ITGC
IT General Controls · SOX
The IT general controls that underpin a SOX audit: access management, change management, IT operations & resilience, incident & security monitoring, data protection, and third-party management.
6 domains · 81 controls · 258 tests
AM · Access Management
19 controls
AM-01 IT Organisation & Segregation: IT responsibilities are appropriately divided.
AM-02 Password / Authentication Policy: Credentials meet a minimum strength/lifecycle baseline.
AM-03 Multi-Factor Authentication (MFA): Sensitive/exposed surfaces require more than a password.
AM-04 Centralised Identity / SSO: Identity lifecycle changes propagate consistently.
AM-05 Session Management / Timeout: Unattended sessions are automatically secured.
AM-06 User Access Provisioning: Access is granted only on a documented, authorised, least-privilege basis.
AM-07 User Access Modification (Movers): Access stays appropriate when users change roles.
AM-08 User Access De-provisioning (Leavers): Access is revoked promptly on departure.
AM-09 Periodic User Access Review: Access remains appropriate via periodic owner attestation.
AM-10 Privileged / Administrator Access: Privileged access is restricted, justified and attributable.
AM-11 Privileged Access Management (PAM): Privileged sessions are brokered, recorded and just-in-time.
AM-12 Segregation of Duties (SoD): Conflicting duties are separated.
AM-13 Generic / Shared / Service Accounts: Non-personal accounts are inventoried, owned and controlled.
AM-14 Remote Access / VPN: Remote connectivity is authenticated, encrypted and restricted.
AM-15 Database Access Controls: Direct DB access is minimised, named and logged.
AM-16 Operating System / Server Access: OS-level access is restricted and approved.
AM-17 Application Access (RBAC): Application functionality is granted by least-privilege role.
AM-18 Cloud IAM / Console (GCP): Cloud identities follow least privilege with guardrails.
AM-19 Physical Access (or Cloud SOC): Physical access to processing facilities is controlled.
CM · Change Management
23 controls
CM-01 Change Management Policy: Changes are governed by a documented, current standard.
CM-02 Change Request & Documentation: Every change is recorded for traceability.
CM-03 Change Authorisation: Changes reach production only after approval.
CM-04 Testing / UAT Before Production: Changes are validated before release.
CM-05 Environment Segregation: Dev, test and production are isolated.
CM-06 SoD in Changes (Dev ≠ Deployer): The author of a change cannot unilaterally release it.
CM-07 Developer Access to Production: Standing developer prod access is minimised and controlled.
CM-08 Code Review / Peer Approval: Code changes are independently reviewed before merge.
CM-09 Version Control / SCM: Source code integrity and history are maintained.
CM-10 Deployment Pipeline (CI/CD): Releases run through a controlled, auditable mechanism.
CM-11 Emergency Changes: Urgent changes remain controlled.
CM-12 Rollback / Back-out Plans: Failed changes can be recovered from.
CM-13 Patch Management: Security patches are applied timely and risk-prioritised.
CM-14 Infrastructure / IaC Changes: Infrastructure/cloud config changes are controlled.
CM-15 Database / Schema Change Control: DB structure and data changes are controlled.
CM-16 SDLC Methodology: Development follows a defined, gated lifecycle.
CM-17 Requirements & Design Approval: Systems are built to approved requirements.
CM-18 Secure Development Standards: Security is built in, not bolted on.
CM-19 Application Security Testing & Pen Test: Applications are tested for security pre/post release.
CM-20 Data Conversion / Migration: Migrated data is complete and accurate.
CM-21 Go-Live / Implementation Approval: Systems go live only when ready.
CM-22 Post-Implementation Review: Outcomes and controls are validated after release.
CM-23 Project Governance & Stage Gates: Significant initiatives are governed and accountable.
OR · IT Operations & Resilience
17 controls
OR-01 IT Governance & Oversight: Technology is governed with clear accountability.
OR-02 IT & Information Security Policies: Baseline expectations are documented and maintained.
OR-03 IT Risk Assessment: Technology risks are identified and treated.
OR-04 Asset & Configuration Management: IT assets are known, owned and managed.
OR-05 Regulatory & Compliance Monitoring: Applicable obligations are tracked and assessed.
OR-06 Job Scheduling Control: Automated processing is scheduled and access-controlled.
OR-07 Batch Monitoring & Failure Handling: Processing failures are detected and resolved.
OR-08 System & Infrastructure Monitoring: Health of critical systems is observed.
OR-09 Capacity & Performance Management: Resources scale to demand.
OR-10 Data-Centre Environmental Controls: Facilities are protected (or provider-attested).
OR-11 Backup Policy & Execution: Data is backed up to meet recovery objectives.
OR-12 Backup Failure Monitoring: Backup failures are surfaced and fixed.
OR-13 Backup Restoration Testing: Backups are proven recoverable.
OR-14 Backup Storage & Protection: Backup copies are secure and resilient.
OR-15 Disaster Recovery Plan: Recovery from major disruption is planned.
OR-16 DR Testing: The recovery plan actually works.
OR-17 Business Continuity Plan: Business operations continue through disruption.
IM · Incident & Security Monitoring
9 controls
SM-01 Logging Standard & Retention: What is logged and for how long is defined/enforced.
SM-02 Access & Privileged Activity Logging: Security events are captured centrally and protected.
SM-03 Time Synchronisation (NTP): Log timestamps are reliable for forensics.
SM-04 Security Alerting & Anomaly Monitoring: Suspicious access is detected and acted upon.
SM-05 Endpoint Protection (EDR): Endpoints are protected and monitored for malware.
SM-06 Vulnerability Management: Weaknesses are found and fixed on a managed basis.
SM-07 Security Awareness Training: Staff are equipped against human-factor threats.
SM-08 Incident Management: IT incidents follow a consistent lifecycle.
SM-09 Problem Management: Root causes of recurring issues are addressed.
DS · Data Security & Protection
7 controls
DS-01 Data Classification & Handling: Data is protected per sensitivity.
DS-02 Network Security / Firewall: Zones are segmented; rules follow least privilege.
DS-03 Encryption at Rest: Stored sensitive/PII/crypto data is protected.
DS-04 Encryption in Transit: Data on the wire is protected.
DS-05 Cryptographic Key Management: Keys are managed across their lifecycle (critical for a DPT firm).
DS-06 Secrets / API Key & Token Management: Secrets are vaulted, rotated and never hardcoded.
DS-07 Data Retention & Secure Disposal: Data is retained and disposed of per policy/regulation.
TP · Third-Party / Vendor Management
6 controls
VM-01 Vendor / Third-Party Risk Assessment: Third-party risk is assessed before and during reliance.
VM-02 SOC Report Review (SOC 1/2): Outsourced controls are evidenced and gaps managed.
VM-03 Cloud Provider Governance (GCP): Shared-responsibility and cloud obligations are managed.
VM-04 Outsourcing Register & MAS Compliance: Material outsourcing meets MAS expectations.
VM-05 Third-Party Access Management: External party access is least-privilege and monitored.
VM-06 Service Level & Performance Monitoring: Vendor delivery is monitored against commitments.