List of the ITGRC controls - alishahbaz/ITGRC GitHub Wiki

IT Governance, Risk, and Compliance (ITGRC)

IT Governance, Risk, and Compliance (ITGRC) encompasses various frameworks and regulations, each with its own set of controls. Below is a list of common ITGRC controls categorized under key domains:

1. IT General Controls (ITGC)

These controls apply to IT systems and processes to ensure security, availability, and reliability.

A. Access Management Controls

  • User access provisioning and deprovisioning
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Privileged access management (PAM)
  • Periodic access review and recertification

B. Change Management Controls

  • Change request documentation and approval
  • Segregation of duties (SoD) in change implementation
  • Change testing and impact assessment
  • Emergency change procedures
  • Post-change validation and review

C. IT Operations & Backup Controls

  • Regular system and data backups
  • Backup encryption and retention policies
  • Disaster recovery and business continuity planning (BCP/DRP)
  • Incident response and escalation processes
  • Patch and vulnerability management

D. IT System Development Lifecycle (SDLC) Controls

  • Secure coding practices
  • Security testing (SAST/DAST)
  • Code reviews and peer testing
  • Secure software release management
  • Data masking and anonymization

E. Logging and Monitoring Controls

  • Centralized logging (SIEM implementation)
  • Audit log review and alerting
  • Security event correlation
  • User and entity behavior analytics (UEBA)

2. IT Risk Management Controls

  • Risk assessment and treatment plans
  • Third-party/vendor risk management
  • Continuous monitoring of emerging threats
  • Risk acceptance and mitigation strategies
  • Compliance risk assessments

3. IT Compliance & Governance Controls

These align with frameworks and regulations such as SOX, PCI DSS, ISO 27001, the NIST CSF, HIPAA and GDPR.

A. SOX (Sarbanes-Oxley Act) Controls

  • Financial data integrity and access controls
  • IT change control and segregation of duties
  • ITGC audits and monitoring

B. PCI DSS (Payment Card Industry Data Security Standard) Controls

  • Cardholder data encryption
  • Secure network architecture
  • Regular penetration testing and scanning
  • Strict access control policies

C. ISO 27001 Controls (aligned with Annex A of ISO/IEC 27001:2013; the 2022 edition regroups these clauses under four themes, so the numbers below do not map one-to-one)

  • Asset management (A.8)
  • Cryptographic controls (A.10)
  • Secure communication (A.13)
  • Secure development (A.14)
  • Supplier security management (A.15)

D. NIST Cybersecurity Framework (CSF) Controls (the five core functions of CSF 1.1; CSF 2.0 adds a sixth, Govern)

  • Identify: Asset management, governance
  • Protect: Access control, data security
  • Detect: Anomalies and events, security monitoring
  • Respond: Incident response planning
  • Recover: BCP/DRP

E. GDPR (General Data Protection Regulation) Controls

  • Data subject rights (right to erasure, also called the "right to be forgotten"; data portability)
  • Data protection impact assessments (DPIA)
  • Consent management
  • Encryption and pseudonymization of personal data