More specifically, ISO 27001 sets out policies and procedures to lessen the legal, physical, and technical risks associated with implementing, monitoring, reviewing, maintaining, and improving an information security management system. ISO 27001 uses a top-down approach, with six steps to attain compliance:
- Define a security policy.
- Define the scope of the information security management system.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
By following ISO 27001 requirements, companies show customers that they take security seriously and conform to industry standards.
Security Concerns with ITGC
IT general controls lessen a company’s exposure to threats and potential compliance violations that can have devastating consequences on operations, reputation, and revenue.
Employees, partners, vendors, interns, and contractors can all be weak links in your company’s security. They may unwittingly fall for a social engineering attack or accidentally share classified information. Some may even intentionally create an unauthorized user account to access confidential files, or steal company IP to get ahead in a new role elsewhere. ITGCs that limit and monitor data movement can prevent malicious — and unintentional — insider threats.
The volume of cyberattacks isn’t showing signs of slowing. Hackers are constantly brainstorming new ways to access company data, whether it be through vulnerabilities in business applications, lateral movement, spreading ransomware, taking advantage of poor password management, or employee manipulation. Monitoring audit logs, installing antivirus software, and automatically installing updates are all ways to thwart external threats.
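"Monitoring audit logs" is only useful if something actually reads them. The script below is an added example, not code from the original post or from JumpCloud: it parses a handful of constructed sshd-style authentication lines, keeps a sliding window of failed logins per source address, raises a finding when a source crosses a failure threshold, and raises a second, higher-priority finding when a login from that source then succeeds. The log lines, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and thresholds are all constructed assumptions.

```python
"""Audit-log monitoring for failed-login bursts.

Added example (not from the original post). The log lines below are
constructed in an sshd-like format; the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one host hammered from 203.0.113.7, one normal user.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5221 ssh2
2024-05-01T09:00:03 sshd[101]: Failed password for invalid user root from 203.0.113.7 port 5222 ssh2
2024-05-01T09:00:04 sshd[101]: Failed password for jsmith from 203.0.113.7 port 5223 ssh2
2024-05-01T09:00:06 sshd[101]: Failed password for jsmith from 203.0.113.7 port 5224 ssh2
2024-05-01T09:00:08 sshd[101]: Failed password for jsmith from 203.0.113.7 port 5225 ssh2
2024-05-01T09:00:09 sshd[101]: Accepted password for jsmith from 203.0.113.7 port 5226 ssh2
2024-05-01T09:05:00 sshd[102]: Failed password for alice from 198.51.100.9 port 6001 ssh2
2024-05-01T09:05:10 sshd[102]: Accepted publickey for alice from 198.51.100.9 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text: str) -> list:
    """Turn matching lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def detect(log_text: str, threshold: int = 5, window_seconds: int = 300) -> list:
    """Return findings as tuples. A 'bruteforce' finding fires once when a
    source reaches `threshold` failures inside the window; a
    'success_after_bruteforce' finding fires if that source then logs in."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    findings = []
    for ev in parse(log_text):
        src, now = ev["src"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if (now - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            recent.append(now)
            if len(recent) == threshold:
                findings.append(("bruteforce", src, len(recent)))
        elif len(recent) >= threshold:
            findings.append(("success_after_bruteforce", src, ev["user"]))
        failures[src] = recent
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The second finding is the one worth paging on: a burst of failures alone is background noise on any internet-facing host, but a success from the same source inside the window is a strong signal that a password was guessed and the account should be reviewed.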
Compliance with Regulations
Most modern businesses must comply with at least one federal or global regulation. ITGC helps companies adhere to those rules and maintain compliance over time, avoiding hefty penalties that can result from noncompliance.
Benefits of ITGC
IT general controls give companies more than peace of mind. Let’s take a look at several concrete ways ITGCs benefit an organization.
Security is one of the main purposes of instituting IT general controls. Observing security frameworks will push your organization to adopt identity and access management (IAM) based on Zero Trust security principles, robust monitoring, encryption, and antimalware — all of which keep your data and your clients’ data safe.
Better Risk Management
ITGCs inherently mitigate the risk of insider and external threats by locking down endpoints like laptops, kiosks, and mobile devices, eliminating vulnerabilities in the applications people use every day, maintaining IAM best practices, and educating employees on the signs of a possible cyberattack.
Increased Compliance with Regulations
By leveraging frameworks like COSO, COBIT, and ISO 27001, companies can adequately prepare for an initial security and compliance audit. Perhaps more importantly, routinely reviewing and amending IT policies and best practices helps companies uphold industry mandates and standards over time.
Enhanced Business Continuity
During a security breach, everyday business tasks screech to a halt. In the days it takes companies to get the organization back up and running, they can lose hundreds of thousands of dollars in sales and productivity. Having ITGC in place reduces a company’s exposure to vulnerabilities, leaks, and other cyber threats that can interrupt business activity and hurt profitability.
Best Practices for ITGC Security
Bolstering organizational security should be at the top of IT teams’ priority lists. Here are a few best practices to consider:
- Employee training: Cyberattackers know that one misinformed employee can be the key to organization access and specifically design campaigns to get them to give up information. Making employees aware of cyber threats with regular security training, regularly testing their knowledge, and notifying them of new phishing or social engineering techniques can decrease the chances of a full-blown attack.
- Implementing key security frameworks: Following COSO, COBIT, and ISO 27001 principles aligns your company’s practices with globally defined security standards, helping you prepare for compliance audits, certifications, and other requirements for enterprise and government work.
- Making continuous updates: There’s a reason why applications, systems, and networks have updates: releases contain new features or patch existing vulnerabilities. When users don’t regularly update their programs, they do themselves a disservice and put their companies at risk of an attack. That’s why many ITGCs force regular updates and consistently monitor the organization’s applications, systems, and network service-level commitments.
- Weaving ITGC into procurement: Ask vendors to supply a Service Organization Controls (SOC) report and assess whether extra controls are required to keep data safe and secure. It’s also a good idea to implement patch management tools that automatically deploy patches to operating systems, browsers, and applications that are behind schedule.
How JumpCloud Can Strengthen Your IT General Controls
ITGCs are essential for any business, but especially for enterprise organizations. Without ITGCs, companies of all sizes struggle with compliance, operational, and security issues. Not only do these problems drain IT departments of their time and energy, they also put businesses’ reputations at risk. Enacting ITGCs keeps everyone on track, forcing them to uphold and work from a single source of truth while protecting an organization’s invaluable data.
But developing and sustaining them is easier said than done. Fortunately, JumpCloud’s capabilities make IT control management a breeze. Working from a “trust nothing, verify everything” principle, JumpCloud’s Zero Trust security model allows IT teams to oversee user access to applications, files, networks, devices, and more, all from an open directory platform. JumpCloud is easy to implement, works with existing multi-factor authentication (MFA) protocols companies may already have, and helps meet SOC, HIPAA, GDPR, and PCI compliance requirements. Learn more about JumpCloud’s approach to compliance today.