IT Controls

Controls are

"specific manual or automated activities performed by persons or systems, which are designed to ensure that adverse effects of an event, should it occur, are prevented or detected"

IT Controls are a subset of organizational controls designed to make IT systems more secure and reliable by minimizing errors, security breaches, unauthorized access, and vulnerabilities. IT controls are necessary to protect information technology assets, to make the transactions they produce trustworthy, and to ensure they deliver business outcomes in line with business strategy and organizational standards. IT Controls can be mechanisms, rules and procedures that are incorporated into the design, development and deployment of information systems.

There are two broad categories of controls:

  1. General Controls: as the name suggests, these are controls which apply to all applications. Examples are controls related to the design and use of applications, and the security of data.

  2. Application Controls: these are unique to each computerized application. Examples are controls within applications to ensure completeness, accuracy and validity of data.

Controls can be further categorized into many groups, for example:

  1. IT Governance Controls

  2. Physical Security Controls

  3. Business Continuity Controls

  4. Disaster Recovery Controls

  5. Identity and Access Management Controls

  6. SDLC related Controls

  7. Monitoring Controls

  8. Information Security Controls

  9. Data Privacy Controls

  10. Backup and Recovery Controls

  11. Vendor Management Controls

Types of Control

  1. Preventive - Designed to be implemented prior to a threat event and reduce and/or avoid the likelihood and potential impact of a successful threat event

  2. Corrective - Designed to correct errors or irregularities that have been detected

  3. Detective - Designed to find problems once they have occurred

Control Objectives are

"...statements that address how risk is going to be effectively managed by an organization"
