Information Technology: General Controls/Application Controls (ITGC/ITAC)
By: Edris Ahmady
Introduction
It often gets confusing trying to figure out how an organization manages its information technology assets. If I were to tell you that it would have to implement a framework, a common question that pops up would be: okay, what did it do before the framework was implemented? That is where ITGC and ITAC come in. In essence, ITGCs and ITACs are a low-level form of management in which organizations put controls in place to secure and manage their information technology assets. Usually, organizations have ITGCs and ITACs first, then implement a larger, more established framework that eventually influences and changes the existing controls. If you continue on (which I encourage you to do), you will get a better understanding of what ITGCs and ITACs are and their purpose, and hopefully you will gain an understanding of the role they play in the larger landscape of information technology security and management.
What are Information Technology General Controls (ITGC)?
Information Technology General Controls (ITGCs) are essentially a set of guidelines that outline how information technology is used and kept secure within an organization. Their goal is to ensure IT assets are properly implemented and maintained within their respective environments. They are also very important to IT auditors, since reviewing them provides helpful insight into an organization's IT infrastructure. ITGCs can come in many forms, but some of the most common are Access Controls, System Lifecycle Controls, Physical Environment Controls, and Data Protection and Recovery Controls. Finally, keep in mind that ITGCs are generally a low-level concept; organizations tend to implement established frameworks such as COBIT to influence their IT general controls.
Access Controls: A set of controls put in place to mitigate unauthorized access to systems or information. These controls consist of anything from revoking an employee's access to company resources after termination, to reviewing prior authorizations and revoking or granting access to individuals on a need-to-know basis.
System Lifecycle Controls: Controls put in place to ensure the management of an organization's systems. This may include updates to an organization's hardware, software, or existing processes. Doing so secures an organization's ability to maintain a solid level of security and mitigate risk as much as possible.
Physical Environment Controls: A set of controls put in place for the management and security of physical assets. This may involve physical barriers and safeguards such as security guards, special access entry points, or surveillance cameras. Controls of this nature ensure the physical security of an organization's physical assets, such as office buildings or data centers.
Data Protection and Recovery Controls: A set of controls put in place to manage and safeguard the handling, processing, and integrity of an organization's data assets. Controls for data protection and recovery involve having a curated data recovery process, storing copies of your data in multiple locations, and encrypting batch jobs or data processes in line with the latest data encryption best practices.
What are Information Technology Application Controls (ITAC)?
Information Technology Application Controls are similar to General Controls in that both are used by auditors to get an understanding of an organization's IT infrastructure. The key difference, though, is that Application Controls apply strictly to the software applications an organization utilizes. Additionally, each application in use will have its own controls accompanying it, which is another key difference between ITAC and ITGC. Finally, the control areas that ITAC focuses on are the input, processing, and output functions (IPO). This means that ITAC mainly focuses on the completeness and validity of data recorded within applications throughout the application's lifecycle.
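The input, processing, and output control areas described above, shown as an added example that is not from the article: a small Python batch job over constructed timesheet records, with a record-count check on the batch and per-field validation (input), exception logging so no record is silently dropped (processing), and a reconciliation of the report's control totals before release (output). The record layout, field names, and the batch header are assumptions made for this illustration.

```python
# Added example, not from the article: a batch job that applies input,
# processing and output controls (the ITAC "IPO" areas) to constructed data.
# Constructed input: two valid records, one missing emp_id, one non-numeric.
RAW_RECORDS = [
    {"emp_id": "E001", "hours": "40", "rate": "25.00"},
    {"emp_id": "E002", "hours": "38", "rate": "30.00"},
    {"emp_id": "", "hours": "45", "rate": "22.00"},
    {"emp_id": "E004", "hours": "abc", "rate": "28.00"},
]
# Constructed batch header from the sending system: how many records it sent.
BATCH_HEADER = {"record_count": 4}

def validate_record(rec):
    """Input control, record level: completeness and validity of each field."""
    errors = [] if rec.get("emp_id") else ["emp_id missing"]
    for field in ("hours", "rate"):
        try:
            value = float(rec[field])
        except (KeyError, ValueError):
            errors.append(f"{field} not numeric")
            continue
        if value < 0 or (field == "hours" and value > 80):
            errors.append(f"{field} out of range")
    return errors

def process_batch(records, header):
    """Batch-level input control (count check), then the processing control:
    every record is accepted or logged as an exception, never silently dropped."""
    if len(records) != header["record_count"]:
        return {"status": "rejected"}  # batch incomplete or padded in transit
    detail, exceptions = [], []
    for rec in records:
        errors = validate_record(rec)
        if errors:
            exceptions.append({"emp_id": rec.get("emp_id"), "errors": errors})
        else:
            pay = round(float(rec["hours"]) * float(rec["rate"]), 2)
            detail.append({"emp_id": rec["emp_id"], "gross_pay": pay})
    return {"status": "processed", "detail": detail, "exceptions": exceptions,
            "input_count": len(records),
            "control_total": round(sum(d["gross_pay"] for d in detail), 2)}

def verify_output(report):
    """Output control: control figures must reconcile with the report lines."""
    if report["status"] != "processed":
        return False
    recomputed = round(sum(d["gross_pay"] for d in report["detail"]), 2)
    lines = len(report["detail"]) + len(report["exceptions"])
    return recomputed == report["control_total"] and lines == report["input_count"]
```

The exceptions list is the audit trail an auditor would expect to see alongside the control totals: it shows which input records were rejected and why, rather than letting them vanish from the output.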