ITGC Access to programs and data
Access to programs and data is one category of IT general controls (ITGC). Because ITGCs are general computer controls, implementing them is a regulatory obligation for large companies. External auditors therefore verify their implementation and effectiveness as part of the annual audit of the accounts.
The purpose of this category is to ensure that access to programs and data is properly limited to authorized persons. A common example of the risk is a person in the company who still has an active account with access to sensitive data. Unauthorized access to programs and data may result in data corruption, deletion, or leakage.
To limit these risks, the category includes 5 controls applied across 3 layers: applications, operating systems, and databases.
- Access creations are monitored, validated by an authorized manager, and properly implemented.
- The access rights of users who have left or are no longer legitimate (due to change of workstation for example) are deactivated in time.
- The activity of high-privilege accounts, administrators and sensitive generic accounts is regularly monitored.
- Access rights are subject to periodic review.
- Passwords are correctly configured.
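
One way to test the second control (timely deactivation) across the three layers, shown as an added example that is not part of the original page: it reconciles an HR list of departures and position changes against account exports. The sample data, the record layout, and the 5-day tolerance are constructed assumptions, since the page does not define what "in time" means.

```python
from datetime import date

# Constructed sample data (not from the page).
# HR events: user -> date the access stopped being legitimate
# (departure or change of position).
HR_EVENTS = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 3, 20),
    "cdoe": date(2024, 3, 25),
}

# Account exports, one row per account and layer:
# (layer, account, owner, enabled, disabled_on)
ACCOUNTS = [
    ("application", "asmith", "asmith", False, date(2024, 3, 2)),
    ("operating system", "asmith", "asmith", True, None),
    ("database", "bjones_ro", "bjones", False, date(2024, 4, 15)),
    ("application", "cdoe", "cdoe", False, date(2024, 3, 25)),
    ("database", "dlee", "dlee", True, None),
]

MAX_DELAY_DAYS = 5  # assumed tolerance; use the value from your access policy


def leaver_exceptions(hr_events, accounts, as_of, max_delay_days=MAX_DELAY_DAYS):
    """Return (layer, account, finding, days) for accounts not deactivated in time."""
    exceptions = []
    for layer, account, owner, enabled, disabled_on in accounts:
        end = hr_events.get(owner)
        if end is None or end > as_of:
            continue  # owner is still legitimate on the review date
        if enabled:
            # Account remains usable after the owner lost legitimacy.
            exceptions.append((layer, account, "still active", (as_of - end).days))
        elif disabled_on is None:
            # Disabled, but no evidence of when: timeliness cannot be shown.
            exceptions.append((layer, account, "no deactivation date", None))
        elif (disabled_on - end).days > max_delay_days:
            exceptions.append(
                (layer, account, "deactivated late", (disabled_on - end).days)
            )
    return exceptions


if __name__ == "__main__":
    for row in leaver_exceptions(HR_EVENTS, ACCOUNTS, as_of=date(2024, 4, 30)):
        print(row)
```

Matching on the account owner rather than the account name is what catches secondary accounts, such as a database login that does not share the user's directory name.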
