
Setting Entry-Level IT Controls

Strong entry-level IT controls form the foundation of a secure and resilient technology environment. When these baseline controls are weak, the entire control framework is undermined, increasing risks to confidentiality, integrity, and availability of business systems. Below are key entry-level controls every organization should implement.


Governance and Accountability

  • Defined Roles and Responsibilities – Ensure IT authority is clearly assigned, with segregation of duties so that no single person can, for example, both request and approve a change or both administer a system and review its logs; this limits the damage a single error or a single dishonest insider can cause.

  • Independent IT Security Function – Policies should be developed, enforced, and monitored by a security team separate from operational IT.

  • Strategic IT Alignment – IT planning must align with business strategies, enabling proactive responses to changing business and regulatory requirements.


Standards, Policies, and Risk Management

  • Documented Policies and Standards – Cover areas such as acceptable use, password requirements, access management, system configuration, and data handling. Policies should be reviewed and updated regularly.

  • Risk Assessments – Conduct formal assessments of critical systems and facilities, supported by ongoing internal control monitoring, audits, and compliance reviews.

  • Data Governance – Classify, assign ownership, and manage data throughout its lifecycle—from creation and retention to secure disposal.


Operational Processes

  • Change and Configuration Management – Establish formal processes for requesting, testing, approving, and documenting system changes to reduce risk of outages or security gaps.

  • Asset Management – Track procurement, movement, inventory, and disposal of IT assets, and make sure media holding sensitive data are sanitized before reuse and destroyed at end of life, with a record of each disposal.

  • Capacity Planning – Monitor and forecast system, network, and data center capacity to avoid service disruptions.


IT Security and Compliance

  • User Access Controls – Enforce least privilege, remove access promptly when people leave or change roles (a periodic reconciliation of directory accounts against the HR roster catches what the leaver process misses), and apply strict controls to third-party and remote access (e.g., VPN with MFA, device posture checks, and expiry dates on vendor accounts).

  • Password and Authentication Policies – Require strong passwords (length and screening against known-breached passwords matter more than composition rules; see NIST SP 800-63B), provide a password manager rather than leaving storage to users, and enforce MFA wherever it is supported, starting with remote and privileged access.

  • Security Awareness – Train employees and contractors on acceptable use, phishing risks, and media handling procedures.

  • Third-Party Oversight – Define roles, responsibilities, and performance metrics for outsourced providers and monitor their compliance.
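The access-control bullets above describe a reconciliation that most organizations end up scripting: compare what the directory says is enabled against what HR says is employed, check privileged group membership against recorded approvals, and catch vendor accounts that have outlived their engagement. The following is an added example, not WestNet's tooling or anything from the original page. The roster, account records, group names (`Domain Admins`, `Server Admins`, `DBA`), the one-day termination grace period and the 90-day dormancy threshold are all constructed assumptions; a real program would pull these from its directory and HR system and set the thresholds by policy.

```python
"""Joiner/mover/leaver and privilege reconciliation (added illustration).

All roster and account data below is constructed sample data; the group
names and thresholds are assumptions, not values from the page.
"""
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "DBA"}  # assumed group names
DORMANT_AFTER = timedelta(days=90)      # assumed policy: unused this long is a finding
TERMINATION_GRACE = timedelta(days=1)   # assumed policy: disable within a day of leaving


def review_access(roster, accounts, approved_privileges, today):
    """Compare directory accounts with the HR roster and return sorted
    (username, finding) pairs. Disabled accounts are skipped: they are the
    desired end state for leavers and for expired vendors."""
    hr = {p["employee_id"]: p for p in roster}
    findings = []
    for acct in accounts:
        user = acct["username"]
        if not acct["enabled"]:
            continue
        if acct["type"] == "employee":
            person = hr.get(acct.get("employee_id"))
            if person is None:
                findings.append((user, "orphaned: no HR record for enabled account"))
            elif (person["status"] == "terminated"
                  and today - person["term_date"] > TERMINATION_GRACE):
                findings.append((user, "terminated user still enabled"))
        elif acct["type"] == "vendor":
            if acct.get("expires") is None:
                findings.append((user, "vendor account has no expiry"))
            elif acct["expires"] < today:
                findings.append((user, "vendor access past expiry"))
        # Least privilege: every privileged group held must have a recorded approval.
        held = set(acct["groups"]) & PRIVILEGED_GROUPS
        for group in sorted(held - approved_privileges.get(user, set())):
            findings.append((user, f"privileged group {group} without approval"))
        # An enabled account nobody uses is a standing risk even for active staff.
        last = acct.get("last_login")
        if last is not None and today - last > DORMANT_AFTER:
            findings.append((user, "dormant account"))
    return sorted(findings)


# Constructed sample data (not from the page).
SAMPLE_ROSTER = [
    {"employee_id": "E100", "status": "active", "term_date": None},
    {"employee_id": "E200", "status": "terminated", "term_date": date(2025, 5, 1)},
    {"employee_id": "E300", "status": "active", "term_date": None},
]
SAMPLE_ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "type": "employee", "enabled": True,
     "groups": ["Staff"], "last_login": date(2025, 2, 1)},
    {"username": "bob", "employee_id": "E200", "type": "employee", "enabled": True,
     "groups": ["Staff", "Domain Admins"], "last_login": date(2025, 4, 28)},
    {"username": "carol", "employee_id": "E300", "type": "employee", "enabled": True,
     "groups": ["Staff", "DBA"], "last_login": date(2025, 6, 12)},
    {"username": "dave", "employee_id": "E400", "type": "employee", "enabled": True,
     "groups": ["Staff"], "last_login": date(2025, 6, 1)},
    {"username": "frank", "employee_id": "E600", "type": "employee", "enabled": False,
     "groups": ["Server Admins"], "last_login": date(2024, 1, 1)},
    {"username": "vendor-acme", "employee_id": None, "type": "vendor", "enabled": True,
     "groups": ["Staff"], "last_login": date(2025, 6, 11), "expires": date(2025, 5, 31)},
]
APPROVED_PRIVILEGES = {"carol": {"DBA"}}   # recorded approvals, assumed
AS_OF = date(2025, 6, 15)


def run_sample():
    """Run the review over the constructed sample as of AS_OF."""
    return review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, APPROVED_PRIVILEGES, AS_OF)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:12} {finding}")
```

On the sample, the review flags bob twice (still enabled six weeks after termination, and holding `Domain Admins` with no approval on file), dave as an orphan with no HR record, alice as dormant, and the vendor account as past its expiry; carol's `DBA` membership is approved and produces nothing, and frank is already disabled and is skipped. Each finding is a ticket for the account owner, not an automatic disable: the point of the control is that a human with authority reviews and signs off.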


Monitoring and Performance

  • IT Performance Indicators – Track SLAs and KPIs for service delivery to ensure IT supports business needs effectively.

  • Incident and Problem Reporting – Provide end users with structured channels to report issues, and require identity verification and proper approval before sensitive actions such as password resets or MFA re-enrollment, since the help desk is a favorite target for social engineering.

  • Logging and Monitoring – Collect logs from systems, network devices, and applications, forward them to a central store that the originating systems cannot alter, retain them long enough to support an investigation, and review them regularly for security events (failed and successful logins, privilege use, configuration changes) and operational anomalies.
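"Collect, centralize, and review" only becomes a control once the review is actually defined. The following is an added example of what a minimal review looks like, written for this page and not taken from WestNet or from any product: it normalizes syslog lines forwarded from two hosts into events, then applies three rules (a burst of failed SSH logins from one source, a successful login from a source that was just guessing, and `sudo` use by someone without an approved entitlement). The log lines are constructed to resemble OpenSSH and sudo syslog output, the addresses come from documentation ranges, and the threshold of five failures within two minutes and the `SUDO_APPROVED` list are assumptions to be tuned by policy.

```python
"""Centralized log review (added illustration, not WestNet's tooling).

The sample log is constructed to look like OpenSSH and sudo syslog lines;
thresholds and the approved-sudo list are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SSH_OK = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_CMD = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

FAILURE_THRESHOLD = 5            # assumed: this many failures from one source ...
WINDOW = timedelta(minutes=2)    # ... inside this window counts as a burst
SUDO_APPROVED = {"dba1"}         # assumed: users with an approved sudo entitlement


def parse(line, year=2025):
    """Turn one syslog line into a normalized event dict, or None if it is
    not a message type this reviewer understands."""
    m = SYSLOG.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; the collector supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts, "host": m["host"]}
    msg = m["msg"]
    if m["proc"] == "sshd":
        f = SSH_FAIL.search(msg)
        if f:
            return {**ev, "kind": "ssh_fail", "user": f["user"], "src": f["src"]}
        ok = SSH_OK.search(msg)
        if ok:
            return {**ev, "kind": "ssh_ok", "user": ok["user"], "src": ok["src"]}
    elif m["proc"] == "sudo":
        s = SUDO_CMD.match(msg)
        if s:
            return {**ev, "kind": "sudo", "user": s["user"], "cmd": s["cmd"]}
    return None


def detect(events):
    """Sliding-window review over events in time order. Returns alerts in the
    order they fire; the first field of each tuple names the rule."""
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    flagged = set()                 # (host, src) pairs already reported as a burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("src"))
        if ev["kind"] == "ssh_fail":
            q = failures[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", ev["host"], ev["src"], len(q)))
        elif ev["kind"] == "ssh_ok" and key in flagged:
            # A success from a source that was just guessing needs a human look.
            alerts.append(("login_after_failures", ev["host"], ev["src"], ev["user"]))
        elif ev["kind"] == "sudo" and ev["user"] not in SUDO_APPROVED:
            alerts.append(("unapproved_sudo", ev["host"], ev["user"], ev["cmd"]))
    return alerts


def analyze(text):
    """Parse every line of a forwarded log and run the rules over it."""
    events = [e for e in (parse(line) for line in text.splitlines()) if e]
    return detect(events)


# Constructed sample: two hosts' logs as they would arrive at the collector.
SAMPLE_LOG = """\
Jun 14 02:13:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 14 02:13:02 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 14 02:13:03 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Jun 14 02:13:04 web01 sshd[2207]: Failed password for deploy from 203.0.113.7 port 51025 ssh2
Jun 14 02:13:05 web01 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Jun 14 02:13:30 web01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2
Jun 14 08:59:00 db01 sshd[877]: Failed password for dba1 from 10.0.0.25 port 40008 ssh2
Jun 14 09:01:10 db01 sshd[880]: Accepted publickey for dba1 from 10.0.0.25 port 40010 ssh2
Jun 14 09:02:00 db01 sudo:     dba1 : TTY=pts/0 ; PWD=/home/dba1 ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Jun 14 09:05:00 web01 sudo:   deploy : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Jun 14 09:05:01 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""


def run_sample():
    """Run the review over the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Over the sample, the review produces three alerts: the five-failure burst against web01 from 203.0.113.7, the password login for `deploy` from that same source twenty-five seconds later, and `deploy` opening a root shell with `sudo` without an approved entitlement. The single failure and the key-based login on db01 by `dba1`, and the `dba1` service restart, produce nothing, which is the other half of the job: rules that fire on ordinary administration get ignored within a week. The cron line is parsed as far as the syslog header and then discarded, which is how unrecognized message types should be handled rather than crashing the reviewer.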


Regulatory and Legal Compliance

  • Regulatory Awareness – Assign responsibility for monitoring applicable laws and standards (e.g., PCI DSS, HIPAA, SOX) and updating IT policies accordingly.

  • Compliance Integration – Build compliance requirements directly into IT processes, reducing after-the-fact remediation costs.

© 2025 by WestNet Consulting Services, Inc

All Rights Reserved.

WestNet has been a certified PCI-QSA company since 2015.
Headquartered in Los Angeles, we have been providing IT consulting services since 2005.
