User access creation and management are crucial IT General Controls (ITGC) and must be aligned with company policies to mitigate risks. The process involves verifying user requests, ensuring proper authorization, and timely access provision, all while adhering to defined roles and responsibilities. Auditing this process entails testing attributes against samples and evaluating the effectiveness of controls across the organization to ensure compliance with policies and regulations.
User Access Creation
• 00:00:07 User access creation usually involves providing new user IDs for new starters or modifying existing roles, such as when a user changes departments or locations. Companies often delete and recreate IDs during these changes, which may not be ideal but is a common practice. The most relevant part of this process is determining the appropriate access levels based on the user's role and the application's requirements, ensuring access aligns with organizational policies and regulations.
Company Policy & Compliance
• 00:01:52 Companies should have a clearly defined policy for user access, including background verification and access granting procedures. This policy guides the control implementation, defining the steps and approvals required for granting access. Adhering to this policy on a daily basis ensures consistency and reduces the risk of non-compliance with regulations and standards.
Training & Implementation
• 00:16:12 Training is essential for all stakeholders involved in the user access process, including administrators, approvers, and requesters. It ensures everyone understands the policy, their role in it, and the risks mitigated by implementing the defined controls. The implementation itself involves establishing procedures for creating and managing user access based on company policies and relevant IT systems.
Auditing User Access
• 00:04:57 Auditing user access involves verifying whether the control is effectively implemented and mitigates the associated risks. This includes testing attributes such as whether each user request was appropriately authorized, whether access was granted in a timely manner, and whether access levels match the user's role and responsibilities. Auditors use workpapers and testing methodologies to document the process and gather evidence for regulatory and legal compliance.