Getting Back to I&T Basics: Over the past twelve months, YHB has been assessing, preparing for, and will soon be implementing significant changes to our audit software. This new software will drastically change how we conduct and document our audits. It offers built-in AI analysis, several types of automated processes, integrated client collaboration, and more. I have seen a few changes in my decade-plus career, but this will no doubt be the biggest change since YHB went from paper audits to digital back in the early 2000s.
Change can be terrifying, especially when it is significant. In the IT realm, change comes swiftly, and those who fail to keep up expose themselves to increased security risk. Despite the need to keep pace with emerging threats through sophisticated tools and software, it is the tried-and-true basic IT controls that ultimately provide the most security: passwords, administrator management, anti-virus software, patch management, and so on. The methods for applying these controls have evolved over the years; however, their basic premise has remained much the same since computers came into widespread use.
If you’ve been following along, you’re already familiar with laying the groundwork for a solid information and technology strategy. In our first article, we explored the foundations—IT governance, strategic planning, and crafting a comprehensive IT policy framework. In the second article, we turned our attention to putting up the pillars through managing IT risks and dealing effectively with third-party risk management. With these essential building blocks in place, we are now ready to dive into the next practical step: starting to give your risk mitigation strategies some teeth by creating an IT General Controls (ITGC) framework.
Why an ITGC Framework?
Let’s start by briefly discussing why the order matters. Imagine you’re building a house. Governance and strategic planning were your architectural blueprints; IT policies, your detailed construction instructions; and risk management, your structural engineering guidelines. The ITGC framework represents the nuts, bolts, wiring, and plumbing that keep everything operationally sound and running smoothly.
IT General Controls are critical because they ensure that your organization’s technology infrastructure is reliable, secure, and properly maintained. Without effective ITGCs, organizations are vulnerable to fraud, data breaches, compliance issues, or even operational chaos. No business wants to spend precious time putting out technology fires rather than driving growth.
What Are IT General Controls, Anyway?
Simply put, IT General Controls are the controls applied broadly across the IT environment. They encompass controls over your IT systems, processes, and data management practices that support overall system security, availability, data integrity, and regulatory compliance. Unlike specific application controls, which deal with individual software programs, ITGCs cover the entire IT landscape and typically fall into a few core areas:
- Access Controls
- Change Management
- System Development and Maintenance
- Operations Management
Let’s break each one down and explore how you can build controls effectively in your organization.
Step-by-Step Guide to Building Your ITGC Framework
Step 1: Access Controls—Keeping Your Digital Doors Locked
Access controls manage who can access systems and data within your organization. Think of them as the locks on your doors and your security system—controlling entry and exit while ensuring only authorized individuals enter sensitive spaces.
Key considerations for strong access controls include:
- Identity Access Management: Ensure proper procedures for setting up, maintaining, and removing employee and third-party user accounts.
- Authentication Practices: Implement secure log-in measures such as strong passwords, multi-factor authentication (MFA), or a Zero Trust security model.
- Role-Based Access Control (RBAC): Assign permissions based on defined roles within your company so that each user has access only to what’s necessary. This concept is commonly referred to as the principle of least privilege.
- Periodic Reviews: Regularly review user access rights to prevent “access creep,” where users accumulate more permissions than they need.
Practical Tips for User Access Reviews:
- Conducting periodic user access reviews can be daunting when you have more systems than you can count. To ensure the workload remains manageable, risk assess your systems and applications. Reviews should then be performed at a frequency commensurate with the assessed risk. The higher the risk, the more frequent the review.
- User access reviews should confirm whether the user is still an active employee or vendor, and verify that the assigned privileges are consistent with that user’s job responsibilities.
- Administrator accounts are an obvious place to start, but do not overlook service accounts. These accounts often carry elevated privileges and are easy to overlook, which makes them attractive for internal abuse or external exploitation.
- Include file share and NTFS permissions for important data storage areas, such as accounting or HR network shares, in your review.
- Consider the completeness and accuracy of your data. Do the reports provided include all user accounts? Does your listing of terminations cover the entire period since the previous review?
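The review steps above, turned into a reconciliation a practitioner could run over a system’s account export. This is an added example, not part of the original article: the account data, HR listings, role-to-privilege baseline, and risk tiers are all constructed.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): one system's account export,
# HR's active-user list, and the termination list HR supplied for this review.
ACCOUNTS = [
    {"user": "jsmith", "type": "user", "role": "AP Clerk", "privs": {"ap_entry"}},
    {"user": "mlee", "type": "user", "role": "AP Clerk", "privs": {"ap_entry", "ap_approve"}},
    {"user": "rdoe", "type": "user", "role": "Controller", "privs": {"ap_entry", "gl_post"}},
    {"user": "svc_backup", "type": "service", "role": "", "privs": {"domain_admin"}},
]
HR_ACTIVE = {"jsmith", "mlee"}                      # active employees and vendors
TERMINATIONS = {"rdoe": date(2024, 3, 15)}          # user -> termination date
TERMINATION_LIST_COVERS = (date(2024, 2, 1), date(2024, 6, 30))  # span of HR's report
REVIEW_PERIOD = (date(2024, 1, 1), date(2024, 6, 30))  # previous review to today

# Least-privilege baseline: what each job role legitimately needs (assumed)
ROLE_PRIVS = {"AP Clerk": {"ap_entry"}, "Controller": {"ap_entry", "ap_approve", "gl_post"}}
ELEVATED = {"domain_admin", "local_admin"}
# Review frequency commensurate with the system's assessed risk (assumed tiers)
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


def review_due(risk: str, last_review: date, today: date) -> bool:
    """True when the system's access review is overdue for its risk tier."""
    return today - last_review > timedelta(days=REVIEW_INTERVAL_DAYS[risk])


def review_access(accounts, hr_active, terminations, coverage, period):
    """Reconcile an account export against HR data; return (user, issue) findings."""
    findings = []
    # Completeness check: the termination listing must span the whole review period
    if coverage[0] > period[0] or coverage[1] < period[1]:
        findings.append(("*", "termination listing does not cover the full review period"))
    for acct in accounts:
        user = acct["user"]
        if acct["type"] == "service":
            # Service accounts are easy to overlook; elevated ones get an explicit finding
            if acct["privs"] & ELEVATED:
                findings.append((user, "elevated service account: confirm owner and need"))
            continue
        if user in terminations:
            findings.append((user, f"still enabled after termination on {terminations[user]}"))
        elif user not in hr_active:
            findings.append((user, "no matching active employee or vendor in HR data"))
        else:
            excess = acct["privs"] - ROLE_PRIVS.get(acct["role"], set())
            if excess:
                findings.append((user, f"privileges beyond role '{acct['role']}': {sorted(excess)}"))
    return findings
```

Running `review_access(ACCOUNTS, HR_ACTIVE, TERMINATIONS, TERMINATION_LIST_COVERS, REVIEW_PERIOD)` on the sample data flags the incomplete termination listing, the clerk with approval rights, the terminated controller, and the elevated service account, while the correctly provisioned clerk produces no finding.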
Step 2: Change Management—Control Your Technology Evolution
Change management ensures technology changes (e.g., updates, patches, enhancements, new implementations) are effectively planned, tested, approved, and documented. Without solid change management controls, your organization could experience cyber incidents, disruptions in operations, or worse due to unintended consequences of system changes.
Key elements of robust change management include:
- Formalized Change Requests: Establish clear procedures for initiating change requests, defining responsibilities and requirements, developing rollback procedures, and obtaining approvals.
- Change Approval Boards (CABs): Utilize committees or groups of stakeholders responsible for approving significant changes.
- Testing Procedures: Require comprehensive testing for each change before deployment to production environments.
- Documentation and Audit Trails: Maintain detailed records of changes made, including justification, testing results, approvals, and implementation outcomes.
Practical Tips for Change Control Processes:
- Changes are generally classified into four categories: routine/recurring, minor, major, and emergency. Whatever terms you end up using, be sure to clearly define them.
- Create workflows for each type of change. This will create a well-structured process and help limit bottlenecks.
- Leverage your helpdesk ticketing system by digitizing the entire process, from submission to approval. If you do go this route, create a standard naming convention or ticket type. This will make identifying changes easy. (Your auditor will thank you!)
- Implement systematic segregation of duties controls. Developers should not conduct the QA testing, and ideally, neither party should migrate code into production.
- Use multiple environments such as Development, Test, Staging, and Production. Restrict developers’ access to upper environments and limit testers’ access to lower environments. Additionally, be cautious when using production data in development and testing settings.
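The change control tips above, expressed as an exception report an auditor could run over a helpdesk export. This is an added example and not the article’s own material: the ticket records, the `CHG-` naming convention, and the approval values are constructed assumptions.

```python
import re

CHANGE_TYPES = {"routine", "minor", "major", "emergency"}
# Assumed naming convention so change tickets can be identified among other tickets
TICKET_PATTERN = re.compile(r"^CHG-\d{4}-\d{4}$")

# Constructed sample tickets (not from the article), as exported from a helpdesk system
TICKETS = [
    {"id": "CHG-2024-0101", "type": "minor", "developer": "alice", "tester": "bob",
     "migrator": "carol", "tested": True, "rollback": "revert build 41", "approvals": ["it_manager"]},
    {"id": "CHG-2024-0102", "type": "major", "developer": "alice", "tester": "alice",
     "migrator": "alice", "tested": True, "rollback": "", "approvals": ["it_manager"]},
    {"id": "INC-2024-0777", "type": "emergency", "developer": "dave", "tester": "erin",
     "migrator": "carol", "tested": False, "rollback": "restore snapshot", "approvals": []},
]


def check_ticket(t):
    """Return the list of control exceptions for one change ticket."""
    issues = []
    if not TICKET_PATTERN.match(t["id"]):
        issues.append("ticket id does not follow the change naming convention")
    if t["type"] not in CHANGE_TYPES:
        issues.append(f"unknown change type {t['type']!r}")
    # Segregation of duties: developer, tester and migrator should be different people
    if t["developer"] == t["tester"]:
        issues.append("developer performed QA testing")
    if t["migrator"] in (t["developer"], t["tester"]):
        issues.append("developer or tester migrated the change to production")
    if not t["tested"]:
        issues.append("no testing evidence before production deployment")
    if not t["rollback"]:
        issues.append("no rollback procedure documented")
    if not t["approvals"]:
        issues.append("no approval recorded")
    elif t["type"] == "major" and "cab" not in t["approvals"]:
        issues.append("major change lacks Change Approval Board sign-off")
    return issues


def audit_changes(tickets):
    """Map ticket id to its exceptions, keeping only tickets that have findings."""
    results = {t["id"]: check_ticket(t) for t in tickets}
    return {tid: issues for tid, issues in results.items() if issues}
```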
Step 3: System Development and Maintenance—Keeping Your Digital Engine Healthy
At first glance this step looks like a continuation of the previous one, and that is not entirely inaccurate. In the last step we focused on establishing a controlled process for implementing changes; now we turn to the creation of the change itself. Step 3 will help you build controls around system development and maintenance so that software systems remain secure, stable, and aligned with business requirements. Good practices here prevent costly errors and downtime.
Consider these essential system development controls:
- System Development Life Cycle (SDLC): Clearly define the steps, responsibilities, and quality standards for developing or implementing software and systems.
- Secure Coding Standards: Set clear guidelines for secure coding practices, reducing vulnerabilities within applications.
- Quality Assurance (QA): Incorporate rigorous QA processes, including user acceptance testing, prior to system deployment.
- Patch and Vulnerability Management: Regularly apply security updates and monitor your systems for vulnerabilities or outdated components.
Practical Tips for Patching:
- Schedule regular internal and external vulnerability scans and add a penetration test once vulnerability management practices have solidified.
- Employ automated discovery tools to establish effective asset management practices. Creating a comprehensive hardware and software inventory is essential for identifying necessary patches.
- Set up automated alerts and reports for critical updates and security patches, ensuring nothing slips through unnoticed.
- Systematically enforce patching on endpoints so that users cannot indefinitely defer system updates.
- Make patch and vulnerability management reporting a standard part of the IT Steering (or similar) Committee’s agenda. This will help establish accountability and oversight for this process.
Step 4: Operations Management—Keeping IT Smooth and Reliable
Operations management is one mechanism for an organization to address availability and processing integrity risks. By establishing controls and clear procedures, it ensures IT infrastructure and processes remain stable and reliable. These controls keep day-to-day activities running smoothly, preventing disruptions and enabling swift recovery from unexpected incidents. Essential elements of effective operations management include:
- Job Scheduling and Processing: Implement automated processes for managing routine IT tasks and batch processing to avoid operational bottlenecks.
- Incident and Problem Management: Establish clear protocols for addressing IT incidents quickly, efficiently, and effectively.
- Backup and Recovery Procedures: Maintain comprehensive data backup processes with regular testing to ensure recoverability and efficacy.
- Capacity and Performance Monitoring: Regularly review and monitor your systems’ capacity and performance to anticipate and address issues proactively.
Practical Tips:
- Develop a simple checklist or dashboard to monitor critical IT processes regularly, ensuring operational risks are quickly identified and managed.
- Design your data backup schedule in accordance with the recovery point objectives set in your business impact analysis.
- Just like data backups, automated processes should be periodically tested to ensure continued accuracy and processing integrity.

Integrating ITGCs into Your Existing IT Governance and Risk Management Efforts
Your ITGC framework shouldn’t exist in isolation. Instead, it’s a natural extension of your previously established governance, strategic plans, and risk management activities. To seamlessly integrate your controls framework:
- Link your controls directly back to your IT policies and procedures. These should clearly align.
- Map the ITGCs to your identified IT risks. Controls should target and mitigate these risks.
- Continuously engage with stakeholders across the organization to build awareness and responsibility for controls.

Sustaining Your ITGC Framework—It’s a Marathon, Not a Sprint
Sadly, creating and implementing the control structure is not the end of the process. Think of your new ITGC framework like a puppy. Just as a puppy requires food, water, and exercise to thrive, so too do ITGCs. Instead of food, water, and exercise, though, ITGCs require ongoing monitoring, testing, improvement, and responsiveness to organizational changes.
Start by scheduling regular audits and reviews to maintain your ITGC framework’s effectiveness. These audits can identify gaps, weaknesses, or emerging threats, allowing controls to be modified proactively.
Next, build an education program. Educating your teams about the purpose, importance, and specifics of your ITGC framework can dramatically enhance compliance and operational effectiveness. Simple, clear communication ensures staff understand their roles and responsibilities in maintaining control effectiveness.
Finally, those charged with governance should be kept informed of the operating status of control activities. In larger organizations, this is generally the responsibility of the Board of Directors (or a designated sub-committee), while for smaller organizations this may fall to ownership or a specific member of senior management. Regardless of size, periodic reporting should include results of any audits, exception remediation strategies and status, as well as any planned improvements.

Common Pitfalls (and How to Avoid Them)
Even the best-intentioned organizations sometimes fall into common ITGC pitfalls. Here’s a quick snapshot of what to watch out for:
- Pitfall: Overly complex controls that lead to frustration and non-compliance.
Avoidance strategy: Keep controls practical, straightforward, and user-friendly.
- Pitfall: “Set-and-forget” attitude toward controls leading to outdated practices.
Avoidance strategy: Regularly revisit your controls as part of your business reviews and adapt them as needed.
- Pitfall: Poorly defined responsibilities causing confusion and compliance lapses.
Avoidance strategy: Clearly document roles and responsibilities to ensure accountability is transparent and understood.

Bringing It All Together
While it may seem straightforward, the complexity of your organization will affect the steps needed to build and sustain your IT General Controls framework. We’ve covered access controls, change management, system development and maintenance, and operations management. By integrating these controls into your governance structures and risk management plans, you will have established a resilient and adaptive IT ecosystem that supports organizational goals and mitigates risks effectively.
In this journey to return to basics, we have been progressively building stronger foundations: from strategic governance and policies; to risk and vendor management; and now comprehensive IT general controls. Each step brings clarity, strength, and resilience to our IT operations.
Join us next time as we focus on how to build strong business continuity management and incident response programs. Until then, remember: Good IT general controls are like deodorant—nobody notices when you use them, but everyone notices when you don’t.