IT General Controls & Risk Audits

For your organization, information and the technology that supports it may represent your most valuable assets. Securing this data while continuing to support business objectives is an increasingly critical undertaking, and it is achieved by implementing a suitable set of security controls.

Our IT General Control Audit Methodology is designed to develop a clear understanding of the key controls (including policies, processes, procedures, organizational structures, and software and hardware) present in the environment surrounding your information systems, from both a technical and an operational standpoint. The objective of this review is to determine whether the control practices are reasonable to support your technology needs and are functioning as intended.

The selection of controls depends on organizational decisions based on the criteria for risk acceptance, the risk treatment options, and the general risk management approach applied to the organization, and it should also be subject to all relevant legislation and regulations. Once established and implemented, controls must be monitored, reviewed, and improved where necessary to ensure sustained relevance and to validate continued conformity with organizational security and business objectives.

Primary control areas generally fall into three categories:

Technical controls use technology as the basis for controlling access to and usage of sensitive data, both within a physical structure and over a network.

Physical controls are the security measures implemented in a defined structure to deter or prevent unauthorized access to sensitive material.

Administrative controls define the human factors of security, such as policies, roles, and responsibilities.

The following are examples of key areas of control that SMP evaluates:

  • General Organization
  • Vendor Management
  • Facility/Physical Security
  • Network Configuration and Security Measures
  • Security Testing
  • Incident Response
  • Hardware and Software Inventory
  • IT Acquisition
  • Maintenance and Patching
  • Systems Security
  • Information Minimization
  • Disaster Recovery/Business Continuity Planning
  • Human Resources/Staffing
  • Information Security Training/User Education/Awareness Training
  • Programming Policies, Procedures, and Standards