What Are ITGC Controls and Why are They Important


The information technology (IT) environment is very dynamic. As technologies change, so too do the requirements for controls. ITGCs are controls that apply to all systems, components, processes, and data for a given organization or data center. The main objective of ITGCs is to ensure the proper development and implementation of applications and the integrity of programs, data files, and computer operations.

Most companies have an organizational structure responsible for establishing policies and procedures related to ITGCs in an information technology environment. Depending on company size, this may be one position or many positions consolidated into one role with multiple responsibilities. Those who establish an organization’s ITGCs must stay up-to-date with industry changes that affect ITGCs. This is done by obtaining education and/or training, networking with peers, reading industry publications, and attending seminars and workshops. There are even software packages that can monitor ITGCs in real time.

The increased use of computers makes it necessary to have controls in place that are effective and efficient for the business to use daily. ITGCs allow companies to limit access privileges to information technology components. They can help prevent problems such as unauthorized personnel gaining access to confidential data files or financial records, viruses infecting the system, or damage to parts of the operating system. Great care should be taken when designing these types of controls because they affect an organization’s daily operations.

Some common ITGCs are:

Logical Access Controls Over Infrastructure, Applications, and Data

This control protects the mainframe, servers, workstations, application software, and related data. Controls are established to limit access privileges to programs, files, records/data files in logical storage media.

Monitoring of Access to Programs and Data Files

This is an important control because it requires that all changes made or attempted on a computer program/system be tracked when users make them. After this information is collected, it needs to be analyzed for any malicious activities.
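As an added illustration of this monitoring control (example code written for this article, not part of the original), the script below reviews a constructed audit trail of change attempts and flags the records an analyst would want to look at: a successful change by an account that is not authorized for that object, a change to the audit trail itself, and repeated denied change attempts from one account. The log format, the account names, the object names, and the authorization matrix are all assumptions made up for the example.

```python
"""Added example (not from the article): reviewing a constructed audit
trail for change attempts that an ITGC monitoring control should flag."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit records: timestamp|user|action|object|result
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:12:03|alice|MODIFY|payroll.cfg|SUCCESS
2024-03-01T09:15:44|bob|READ|gl_ledger.dat|SUCCESS
2024-03-01T23:41:10|carol|MODIFY|payroll.cfg|SUCCESS
2024-03-01T23:42:02|dave|MODIFY|gl_ledger.dat|DENIED
2024-03-01T23:42:09|dave|MODIFY|gl_ledger.dat|DENIED
2024-03-01T23:42:15|dave|MODIFY|gl_ledger.dat|DENIED
2024-03-02T10:05:30|alice|DELETE|audit_trail.log|SUCCESS
"""

# Assumed authorization matrix: which accounts may change which objects.
AUTHORIZED_CHANGERS = {
    "payroll.cfg": {"alice"},
    "gl_ledger.dat": {"bob"},
}
PROTECTED_OBJECTS = {"audit_trail.log"}   # the trail itself must never be altered
CHANGE_ACTIONS = {"MODIFY", "DELETE"}
DENIED_THRESHOLD = 3                       # repeated denials worth a closer look


@dataclass(frozen=True)
class Finding:
    user: str
    obj: str
    reason: str


def parse_audit_log(text):
    """Split the pipe-delimited records into dictionaries, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, result = line.split("|")
        records.append({"ts": ts, "user": user, "action": action,
                        "obj": obj, "result": result})
    return records


def review_audit_log(text):
    """Return the list of findings an analyst should review."""
    findings = []
    denied = Counter()
    for r in parse_audit_log(text):
        if r["action"] in CHANGE_ACTIONS and r["result"] == "DENIED":
            denied[(r["user"], r["obj"])] += 1
        # Only successful change actions are checked against the matrix.
        if r["action"] not in CHANGE_ACTIONS or r["result"] != "SUCCESS":
            continue
        if r["obj"] in PROTECTED_OBJECTS:
            findings.append(Finding(r["user"], r["obj"],
                                    "change to protected audit object"))
        elif r["user"] not in AUTHORIZED_CHANGERS.get(r["obj"], set()):
            findings.append(Finding(r["user"], r["obj"],
                                    "successful change by unauthorized account"))
    for (user, obj), n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(Finding(user, obj, f"{n} denied change attempts"))
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.user:6} {f.obj:16} {f.reason}")
```

Reads by authorized users produce no finding; the control is about changes made or attempted. In practice the authorization matrix would come from the access-provisioning records rather than a literal in the script, so that the monitoring control and the logical access control are reconciled against the same source.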

System Development Life Cycle Controls

System development life cycle (SDLC) controls establish standards that ensure all efforts to implement, modify, or maintain ITGCs are properly recorded and authorized before implementation. This control also ensures that controls are implemented as intended and that changes receive proper approval.

Physical Access Controls

This control provides physical barriers to prevent unauthorized personnel from accessing computer components such as servers, workstations, printers/plotters, storage media. If these potential threats cannot be eliminated, the next best thing is limiting access privileges.

Program Change Management Controls

Program change management (PCM) is responsible for controlling and monitoring changes to each program that affect computer operations. These controls are just a few of many that can be implemented in an organization’s IT environment. Other examples include controls over network access, security administration, database administration, mainframe administration, printer/plotter access privileges, and system configuration.
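Both the SDLC control and program change management rest on the same check: every change that reaches production must be traceable to a recorded and approved change. The following script, added here as an example and not taken from the article, reconciles a constructed deployment log against constructed change records and reports the exceptions an auditor would raise: a deployment with no change record at all, a record that belongs to a different program, and a change implemented before anyone approved it. The change identifiers, program names, and record fields are assumptions for the example.

```python
"""Added example (not from the article): reconcile changes actually deployed
against approved change records, as a PCM/SDLC control check."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    program: str
    approved_by: Optional[str]   # None means the change was never approved
    implemented: bool


# Constructed deployment log: (program, change_id cited at deployment time)
DEPLOYED: List[Tuple[str, str]] = [
    ("payroll", "CHG-101"),
    ("ledger", "CHG-102"),
    ("invoicing", "CHG-999"),    # no matching change record exists
]

# Constructed change register
CHANGE_RECORDS = [
    ChangeRecord("CHG-101", "payroll", "cab-manager", True),
    ChangeRecord("CHG-102", "ledger", None, True),         # deployed, never approved
    ChangeRecord("CHG-103", "hr", "cab-manager", False),   # approved, not yet deployed
]


def reconcile(deployed, records):
    """Return (program, change_id, reason) for every deployment that fails the check."""
    by_id = {r.change_id: r for r in records}
    exceptions = []
    for program, change_id in deployed:
        rec = by_id.get(change_id)
        if rec is None:
            exceptions.append((program, change_id, "no change record"))
        elif rec.program != program:
            exceptions.append((program, change_id, "record is for a different program"))
        elif rec.approved_by is None:
            exceptions.append((program, change_id, "implemented without approval"))
    return exceptions


def approved_but_not_deployed(deployed, records):
    """Approved changes that never reached production (useful for completeness testing)."""
    deployed_ids = {change_id for _, change_id in deployed}
    return [r.change_id for r in records
            if r.approved_by is not None and r.change_id not in deployed_ids]


if __name__ == "__main__":
    for program, change_id, reason in reconcile(DEPLOYED, CHANGE_RECORDS):
        print(f"{program:10} {change_id:8} {reason}")
    print("approved, not deployed:", approved_but_not_deployed(DEPLOYED, CHANGE_RECORDS))
```

The reconciliation runs in both directions: deployments without approval are the control failure, while approved changes that never shipped are not failures but tell the reviewer whether the register is being kept current.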

Data Center Physical Security Controls

Physical security controls are implemented to maintain the confidentiality, integrity, and availability of ITGCs. Controls that ensure physical security include perimeter barriers, alarms, surveillance systems, locks on doors and windows, and outdoor warning devices.

IT Operations Controls

These controls focus on the individuals responsible for operating the information technology infrastructure and its control procedures. The many tasks performed by this group include:

  • Establishing standards for utilization of infrastructure resources (equipment).
  • Implementing change management procedures.
  • Ensuring backups are properly completed.

Network Access Controls

This control grants access rights to users attempting to gain network access. Authentication is required before granting privileges, which are determined by an individual’s role or function. This ensures that only authorized personnel have access to the information in the company’s databases.
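The two-step sequence described above, authenticate first and then grant only the privileges the role allows, is shown in the following example, written for this article and not taken from it. Passwords are stored as salted PBKDF2 hashes and compared in constant time; the privilege catalogue is a simple role-to-privilege map. The user names, passwords, roles, and privilege names are all constructed for the example.

```python
"""Added example (not from the article): authenticate a user, then grant
only the database privileges that the user's role permits."""
import hashlib
import hmac
import os

# Assumed role catalogue: what each role may do against the database.
ROLE_PRIVILEGES = {
    "analyst": {"READ"},
    "dba": {"READ", "WRITE", "SCHEMA_CHANGE"},
}


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is a conservative choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user_record(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user directory (in practice this comes from the identity store).
USERS = {
    "alice": make_user_record("correct horse battery", "analyst"),
    "bob": make_user_record("staple-7-octopus", "dba"),
}


def authenticate(username, password):
    """Return the user's role on success, or None on failure."""
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for unknown names so response time does not
        # reveal which user names exist.
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return rec["role"]
    return None


def authorize(role, privilege):
    """Privileges are derived from the role, never from the request itself."""
    return privilege in ROLE_PRIVILEGES.get(role, set())


def request_access(username, password, privilege):
    """The network access control in one call: authenticate, then authorize."""
    role = authenticate(username, password)
    if role is None:
        return "denied: authentication failed"
    if not authorize(role, privilege):
        return f"denied: role '{role}' lacks {privilege}"
    return f"granted: {privilege} as {role}"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery", "READ"))
    print(request_access("alice", "correct horse battery", "WRITE"))
    print(request_access("bob", "wrong password", "READ"))
```

Note that the refusal messages for a wrong password and for an unknown account are identical: the control should tell the requester only that access was denied, while the full reason goes to the audit log that the monitoring control reviews.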

Final Thoughts

These general controls are just examples of the many that can be implemented to ensure security in today’s information technology environment. If companies take the time to review their ITGCs and compare them against current standards, they will find areas where improvement is needed. Immediate review of all established standards is important so that no unauthorized changes are made to them, which could potentially cause damage to an organization’s infrastructure. It is also important for businesses to continually create a more secure IT environment, because hackers are always finding new methods for gaining access to sensitive data.