QUESTION 1

- IT general controls (ITGCs) are a set of rules and procedures that govern how a company's IT systems
operate and ensure the security of its data.
- ITGCs are essential for ensuring the integrity, confidentiality, and availability of data and IT
systems within an organization. These controls are typically divided into several categories:

1. Access Controls
- Access controls should include various methods of preventing unauthorized access and data
manipulation. Coupling robust password management with a least-privilege access policy can
immediately lower the chances of a virus or cyber attack.
- Access controls are designed to prevent unauthorized access to IT systems and data. They
ensure that only authorized users have access to specific systems and information, based on
their roles and responsibilities.
Important Elements:

 User Access Management: User access management includes role-based access controls
(RBAC), which distributes rights according to user roles, as well as procedures for adding,
modifying, and removing user accounts.

 Authentication and Authorization: Techniques for confirming user identities, such as
passwords, multi-factor authentication (MFA), and biometric scans. Authorization then ensures
that users can only access the resources required for their position.

 Access Reviews and Audits:

 Physical Access Controls: Measures to secure physical access to IT infrastructure, such as
server rooms, through locks, access cards, and surveillance.

* Access-related ITGCs may also entail quarterly or annual inventory audits to pinpoint the most
valuable data and reevaluate the controls designed to protect it.

* Effective access controls help in safeguarding sensitive information, protecting against data
breaches, and ensuring compliance with regulatory requirements like GDPR and HIPAA.

2. Change Management Controls

- Change management controls help companies document and authorize changes and
perform a root cause analysis if something goes wrong.
- Change management controls are designed to manage changes to IT systems and
processes in a controlled manner. They ensure that any change is authorized,
tested, documented, and implemented without disrupting business operations.
Important Elements:
 Change Request and Approval: A structured procedure for submitting and approving
change requests, which guarantees that changes are required and approved by the
relevant staff.

 Impact Analysis: Assessment of the potential impact of proposed changes on the existing
systems, including risk evaluation and mitigation strategies.

 Testing and Validation: Testing modifications in a controlled setting to make sure they function
as intended and don't create any new problems or vulnerabilities.

 Documentation and Tracking: Detailed documentation of every change, including the
rationale, implementation steps, and outcomes, to maintain an audit trail and facilitate
future reviews.

 Rollback Procedures: Established procedures to revert to the previous state if a change causes
unexpected issues.

3. Data Backup and Recovery

- Accidents, natural disasters, or cyberattacks can happen anytime, and without backup or
recovery plans in place, companies can lose significant data.
- Data management controls focus on the integrity, confidentiality, and availability of data
throughout its lifecycle. These controls encompass data storage, processing, and transmission.

Important Elements:

 Data Backup and Recovery: Regular backups of critical data and robust recovery procedures
to ensure data can be restored in case of loss or corruption.

 Data Encryption: Encryption of sensitive data both at rest and in transit to protect it from
unauthorized access and breaches.

 Data Classification and Handling: Categorization of data based on its sensitivity and
implementation of appropriate handling procedures to protect data according to its
classification.

 Data Retention and Disposal: Policies for retaining data for required periods and securely
disposing of data that is no longer needed.

4. IT Operations Controls
- General IT controls may refer to how IT systems are managed, who oversees those
systems, where the IT roadmap is going, how and when to conduct risk assessments,
and what best practices IT projects should follow.
Important Elements:

 Incident Management: Processes for identifying, reporting, and resolving IT incidents,
including service disruptions and security breaches.
 Monitoring and Logging: Continuous monitoring of IT systems and logging of key activities
to detect and respond to issues promptly.

 Performance Management: Monitoring and optimizing the performance of IT systems to
ensure they meet business needs and service level agreements (SLAs).

 Patch Management: Regular updates and patches to software and hardware to address
vulnerabilities and improve functionality.

 Service Continuity and Disaster Recovery: Plans and procedures to maintain IT services
during disruptions and recover from major incidents.

5. IMPLEMENTATION OF IT CONTROLS

- Having determined which controls are necessary, it is now time to consider how to
implement them. Both proactive and reactive controls are available; as their names imply,
proactive controls aim to stop negative effects or events, whilst reactive controls operate as
corrective measures when anything goes wrong. You can ensure complete coverage of your
security program by implementing both proactive and reactive controls for each important
area.
- Although some ITGCs are fairly common and simple, certain firms may have more
sophisticated requirements depending on the kind of product or service they sell. A seasoned
auditing organization can help you create and tailor the right controls for your business.
Important Elements:
 Costs of development may get out of control.

 Programs: The programs within the systems may contain errors.

 Designed systems: The system designed may not suit the users' requirements, and the
new system may not incorporate enough controls to ensure the integrity of its programs.

 Transfer of information: The information transferred from the old system to the
new system may be erroneous or incomplete.

6. SECURITY FRAMEWORK
- A security framework such as the NIST Cybersecurity Framework is a comprehensive set of
guidelines developed by the National Institute of Standards and Technology (NIST) to help
organizations manage cybersecurity risks. It provides a structured approach for identifying,
assessing, and mitigating threats to critical assets, systems, and data.
Important Elements:
 Identify: To gain knowledge of cybersecurity threats, including resources, the
corporate environment, and any applicable legal requirements.
 Protect: To put controls and safety measures in place to guarantee the secure
delivery of vital infrastructure services. Data security and IAM are included in this.
 Detect: To set up systems for quickly recognizing and reacting to cybersecurity
occurrences. Early threat detection reduces the impact of threats.
 Respond: To create and carry out plans for handling incidents. Restoring regular
operations and reducing harm are the main goals of this function.
 Recover: To put systems and services back online following a cyberattack. The goal of
recovery is to get back to normal while taking lessons from the event.
