Articles

ITGCs - Introduction to General Information Security Controls

By July 11, 2022 No Comments

*By Juliana Nunes

With the increasingly intense and widespread use of IT, computerized systems have grown significantly, increasing their complexity and interconnectivity, changing the way organizations conduct their business and inducing greater vulnerability to internal and external threats.

Consequently, it became necessary to structure and monitor controls to mitigate IT-related risks, which is the objective of the ITGC - Information Technology General Controls, general information technology controls.

ITGC - GENERAL CONTROLS OF INFORMATION TECHNOLOGY

There are 6 main general information technology controls:

  • Physical and logical access management;
  • Change management;
  • Incident management;
  • Backup management;
  • physical environment;
  • Business continuity.

These controls must be defined, applied and monitored continuously through internal and/or external audits, with the aim of always improving their efficiency and maturity, following and following frameworks such as ISO 27001, NIST and best market practices.

In addition to controls, it is extremely important that processes are documented in policies, standards or manuals, establishing guidelines and objectives to be followed and rules to be complied with by everyone in the organization and stakeholders.

PHYSICAL AND LOGICAL ACCESS MANAGEMENT

Physical and logical access control consists of the processes of granting, revoking, altering, and reviewing all access in the organization. Access requests must be formalized through forms, email or tool, and approved by the responsible managers. With this, the organization safeguards and protects itself from activities performed improperly by employees and third parties with access to its environment.

For users away from or disconnected from the organization, access revocations must occur in a timely manner, preventing undue access to critical information. Periodic reviews ensure that errors in the access management process are detected and corrected, ensuring that accesses are in accordance with user needs and adhere to business needs.

CHANGE MANAGEMENT

Change management is based on a formal process for all critical systems in the organization where it determines the requirements for carrying out routine and emergency changes in the production environment of corporate systems. This process must present, at least, levels of approvals, reports of changes carried out, emergency and approved, as well as ensure that tests are carried out in environments segregated from production, being necessary to maintain a record of approvals before implementation in the production environment.

The service to execute the infrastructure changes must be established through a standard flow, containing minimally criteria for the classification of impact and urgency of the changes, approvals from the business areas, deadlines established for the execution and closure of the changes.

The absence of these procedures can lead to unauthorized changes, increasing the risk of systems in disagreement with the organization's needs and instability in the production environment.

INCIDENT MANAGEMENT

Information security and cyber security incidents are considered to be all situations of attacks and violation or failure to comply with information protection controls that put the organization's data, systems and IT equipment at risk, making them unavailable, operating in a incorrect, inaccurate or allowing unauthorized access by unauthorized persons, affecting the confidentiality, availability and integrity of assets and information.

For the treatment of incidents and problems, events must be recorded effectively, allowing a critical analysis to be carried out, in order to mitigate the impact on the organization's environment, since the analysis of these incidents provides the creation of lasting solutions, decreasing the incidence of problems and increasing the stability of IT services.

Internal procedures containing the action plan and response to IT and information security incidents detailing all identification steps must be documented, as well as incident classification, reaction times and resolution by priority (SLA), typologies that can be recorded , remedial groups, mitigation measures, investigation and education of treatment teams.

MANAGEMENT OF BACKUP

Procedures and routines must be formalized for carrying out backup and restore, enabling the continuity of operations in cases of emergency in which the responsible operators are not present or in a possible failure of the backup.

The tests of restore they must be prepared and executed periodically and it is important to document the results obtained, considering information such as responsible for the documentation, date of execution, time of execution and identification of the recovered media.

those of the tapes backup must be stored in an appropriate place and segregated from the IT environment, aiming at the continuity of operations in case of unforeseen stops and the need for data recovery. Usually, companies hire companies specialized in safeguarding tapes, maintaining tape withdrawal and delivery procedures in accordance with the policies established by the contracting company.

PHYSICAL ENVIRONMENT

Physical environment controls aim to maintain security measures for access to critical equipment that are stored in environments that contain critical organization information such as the Data Center.

All activities within these environments must be monitored and previously authorized by a responsible employee and only necessary people must have access to these facilities.

To improve the security of the control environment of the Data Center, there are equipment that can be implemented, such as:

  • Redundant air conditioning equipment;
  • Fire door, which aims to fully protect the Data Center against fire;
  • Internal control of temperature, humidity and early detection of smoke;
  • Automated fire detection and containment system;
  • UPS and Power generator;
  • racks for server storage;
  • CO2 fire extinguisher near the door;
  • Security cameras;
  • Raised floor.

It is necessary to define a periodicity of preventive and corrective maintenance so that the equipment operates correctly without any unforeseen events.

Furthermore, databases, workstations, providers and servers must contain configuration settings. firewall, redundancies for business continuity and periodic vulnerability scans for increased security. It is also necessary to monitor the capacity of CPUs, memories, disks, services in order to determine their changes in the use of network resources. Once these changes are mapped out, it is possible to conduct more accurate long-term planning for additional resources.

BUSINESS CONTINUITY

Due to the increasing dependence of companies on their computerized data processing systems to conduct and execute business activities, it was necessary, through the consolidation of information, to define continuity plans, crisis management and disaster recovery. The purpose of structuring these processes for the organization's business continuity management is:

  • Ensure the continuity of data processing in the event of any disasters or impacts;
  • Minimize losses arising from the interruption of usual data processing activities;
  • Keeping the number of decisions taken under pressure in an eventual disaster or contingency at acceptable levels.

The preparation of a contingency plan must minimally contemplate potential disasters and contingencies, identify computerized applications considered critical for the organization to prioritize their restoration, and develop specific procedures to be followed in the event of a disaster or contingency. Perform periodic tests and emergency simulations to ensure the effectiveness of controls and guidelines established in documentation, carry out continuous improvement in structured processes and monitor and address the risks identified through action plans.

FINAL CONSIDERATIONS

The application of IT controls has become fundamental in the current scenario for better security in the organizational environment. The controls presented above were some main examples that are in the job market at the moment, but it is worth mentioning that there are others such as:

  • monitoring of jobs;
  • Patch Management;
  • logs audit;
  • Password parameterization;
  • Management of generic and administrative accounts;
  • Segregation of function;
  • Vulnerability management.

It is important to point out that the processes must be periodically evaluated to maintain the efficiency and maturity of the controls. Monitoring should be continuous, evaluating and monitoring its functionality in order to continuously identify points for improvement.

Ensuring a structured and secure IT environment will bring more reliability internally among employees and with business partners, in addition to improving the performance of the organization's processes and reducing costs in the long term.

— Juliana Nunes is a GRC and Information Security Senior Consultant | [SAFEWAY]

How can we help?

THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law SuitPeople and Technology.

through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!