Information Technology General Controls, popularly called ITGCs, refer to the set of controls such as policies,
procedures, and technologies that an organization puts in place to ensure the confidentiality, integrity, and
availability of its information and IT systems.
An ITGC review is an assessment of these controls to determine their effectiveness in protecting the organization’s
information and IT systems.
A comprehensive ITGC review typically covers the following areas:
- Access Management/Control: These are the controls in place to ensure that users do not have access
  privileges beyond those required to perform their assigned duties, since excessive rights may violate the
  segregation of duties principle and/or the least privilege principle. This control area covers the following:
  - User Access Creation: This is the control in place to ensure that the right access is granted to
    joiners/new hires on the systems, e.g., management’s approval prior to granting system access to
    new or modified users.
  - User Access Revocation: These are the procedures implemented by organizations to ensure that leavers’
    access is revoked/removed from the system in a timely manner after their exit date. For instance,
    HR sends the leaver listing to the IAM (Identity and Access Management) team a few days before the
    actual exit date for the prompt removal of access.
  - User Access Review: This involves the periodic review of the privileges assigned to users on the system
    to ensure that access remains appropriate. Most organizations do this on a quarterly basis by
    sending the list of users on the system, alongside the privileges and/or roles mapped to them, to
    their respective line managers to review for appropriateness. Depending on the line managers’
    response, user access is maintained, revoked or modified.
  - Password Management: This is a control put in place by organizations to ensure that access is
    authenticated through unique user IDs and passwords, or other methods specified by the
    organization’s password policy, as a mechanism for validating that users are authorized to gain
    access to the system. Password parameters such as minimum length, complexity, expiration,
    account lockout, etc. are configured to mitigate inappropriate access to the systems.
  - Privileged Access Restriction: This control ensures that privileged access is restricted to specific
    users. For instance, granting privileged-level access/rights such as security administrator rights is
    restricted to a selected few in the IAM team and may require additional approval beyond what is
    needed for granting other access to the system.
  - Logging and Monitoring: This involves the logging and monitoring of users’ activities on core
    applications, especially the activities performed by users with privileged-level access, for any
    suspicious or unauthorized activity. Most organizations log all activities but only monitor those
    carried out by users who have privileged-level access. Monitored activities may include those that
    involve a change to code, configurable data, etc.
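As an added illustration (not part of the original article), the following Python script shows how a reviewer might test two of the access management controls above on constructed sample data: leaver access revocation against an assumed 5-day SLA, and privileged access restriction against an assumed list of IAM team accounts. The user IDs, the SEC_ADMIN role name and all dates are made up.

```python
from datetime import date, timedelta

# Constructed sample data; user IDs, roles and dates are made up for the example.
HR_LEAVERS = {                       # user ID -> exit date from the HR leaver listing
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
    "bkhan": date(2024, 4, 2),
}
SYSTEM_ACCOUNTS = [                  # extract of the application's user listing
    {"uid": "jdoe",    "status": "disabled", "disabled_on": date(2024, 3, 2),  "roles": ["AP_CLERK"]},
    {"uid": "asmith",  "status": "active",   "disabled_on": None,              "roles": ["AP_CLERK", "SEC_ADMIN"]},
    {"uid": "bkhan",   "status": "disabled", "disabled_on": date(2024, 4, 20), "roles": ["GL_VIEW"]},
    {"uid": "clee",    "status": "active",   "disabled_on": None,              "roles": ["SEC_ADMIN"]},
    {"uid": "iam_ops", "status": "active",   "disabled_on": None,              "roles": ["SEC_ADMIN"]},
]
PRIVILEGED_ROLES = {"SEC_ADMIN"}     # assumed name of the security administrator role
IAM_TEAM = {"iam_ops"}               # assumed: the only accounts allowed to hold privileged roles
REVOCATION_SLA = timedelta(days=5)   # assumed SLA for removing a leaver's access after exit


def revocation_exceptions(leavers, accounts, sla=REVOCATION_SLA):
    """Leavers whose access is still active, or was removed later than the SLA allows."""
    by_uid = {a["uid"]: a for a in accounts}
    findings = []
    for uid, exit_date in leavers.items():
        acct = by_uid.get(uid)
        if acct is None:
            continue                                  # account already deleted: nothing to report
        if acct["status"] != "disabled":
            findings.append((uid, "still active after exit"))
        else:
            delay = acct["disabled_on"] - exit_date
            if delay > sla:
                findings.append((uid, f"disabled {delay.days} days after exit"))
    return findings


def privileged_access_exceptions(accounts, privileged=PRIVILEGED_ROLES, allowed=IAM_TEAM):
    """Active accounts holding a privileged role outside the approved IAM group."""
    return sorted(a["uid"] for a in accounts
                  if a["status"] == "active"
                  and privileged & set(a["roles"])
                  and a["uid"] not in allowed)


if __name__ == "__main__":
    for uid, why in revocation_exceptions(HR_LEAVERS, SYSTEM_ACCOUNTS):
        print(f"Revocation exception: {uid}: {why}")
    for uid in privileged_access_exceptions(SYSTEM_ACCOUNTS):
        print(f"Privileged access exception: {uid}")
```

In a real review the two inputs would be the HR leaver listing and a system-generated user extract for the period, and each exception would be followed up with the IAM team for an explanation or a remediation date.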
- Change Management: This is a process implemented by organizations to control and manage changes to IT
systems, infrastructure, and software. The aim of change management is to ensure that changes are properly
planned, tested, implemented, and reviewed in a controlled and predictable manner, with minimal
disruption to IT services. The standard change management process typically involves the following steps:
a. Change request and assessment
b. Impact analysis and risk assessment
c. Change planning and scheduling
d. Change implementation
e. Change testing and validation
f. Change release and deployment
g. Change evaluation and review.
For the change management review as part of an ITGC review, the following are to be considered:
  - Segregation of Environments: It is expected that the test, development, and production environments
    are segregated such that the development of new changes is carried out in the development environment,
    change testing and validation are performed in the test environment, and changes are released into the
    production/live environment only after they have been tested. It is also important to ensure that access
    to implement changes into the application’s live environment is restricted and segregated
    appropriately from the development environment.
  - Software Development and Maintenance: This involves evaluating the controls over software
    development and deployment to ensure that applications are secure and meet the organization’s
    standards. Different organizations implement different controls, such as raising a detailed
    BRS (Business Requirement Specification) consisting of ‘As is’ and ‘To be’ process flows that is
    reviewed by management/stakeholders before development, ensuring that testing and
    validation are done, and obtaining the approval of the change advisory board before deploying changes
    into the production environment. Some applications, such as ServiceNow, can track the change
    management process end to end.
  - Change Testing and Validation: The control that has been put in place to ensure that changes made
    to the application are appropriately tested and approved before being moved into the production
    environment.
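The following Python check is an added example (not from the article) of how the change management controls above can be tested against a constructed extract of change records: test evidence, developer/tester separation, change advisory board approval before deployment, and segregation of development from production deployment. The field names, the RELEASE_TEAM membership and the change IDs are assumed.

```python
from datetime import datetime

# Constructed sample of change records, shaped like an export from a change-tracking tool.
# All IDs, account names and timestamps are made up for the example.
RELEASE_TEAM = {"ops1", "ops2"}      # assumed: the only accounts allowed to deploy to production

CHANGES = [
    {"id": "CHG-1001", "developer": "dev1", "tester": "qa1", "test_evidence": True,
     "cab_approved": datetime(2024, 5, 2, 10), "deployed": datetime(2024, 5, 3, 9), "deployer": "ops1"},
    {"id": "CHG-1002", "developer": "dev2", "tester": "dev2", "test_evidence": True,
     "cab_approved": datetime(2024, 5, 6, 11), "deployed": datetime(2024, 5, 6, 8), "deployer": "ops2"},
    {"id": "CHG-1003", "developer": "dev3", "tester": "qa1", "test_evidence": False,
     "cab_approved": None, "deployed": datetime(2024, 5, 9, 17), "deployer": "dev3"},
]


def review_change(chg, release_team=RELEASE_TEAM):
    """Return the ITGC exceptions for one change record (an empty list means no exception)."""
    issues = []
    if not chg["test_evidence"]:
        issues.append("no test evidence")
    if chg["tester"] == chg["developer"]:
        issues.append("developer tested own change")
    if chg["cab_approved"] is None:
        issues.append("no CAB approval")
    elif chg["deployed"] < chg["cab_approved"]:
        issues.append("deployed before CAB approval")
    if chg["deployer"] == chg["developer"]:
        issues.append("developer deployed own change")     # dev/prod segregation broken
    if chg["deployer"] not in release_team:
        issues.append("deployer not in release team")
    return issues


def review_changes(changes):
    """Map change ID -> list of exceptions, keeping only changes with at least one."""
    return {c["id"]: issues for c in changes if (issues := review_change(c))}


if __name__ == "__main__":
    for change_id, issues in review_changes(CHANGES).items():
        print(change_id, "->", "; ".join(issues))
```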
- Computer Operations: This involves backup and recovery, IT disaster recovery, incident management and
  - Backup and Recovery: This is the process of creating and storing copies of data, and periodically restoring the
    backed-up data to test its recoverability and readability. This test is very
    important as it would guarantee that the backed-up data can be restored should there be an
    actual need for it (disaster, data loss, system downtime, etc.).
    The main steps involved in backup and recovery are:
    - Backup: Creating and storing duplicate copies of data on different media such as external
      hard drives, cloud storage, or tapes.
    - Recovery: The process of restoring the backed-up data to its original state or to a new
      location in case of data loss due to hardware failure, software corruption, natural disasters,
      or other reasons.
    There are different backup and recovery strategies, such as full backup, incremental backup, and
    differential backup, each with its own benefits and drawbacks. Whatever the strategy, it is very important to
    regularly test recovery procedures to ensure that the backup data is usable and recoverable in case
    of an emergency.
    Other things to consider in backup and recovery are:
    - Backup scheduling: Frequency of the backup, time of day or hour the backup is done, etc.
      This usually depends on the data’s RTO and RPO.
    - Recovery methods: The recovery method deployed by the organization; this can be
      restoration from backup, a disaster recovery plan, etc.
    - Data verification: The process deployed by the organization for checking backup data for
      accuracy and completeness.
  - Incident Management: Incidents are mainly defined as unplanned events that disrupt normal
    operations, while incident management is the process of detecting, responding to, and resolving
    incidents. Below are the steps most organizations have deployed for managing incidents so as to
    accord the appropriate attention to them:
    - Incident detection: The process the organization has put in place for identifying an incident; this
      can be through monitoring systems or user reports.
    - Incident classification: Incidents can be categorized by severity, impact, and type. Most incident
      management applications assign different levels, ranging from 1 to 5, to severity and impact, with 1
      being low and 5 being critical.
    - Incident prioritization: Priority is assigned to incidents based on the classification (type, severity,
      and impact), as this determines the order in which incidents will be addressed.
    - Incident escalation: Defining the escalation path in the incident management process, such as
      involving the appropriate team and/or support or expert resources if necessary for prompt
    - Incident resolution: This is the step that involves fixing the incident’s root cause and restoring
      normal operations with minimal or no outage, i.e. investigating and resolving incidents, often
      through collaboration with other teams.
    - Incident documentation and reporting: Recording details of the incident and creating reports for
      analysis and improvement. A key part of the activity performed here is the review of
      incident management processes and improving them to prevent similar incidents in the
      future. The documentation can also be referenced should a similar incident occur in the future.
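As an added example covering the backup and recovery controls described under Computer Operations (not part of the original article), this Python script evaluates a constructed backup job history and restore-test log against an assumed 24-hour RPO and an assumed quarterly restore-test interval, reporting the kind of exceptions a reviewer would raise. The job records, dates and checksum results are made up.

```python
from datetime import datetime, timedelta

# Constructed backup job history and restore-test records; nothing here comes from a real system.
RPO = timedelta(hours=24)                    # assumed recovery point objective for this dataset
RESTORE_TEST_INTERVAL = timedelta(days=90)   # assumed: a verified restore test is expected at least quarterly
AS_OF = datetime(2024, 6, 10, 9, 0)          # assumed review date

BACKUP_JOBS = [
    {"finished": datetime(2024, 6, 7, 2, 0),  "type": "full",        "status": "success"},
    {"finished": datetime(2024, 6, 8, 2, 0),  "type": "incremental", "status": "success"},
    {"finished": datetime(2024, 6, 9, 2, 0),  "type": "incremental", "status": "failed"},
    {"finished": datetime(2024, 6, 10, 2, 0), "type": "incremental", "status": "failed"},
]
RESTORE_TESTS = [
    {"date": datetime(2024, 2, 15), "status": "success", "checksum_match": True},
    {"date": datetime(2024, 5, 20), "status": "success", "checksum_match": False},  # restored, but data verification failed
]


def backup_exceptions(jobs, tests, as_of=AS_OF, rpo=RPO, interval=RESTORE_TEST_INTERVAL):
    """Backup and recovery findings for the review period, in the order they are checked."""
    findings = []
    good_backups = [j["finished"] for j in jobs if j["status"] == "success"]
    if not good_backups:
        findings.append("no successful backup on record")
    elif as_of - max(good_backups) > rpo:
        findings.append(f"last good backup is {as_of - max(good_backups)} old, beyond RPO of {rpo}")
    # Count failed jobs since the most recent success: repeated failures should have been remediated.
    failed_streak = 0
    for job in sorted(jobs, key=lambda j: j["finished"], reverse=True):
        if job["status"] == "success":
            break
        failed_streak += 1
    if failed_streak >= 2:
        findings.append(f"{failed_streak} consecutive failed backups not remediated")
    # A restore test only counts if the restore succeeded and the restored data verified.
    verified = [t["date"] for t in tests if t["status"] == "success" and t["checksum_match"]]
    if not verified or as_of - max(verified) > interval:
        findings.append("no successful, verified restore test within the test interval")
    return findings


if __name__ == "__main__":
    for finding in backup_exceptions(BACKUP_JOBS, RESTORE_TESTS):
        print("Backup exception:", finding)
```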
The review of all the aforementioned processes and controls is considered an ITGC review, and the objective of
performing this review is to identify any weaknesses or gaps in the organization’s IT controls and to provide
recommendations for improvement.