ITGC Expected Evidence Spreadsheet

Uploaded by Eqbal Gubran

ID / Control

ITGC.1  Service Level Agreement (SLA) response time is in accordance with the SLA procedure - Service levels are defined and managed to support financial reporting system requirements.

ITGC.10.1  Access permissions review is performed periodically - User access privileges are periodically reviewed by application owners to verify that access privileges remain appropriate and that segregation of duties is maintained. The list of privileged users (so-called "super users") on application systems, databases, network and software is limited to appropriate personnel and is periodically reviewed by management. Access to financial folders and data is limited to appropriate personnel.

ITGC.10.2  CI/CD tools access restriction is reviewed - User access privileges are periodically reviewed by application owners to verify that access privileges remain appropriate and that segregation of duties is maintained. The list of privileged users (so-called "super users") on application systems, databases, network and software is limited to appropriate personnel and is periodically reviewed by management. Access to financial folders and data is limited to appropriate personnel.

ITGC.11.1  Change management meetings are held and documented - Change management projects are clearly defined and approved by management at the beginning of the project.

ITGC.11.2  Operational and security requirements are part of feature development - Change management projects are clearly defined and approved by management at the beginning of the project.

ITGC.12.1  New employee onboarding process is in place - Application owners authorize the nature and extent of new user access privileges, according to the user's job requirements.

ITGC.12.2  User access provisioning is in place - Application owners authorize the nature and extent of new user access privileges, according to the user's job requirements.

ITGC.13  Employee job function change process is in place - Application owners are notified of employees who have changed roles and responsibilities or transferred, and the access privileges of such employees are changed to reflect their new responsibilities according to company policy.

ITGC.14  Terminated employee off-boarding process is in place - Application owners are notified of employees who have been terminated, and the access privileges of such employees are disabled according to company policy.

ITGC.15  Third parties provide privacy obligations - Third-party service contracts address the risks, security controls and procedures for information systems and networks in the contract between the parties.

ITGC.16.1  Changes in software are documented - Change Management Request and Design.

ITGC.16.2  Database change management process is maintained - Change Management Request and Design.

ITGC.16.3  Development methodologies and processes are in place - Change Management Request and Design.

ITGC.17  Deployment to production is approved manually - Final approval ("go/no-go" authorization) is obtained from appropriate user management prior to the programs or systems being used in production.

ITGC.18  Permissions for approving merge requests are restricted - Controls are in place to restrict the migration of programs to production to authorized individuals only.

ITGC.19.1  QA processes are in place - Users perform acceptance testing of programs and systems in a protected environment separate from production before the acquired, developed, or modified programs or systems are implemented. Acquired, developed, and modified application systems, databases, software, and hardware are tested by IT prior to implementation.

ITGC.19.2  Security code review is performed - Users perform acceptance testing of programs and systems in a protected environment separate from production before the acquired, developed, or modified programs or systems are implemented. Acquired, developed, and modified application systems, databases, software, and hardware are tested by IT prior to implementation.

ITGC.2  Establish and maintain an information security policy - An information security policy exists and has been approved by an appropriate level of executive management.

ITGC.20  Physical access to sensitive areas is restricted - Physical access to sensitive areas is reviewed and approved by management on a periodic basis.

ITGC.21.1  Infrastructure monitoring tools and metrics are in place - IT security administration monitors and logs security activity, and identified security violations are reported to senior management.

ITGC.21.2  Security monitoring tools are in place - IT security administration monitors and logs security activity, and identified security violations are reported to senior management.

ITGC.23  Database restoration tests are performed periodically - Full system restore tests are performed at least annually on all critical systems.

ITGC.24  Databases are regularly and automatically backed up - Data retention tools have been implemented to manage the backup and retention plan and schedule according to the backup and retention policy.

ITGC.25.1  Backup and disaster recovery policy is documented and followed - Policies and procedures have been implemented to ensure that IT operations (operations, jobs, job failures, interfaces, backups, restoration) are appropriately managed. Policies are updated at least annually.

ITGC.25.2  Data retention and deletion policy is documented and followed - Policies and procedures have been implemented to ensure that IT operations (operations, jobs, job failures, interfaces, backups, restoration) are appropriately managed. Policies are updated at least annually.

ITGC.25.3  Change management policy is documented and followed - Policies and procedures have been implemented to ensure that IT operations (operations, jobs, job failures, interfaces, backups, restoration) are appropriately managed. Policies are updated at least annually. Policies and procedures exist for managing system change, acquisition, development, modification and maintenance. Policies are reviewed and updated annually.

ITGC.26  List of third-party sub-processors and a defined process to review the list on a periodic basis - A regular review of security, availability and processing integrity is performed for service level agreements and related contracts with third-party service providers.
The ITGC.3.x controls share one control objective: Security policies and procedures have been established for application systems, databases, network and communication software, and systems software. Policies are reviewed and updated at least annually. The individual controls are:

ITGC.3.1  HR security policy is documented and followed
ITGC.3.10  Physical access policy is documented and followed
ITGC.3.11  Remote access control policy is documented and followed
ITGC.3.12  SDLC policy is documented and followed
ITGC.3.13  Mobile device policy is documented and followed
ITGC.3.14  Data classification, labeling and handling policy is documented and followed
ITGC.3.15  Monitoring policy is documented and followed
ITGC.3.16  Incident response policy is documented and followed
ITGC.3.17  Data transfer policy is maintained and followed
ITGC.3.18  Data breach response policy is documented and followed
ITGC.3.2  A set of security policies and procedures is documented, maintained and published to employees
ITGC.3.3  Vendor risk management policy is documented
ITGC.3.4  Access control policy is documented and followed
ITGC.3.5  Asset management policy is documented and followed
ITGC.3.6  Encryption and key management policy is documented and followed
ITGC.3.7  Internal employees have signed an Acceptable Use Policy
ITGC.3.8  Malware detection and response policy is documented and followed
ITGC.3.9  Password policy is documented and followed
ITGC.4  Support metrics are defined and communicated - A framework is defined to establish key performance indicators to manage service level agreements, both internally and externally.

ITGC.5  Vendor/business partner risk mapping is reviewed periodically and before engagement - IT management determines that, before selection, potential third parties are properly qualified through an assessment of their capability to deliver the required service and a review of their financial viability.

ITGC.6  Strong password policy is enforced - The identity of users (both local and remote) is authenticated through passwords, in compliance with entity security policies. The use of passwords incorporates policies on periodic change, confidentiality, and password format (e.g., password length, alphanumeric content).

ITGC.7  Production and development environments are segregated - Application systems, databases, software, and hardware are developed, modified and tested in an environment separate from the production environment. Access to the development and production environments is appropriately restricted.

ITGC.8.1  Database access restriction is reviewed - Access to financial folders and data is limited to appropriate personnel.

ITGC.8.2  Access to customer personal data is restricted - Access to financial folders and data is limited to appropriate personnel.

ITGC.8.3  Source control branch access is restricted - Access to financial folders and data is limited to appropriate personnel.

ITGC.9  Production environment access permissions are restricted - Access to the development and production environments is appropriately restricted.
Expected Evidence

ITGC.1 (SLA response time is in accordance with the SLA procedure)
* Records of all customer support tickets - Customer support tickets including initial response time, urgency classification, severity level and owner, proving that the initial response time was in accordance with the SLA
* SLA procedure document - SLA procedure document defining the response time to customer issues and the uptime requirements

ITGC.10.1 (Access permissions review is performed periodically)
* Sensitive SaaS applications user list and permissions - Sensitive SaaS application user list and permissions showing that only authorized users have access to these applications
* Cloud accounts users and permissions - Cloud account users and permissions showing that only authorized users have access to production
* User access permissions review summary document - A signed document summarizing the access permissions review, including super users / privileged users, by each relevant stakeholder for the databases, production servers, CI/CD tools, SaaS and finance applications, including finance folders

ITGC.10.2 (CI/CD tools access restriction is reviewed)
* Development and CI/CD tools access permissions configuration - Access permission settings for development tools including the source control tool, change management tool and CI/CD build tool. The configuration allows only authorized users to perform administrative operations

ITGC.11.1 (Change management meetings are held and documented)
* Change management meeting minutes - Documents outlining the subjects discussed, meeting outcomes, decision logs and resulting tasks
* Change management meeting invitations - Email invitations to change management meetings

ITGC.11.2 (Operational and security requirements are part of feature development)
* Security and operational requirements considerations - Evidence that security and operational requirements are taken into consideration when a feature is developed

ITGC.12.1 (New employee onboarding process is in place)
* Onboarding checklists of employees - Sample of onboarding checklists for selected employees
* New employee checklist/material template - Onboarding checklist / material template
* Onboarding notification tickets regarding new employees sent from HR to IT - New employee onboarding notification tickets sent from HR to IT, requesting the grant of access permissions to company resources
* List of new employees - List of new employees hired during the audit period

ITGC.12.2 (User access provisioning is in place)
* Access request and provisioning ticket - Example of an access request ticket submitted by the user, approved by the manager and fulfilled by the helpdesk

ITGC.13 (Employee job function change process is in place)
* Employee job function change notification ticket - Job function change tickets sent to IT regarding employees whose job functions changed during the audit period. The tickets are to be provided from the Human Resources (HR) system or any other system used for that purpose
* List of employees whose job function changed - List of employees whose job function changed during the audit period

ITGC.14 (Terminated employee off-boarding process is in place)
* Access permission list to sensitive SaaS applications - Access permission list to SaaS applications proving that terminated employees no longer have access to these resources
* Terminated employee off-boarding checklist - Employee off-boarding checklist for terminated employees, including the off-boarding tasks to be performed for a leaving employee such as IT credential deprovisioning and equipment disposal. The completed off-boarding checklists can be gathered from the HR or ticketing system, or be provided as standalone documents, for terminated employees
* Access permission list to production environments - Active user list proving that terminated employees no longer have access to production
* Terminated employee list - List of employees terminated during the audit period

ITGC.15 (Third parties provide privacy obligations)
* Third party signed contracts and privacy compliance reports - Third-party signed contracts or compliance reports proving that third-party entities that need access to the company's private data are committed to the company's privacy requirements
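Most of the ITGC.14 and ITGC.10.1 evidence above is produced by joining two exports: the HR leaver list against each system's active-user list, and each system's privileged users against the list management has approved. The script below is an added example (not part of the original spreadsheet) of that reconciliation. It assumes the reviewer has already exported the three lists into the dict shapes shown; the employees, systems and dates are constructed for illustration. Beyond the bare "is the leaver still active" check, it records whether the account was used after the termination date, which is the fact that turns a deprovisioning delay into a potential incident, and it normalises email case so that a mixed-case IdP export does not hide a match.

```python
"""Access reconciliation for ITGC.14 / ITGC.10.1 evidence (added example).

Assumes three exports: (1) HR leavers with termination date, (2) active
users per in-scope system with a privileged flag and last-login date,
(3) the management-approved list of privileged users per system.
All data below is constructed.
"""
from datetime import date

# Constructed HR export: leavers and their termination date.
TERMINATED = [
    {"email": "j.doe@example.com", "terminated_on": date(2024, 3, 1)},
    {"email": "a.lee@example.com", "terminated_on": date(2024, 3, 15)},
]

# Constructed active-user exports keyed by system, as of AS_OF.
AS_OF = date(2024, 3, 31)
ACTIVE_USERS = {
    "aws-prod": [
        {"email": "J.Doe@example.com", "privileged": True, "last_login": date(2024, 3, 4)},
        {"email": "m.khan@example.com", "privileged": True, "last_login": date(2024, 3, 20)},
        {"email": "s.wu@example.com", "privileged": False, "last_login": date(2024, 3, 19)},
    ],
    "github": [
        {"email": "a.lee@example.com", "privileged": False, "last_login": date(2024, 3, 10)},
        {"email": "m.khan@example.com", "privileged": True, "last_login": date(2024, 3, 18)},
    ],
    "netsuite": [
        {"email": "s.wu@example.com", "privileged": True, "last_login": date(2024, 3, 19)},
    ],
}

# Constructed list of personnel approved by management for privileged access.
APPROVED_PRIVILEGED = {
    "aws-prod": {"m.khan@example.com"},
    "github": {"m.khan@example.com"},
    "netsuite": set(),
}


def orphaned_accounts(terminated, active_users, as_of, grace_days=1):
    """Accounts still active more than `grace_days` after the owner's termination.

    Each finding records whether the account was used after the termination
    date; a post-termination login is an incident, not just a late ticket.
    """
    term_by_email = {t["email"].lower(): t["terminated_on"] for t in terminated}
    findings = []
    for system, users in active_users.items():
        for user in users:
            term_date = term_by_email.get(user["email"].lower())
            if term_date is None:
                continue
            days_open = (as_of - term_date).days
            if days_open <= grace_days:
                continue
            findings.append({
                "system": system,
                "email": user["email"].lower(),
                "terminated_on": term_date,
                "days_open": days_open,
                "used_after_termination": user["last_login"] > term_date,
            })
    return findings


def unapproved_privileged(active_users, approved):
    """Privileged ("super user") accounts absent from the management-approved list."""
    findings = []
    for system, users in active_users.items():
        allowed = {e.lower() for e in approved.get(system, set())}
        for user in users:
            if user["privileged"] and user["email"].lower() not in allowed:
                findings.append((system, user["email"].lower()))
    return findings


def review_summary(terminated=TERMINATED, active_users=ACTIVE_USERS,
                   approved=APPROVED_PRIVILEGED, as_of=AS_OF):
    """Raw findings for the workpaper plus the exception count a reviewer signs off on."""
    orphans = orphaned_accounts(terminated, active_users, as_of)
    privileged = unapproved_privileged(active_users, approved)
    return {
        "orphaned_accounts": orphans,
        "unapproved_privileged": privileged,
        "exceptions": len(orphans) + len(privileged),
    }


if __name__ == "__main__":
    for finding in review_summary()["orphaned_accounts"]:
        print(finding)
```

With the constructed data the report flags two orphaned accounts (j.doe in aws-prod, used three days after termination; a.lee in github, unused since leaving) and two privileged accounts with no management approval (j.doe in aws-prod, s.wu in netsuite), four exceptions in total. The signed review summary the control asks for is then a matter of recording the disposition of each line.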

ITGC.16.1 (Changes in software are documented)
* Change management closed tickets - List of software development tickets closed during the audit period
* Linked tickets and pull requests - Log of change documentation tickets in the change management tool and their linkage to pull requests in the source control tool
* SDLC workflow - SDLC workflow from the change management tool showing the flow of software development processes in the company

ITGC.16.2 (Database change management process is maintained)
* Database change scripts - Scripts responsible for applying database changes

ITGC.16.3 (Development methodologies and processes are in place)
* Product feature backlog - Product feature backlog listing planned features and their prioritization

ITGC.17 (Deployment to production is approved manually)
* CI/CD tool configuration - Configuration of the CI/CD tool that requires a manual approval step before a new version is deployed to production

ITGC.18 (Permissions for approving merge requests are restricted)
* List of users with approval permissions - List of users with permission to approve pull request merges

ITGC.19.1 (QA processes are in place)
* Automatic and manual test results - Logs of automatic acceptance test runs and their results from the CI/CD tool, proving that every build has gone through acceptance testing and was halted when tests failed, or a manual log of tests and their results
* Configuration of automatic test enforcement - Configuration enforcing automatic tests for every build, including failing the build when tests fail

ITGC.19.2 (Security code review is performed)
* Source code vulnerability scan report - Source code vulnerability scan reports presenting the issues found
* Source code vulnerability scan configuration - Configuration of the source code vulnerability scanner

ITGC.2 (Establish and maintain an information security policy)
* Information security policy document - Information security policy document outlining the company's information security program

ITGC.20 (Physical access to sensitive areas is restricted)
* Unauthorized access attempts are notified - Unauthorized access attempts are notified by email to the security team
* List of users who have access to sensitive areas - User list of personnel with access to sensitive areas

ITGC.21.1 (Infrastructure monitoring tools and metrics are in place)
* Infrastructure monitoring alerts - Infrastructure monitoring alerts sent to the relevant stakeholders
* Infrastructure monitoring tool dashboard report - Dashboard report proving the existence of a dedicated monitoring tool
* Application logging is configured multi-region - Application logging operates in all infrastructure regions to ensure monitoring and metrics coverage
* Servers have monitoring configuration enabled - Servers have monitoring enabled for event and metric collection
* Audit trail logging is configured multi-region and cross-account - Audit trail logging operates in all infrastructure regions and accounts to ensure monitoring coverage
* Audit logs configuration - User audit trail activity configuration for the environment's services and resources
* Infrastructure monitoring metrics - Infrastructure monitoring metrics (CPU, storage, performance)
* Infrastructure monitoring alert rules configuration - Monitoring tool configuration of predefined rules for alerts sent to the relevant stakeholders
* Load balancers have access logs enabled - Load balancer access logging is enabled to record network access and provide access control visibility
* Audit trail triggered alerts listing sample - Sample of alerts triggered from user audit logs upon identification of an anomaly, showing that alerts are defined and reviewed
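The "audit trail logging is configured multi-region and cross-account" item is the one most often satisfied with a screenshot of a single trail. A trail only proves coverage for the regions and accounts it actually records, and only while it is logging. The script below is an added example (not from the original spreadsheet) of turning the raw configuration into a coverage statement: it takes the shape of AWS CloudTrail `describe-trails` and `get-trail-status` output plus an inventory of which regions each account really uses, and reports the regions with no active trail, trails that have been stopped, and trails without log file validation. The account ids, trail names, regions and the organization membership map are constructed.

```python
"""CloudTrail coverage check for the ITGC.21.1 audit-trail item (added example).

Input shapes follow `aws cloudtrail describe-trails` / `get-trail-status`;
everything below is constructed for illustration.
"""

# Constructed describe-trails output (one list across the accounts in scope).
TRAILS = [
    {"Name": "mgmt-all-regions",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/mgmt-all-regions",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": False, "LogFileValidationEnabled": True},
    {"Name": "legacy-eu",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:222222222222:trail/legacy-eu",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "LogFileValidationEnabled": False},
    {"Name": "apse-local",
     "TrailARN": "arn:aws:cloudtrail:ap-southeast-1:333333333333:trail/apse-local",
     "HomeRegion": "ap-southeast-1", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "LogFileValidationEnabled": True},
]

# Constructed get-trail-status results keyed by trail ARN.
TRAIL_STATUS = {
    TRAILS[0]["TrailARN"]: {"IsLogging": True},
    TRAILS[1]["TrailARN"]: {"IsLogging": True},
    TRAILS[2]["TrailARN"]: {"IsLogging": False},
}

# Constructed inventory: regions in which each account actually has resources.
REGIONS_IN_USE = {
    "111111111111": {"us-east-1", "eu-west-1"},
    "222222222222": {"eu-west-1", "us-west-2"},
    "333333333333": {"ap-southeast-1"},
}

# Constructed organization map: management account -> member accounts.
ORG_MEMBERS = {"111111111111": ["222222222222", "333333333333"]}


def account_of(trail_arn):
    """Owning account id is the fifth field of the ARN."""
    return trail_arn.split(":")[4]


def coverage_report(trails, status, regions_in_use, org_members=ORG_MEMBERS):
    """Regions per account with no active trail, plus trail-level weaknesses.

    A trail contributes coverage only if it is currently logging. A
    multi-region trail covers every region of the accounts it applies to;
    a single-region trail covers only its home region. An organization
    trail created in the management account also covers the members.
    """
    covered = {acct: set() for acct in regions_in_use}
    not_logging, no_validation = [], []
    for trail in trails:
        if not trail.get("LogFileValidationEnabled"):
            no_validation.append(trail["Name"])
        if not status.get(trail["TrailARN"], {}).get("IsLogging"):
            not_logging.append(trail["Name"])
            continue  # a stopped trail covers nothing
        owner = account_of(trail["TrailARN"])
        accounts = [owner]
        if trail.get("IsOrganizationTrail"):
            accounts += org_members.get(owner, [])
        for acct in accounts:
            if acct not in covered:
                continue
            if trail.get("IsMultiRegionTrail"):
                covered[acct] |= regions_in_use[acct]
            else:
                covered[acct].add(trail["HomeRegion"])
    gaps = {acct: sorted(regions_in_use[acct] - covered[acct]) for acct in regions_in_use}
    return {"gaps": gaps, "not_logging": not_logging, "no_validation": no_validation}


def report_with_org_trail():
    """Same data, but with the management-account trail promoted to an organization trail."""
    trails = [dict(TRAILS[0], IsOrganizationTrail=True)] + TRAILS[1:]
    return coverage_report(trails, TRAIL_STATUS, REGIONS_IN_USE)


if __name__ == "__main__":
    print(coverage_report(TRAILS, TRAIL_STATUS, REGIONS_IN_USE))
```

On the constructed data the management account is fully covered, account 222222222222 has no trail in us-west-2, and account 333333333333 has no coverage at all because its only trail is stopped; legacy-eu also lacks log file validation. Promoting the management account's multi-region trail to an organization trail closes every regional gap, which is the configuration the "cross-account" wording of the evidence item is really asking for.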

ITGC.21.2 (Security monitoring tools are in place)
* Security monitoring alerts - Security monitoring tool alerts sent to the relevant stakeholders
* Security monitoring tool dashboard report - Dashboard report proving the existence of a dedicated security monitoring tool
* Security monitoring tool alert rules configuration - Monitoring tool configuration of predefined rules for alerts sent to the relevant stakeholders

ITGC.23 (Database restoration tests are performed periodically)
* Database backup restoration results - Results showing a successful database backup restoration

ITGC.24 (Databases are regularly and automatically backed up)
* Database backup list - Database backup list showing that backups are performed regularly
* Database automatic backup schedule configuration - Configuration of automatic database backups in the production environment, including backup schedule and data retention

ITGC.25.1 (Backup and disaster recovery policy is documented and followed)
* Backup and disaster recovery policy document - Backup and disaster recovery policy document detailing the company's data backup and disaster recovery plan
* Disaster Recovery (DR) drill documentation - Documentation of the disaster recovery process performed to fully restore the production environment, including production databases and servers. It should include the steps taken to fully restore the environment, including the commands or scripts that were run, and show that after completing the recovery the database and server status is available/running

ITGC.25.2 (Data retention and deletion policy is documented and followed)
* Data Retention and Deletion Policy - Data retention and deletion policy outlining how long information (with emphasis on personal data) must be kept and how to dispose of it when it is no longer needed

ITGC.25.3 (Change management policy is documented and followed)
* Change management policy document - Change management policy document outlining how the organization designs, handles and carries out changes to the organization, infrastructure, product and software

ITGC.26 (List of third-party sub-processors and periodic review)
* Sub-processor list - Sub-processor list

ITGC.3.1 (HR security policy is documented and followed)
* Business roadmap meeting minutes - Sample of business roadmap meeting minutes
* Business roadmap meeting invitations - Email invitations to business roadmap meetings

ITGC.3.10 (Physical access policy is documented and followed)
* Physical security policy - Physical security policy outlining the physical security measures that prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. The policy should include a clear desk and clear screen policy

ITGC.3.11 (Remote access control policy)
* Remote access control policy - Remote access control policy outlining and defining the acceptable methods of remotely connecting to the internal network

ITGC.3.12 (SDLC policy is documented and followed)
* SDLC policy document - SDLC policy document outlining the company's strategic direction for software development processes, including secure software development

ITGC.3.13 (Mobile device policy is documented and followed)
* Mobile device policy - Mobile device policy

ITGC.3.14 (Data classification, labeling and handling policy is documented and followed)
* Document classification example - A sample of document classification with inherent / watermark labeling
* Data classification and handling policy document - A data classification and handling policy outlining a framework for classifying and handling data to ensure that the appropriate degree of protection is applied to all data held by the organization

ITGC.3.15 (Monitoring policy is documented and followed)
* Monitoring and audit policy document - Monitoring and audit policy document defining the company's strategic direction for business monitoring and internal audit

ITGC.3.16 (Incident response policy is documented and followed)
* Incident response policy document - Incident response policy document defining how the company and its personnel evaluate, escalate and resolve security incidents

ITGC.3.17 (Data transfer policy is maintained and followed)
* Data Transfer Policy - Data transfer policy outlining the guidelines for transporting physical or digital media

ITGC.3.18 (Data breach response policy is documented and followed)
* Data Breach Policy - Data breach policy

ITGC.3.2 (Set of security policies and procedures is documented, maintained and published)
* Set of signed information security policies and procedures - Set of signed information security policies and procedures available to employees
* A link to the policies and procedures in the internal portal - A link to the internal portal showing that the policies are available to all company employees

ITGC.3.3 (Vendor risk management policy is documented)
* Vendor risk management policy document - Vendor risk management policy document defining how the company evaluates, engages and provisions new and existing vendors

ITGC.3.4 (Access control policy is documented and followed)
* Access control policy - Access control policy outlining how the company designs and manages access controls

ITGC.3.5 (Asset management policy is documented and followed)
* Asset management policy - Asset management policy outlining the process of receiving, tagging, documenting and eventually disposing of the organization's main assets and resources, including the ownership of these assets

ITGC.3.6 (Encryption and key management policy is documented and followed)
* Encryption policy - Encryption policy outlining the organization's management approach to the use of cryptographic controls, including key management, across the organization's resources and information

ITGC.3.7 (Internal employees have signed an Acceptable Use Policy)
* Acceptable use policy - A document outlining the expected behavior of employees towards different entities

ITGC.3.8 (Malware detection and response policy)
* Malware detection and response policy - A malware detection and response policy outlining the principles to prevent malware from entering the company environment, to identify and report malware or suspected malware attacks, and to define the appropriate actions to eliminate and recover from malware-related incidents

ITGC.3.9 (Password policy is documented and followed)
* Password policy document - Password policy outlining how the company designs and manages passwords

ITGC.4 (Support metrics are defined and communicated)
* Support metrics dashboard report - Support metrics dashboard report taken from the support software
* Support metrics report notification - A notification with the support metrics report sent to the relevant stakeholders

ITGC.5 (Vendor/business partner risk mapping is reviewed periodically and before engagement)
* Vendor risk assessment documentation - Vendor risk assessment reports and documentation for current and new vendors, including documentation of their compliance reports (SOC 2, etc.) and controls

ITGC.6 (Strong password policy is enforced)
* Sensitive SaaS tools' password policy configuration - Password policy configurations for sensitive SaaS tools proving that a strong password policy is enforced
* Cloud accounts password policy configuration - Password policy configurations for the cloud providers proving that a strong password policy is enforced

ITGC.7 (Production and development environments are segregated)
* PII is used only in production environments - PII is used only in the production environment, so that it is not exposed in lower environments to unauthorized access. Exceptions, when necessary, should be strictly limited, defined and controlled, and the data deleted after use
* Cloud accounts users and permissions - Cloud account users and permissions showing that only authorized users have access to production
* Test data is removed before the system goes to production - Test data may reveal information about the functioning of an application or system and is an easy target for unauthorized individuals to exploit in order to gain access to systems. Possession of such information could facilitate the compromise of the system and related account data

ITGC.8.1 (Database access restriction is reviewed)
* Database access configuration and permissions - Database user list and permissions proving that only authorized users have access to the database
* Databases are not publicly accessible - Databases are configured to deny access from external networks and to allow only access originating from the private network
* Databases are configured with IAM authentication - Databases are configured with IAM authentication, linking IAM users and roles to database access

ITGC.8.2 (Access to customer personal data is restricted)
* Consent is obtained from end users - Consent obtained from the end user prior to collection or disclosure of personal information to third-party sub-processors
* Change of subcontractor PII processor - Where general written authorization exists, the customer is informed of any intended changes concerning the addition or replacement of subcontractors processing PII, giving the customer the opportunity to object to such changes

ITGC.8.3 (Source control branch access is restricted)
* Production branches are protected - Production branches are protected in the source control tool
* Source control branch access permissions - Access permission settings for production-related branches

ITGC.9 (Production environment access permissions are restricted)
* IAM policies are attached only to groups or roles - Users have no IAM policies attached directly; they inherit policies from groups and roles
* Users have no IAM policies that allow full administrative privileges - No user holds an IAM policy granting full administrative privileges, to reduce the attack surface and conform to the least privilege principle
* Cloud accounts users and permissions - Cloud account users and permissions showing that only authorized users have access to production
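The two IAM items under ITGC.9 can be checked mechanically from a single export rather than from console screenshots. The script below is an added example (not from the original spreadsheet) that evaluates the JSON shape returned by `aws iam get-account-authorization-details`: it lists every user carrying a directly attached managed policy or an inline policy, and every user who is a full administrator either directly or through a group. "Full administrator" is taken in AWS's own sense of an Allow statement with Action `*` on Resource `*`; broad-but-not-total grants such as `iam:*` or Allow statements using `NotAction` are not caught by this test and need a separate review. The account id, user names and policies are constructed.

```python
"""Least-privilege checks over an IAM authorization export (added example, ITGC.9).

Input follows the shape of `aws iam get-account-authorization-details`.
All names, the account id and the policies below are constructed.
"""
import json
import urllib.parse

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
DEV_ARN = "arn:aws:iam::123456789012:policy/DevReadOnly"
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

AUTH_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["admins"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        {"UserName": "bob", "GroupList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_ARN}],
         "UserPolicyList": []},
        {"UserName": "carol", "GroupList": ["developers"], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "s3-read", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                            "Resource": "arn:aws:s3:::finance-reports/*"}]}}]},
    ],
    "GroupDetailList": [
        {"GroupName": "admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_ARN}]},
        {"GroupName": "developers", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "DevReadOnly", "PolicyArn": DEV_ARN}]},
    ],
    "Policies": [
        {"PolicyName": "AdministratorAccess", "Arn": ADMIN_ARN,
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": ADMIN_DOC}]},
        {"PolicyName": "DevReadOnly", "Arn": DEV_ARN,
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}}]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _document(doc):
    """Policy documents may arrive URL-encoded as strings; normalise to a dict."""
    return json.loads(urllib.parse.unquote(doc)) if isinstance(doc, str) else doc


def is_full_admin(document):
    """True if any Allow statement grants Action "*" on Resource "*".

    Caveat: NotAction allows and service-wide wildcards such as "iam:*"
    are broad but not full admin by this definition; review them separately.
    """
    for stmt in _as_list(_document(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def managed_policy_documents(details):
    """Map policy ARN -> the default (active) version's document."""
    docs = {}
    for pol in details.get("Policies", []):
        for version in pol.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                docs[pol["Arn"]] = version["Document"]
    return docs


def direct_attachments(details):
    """Users with policies attached directly instead of via a group or role."""
    findings = []
    for user in details.get("UserDetailList", []):
        for pol in user.get("AttachedManagedPolicies", []):
            findings.append((user["UserName"], pol["PolicyName"], "managed"))
        for pol in user.get("UserPolicyList", []):
            findings.append((user["UserName"], pol["PolicyName"], "inline"))
    return findings


def full_admin_users(details):
    """Users who are full admins directly or through a group, with the granting source."""
    docs = managed_policy_documents(details)
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    findings = []
    for user in details.get("UserDetailList", []):
        # (label, policy holder, key under which the holder's inline policies live)
        holders = [("user", user, "UserPolicyList")]
        holders += [("group:" + g, groups[g], "GroupPolicyList")
                    for g in user.get("GroupList", []) if g in groups]
        for label, holder, inline_key in holders:
            for pol in holder.get("AttachedManagedPolicies", []):
                if is_full_admin(docs.get(pol["PolicyArn"], {})):
                    findings.append((user["UserName"], label + "/" + pol["PolicyName"]))
            for pol in holder.get(inline_key, []):
                if is_full_admin(pol["PolicyDocument"]):
                    findings.append((user["UserName"], label + "/" + pol["PolicyName"]))
    return sorted(findings)


def evaluate(details=AUTH_DETAILS):
    return {"direct_attachments": direct_attachments(details),
            "full_admin_users": full_admin_users(details)}


if __name__ == "__main__":
    print(json.dumps(evaluate(), indent=2))
```

Against the constructed export, bob fails both items (AdministratorAccess attached directly to the user) and carol fails the first (an inline policy, even though it is narrowly scoped), while alice passes the attachment check but is still a full administrator through the admins group. That last case is why the second evidence item must be evaluated through group membership and not only from the per-user attachment list.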
ID | Standard Hierarchy | Frequency

ITGC.1 | Computer Operations and Access to Programs and Data > Define and Manage Service Level | Ongoing
ITGC.10.1 | Information Security > User Access Review, Super user access, Sensitive Data Access | Quarterly
ITGC.10.2 | Information Security > User Access Review, Super user access, Sensitive Data Access | Ongoing
ITGC.11.1 | Program Development and Program Change > Change Management Request and Design | Ongoing
ITGC.11.2 | Program Development and Program Change > Change Management Request and Design | Ongoing
ITGC.12.1 | Information Security > New User Creation | Ongoing
ITGC.12.2 | Information Security > New User Creation | Ongoing
ITGC.13 | Information Security > User Access Change | Ongoing
ITGC.14 | Information Security > User Termination | Ongoing
ITGC.15 | Computer Operations and Access to Programs and Data > Manage Third Party Services | Ongoing
ITGC.16.1 | Program Development and Program Change > Change Management Request and Design | Ongoing
ITGC.16.2 | Change Management > Change Management Request and Design | Ongoing
ITGC.16.3 | Change Management > Change Management Request and Design | Ongoing
ITGC.17 | Change Management > "Go/No-Go" Authorization | Ongoing
ITGC.18 | Program Development and Program Change > Manage changes | Ongoing
ITGC.19.1 | Program Development and Program Change > Unit and acceptance testing | Ongoing
ITGC.19.2 | Program Development and Program Change > Unit and acceptance testing | Ongoing
ITGC.2 | Information Security > Information Security Policies | Annually
ITGC.20 | Data Center and Network Operations > Physical Access | Ongoing
ITGC.21.1 | Computer Operations and Access to Programs and Data > Ensure Systems Security | Ongoing
ITGC.21.2 | Computer Operations and Access to Programs and Data > Ensure Systems Security | Ongoing
ITGC.23 | Data Center and Network Operations > Data/System Restoration | Annually
ITGC.24 | Data Center and Network Operations > Backup Management | Daily
ITGC.25.1 | Data Center and Network Operations > Operation Policies | Annually
ITGC.25.2 | Data Center and Network Operations > Operation Policies | Ongoing
ITGC.25.3 | Program Development and Program Change > Operation Policies; Change Management Policies | Ongoing
ITGC.26 | Computer Operations and Access to Programs and Data > Manage Third Party Services | Ongoing
ITGC.3.1 | Information Security > Information Security Policies | Ongoing
ITGC.3.10 | Information Security > Information Security Policies | Ongoing
ITGC.3.11 | Information Security > Information Security Policies | Ongoing
ITGC.3.12 | Information Security > Information Security Policies | Annually
ITGC.3.13 | Information Security > Information Security Policies | Ongoing
ITGC.3.14 | Information Security > Information Security Policies | Ongoing
ITGC.3.15 | Information Security > Information Security Policies | Ongoing
ITGC.3.16 | Information Security > Information Security Policies | Ongoing
ITGC.3.17 | Information Security > Information Security Policies | Ongoing
ITGC.3.18 | Information Security > Information Security Policies | Ongoing
ITGC.3.2 | Information Security > Information Security Policies | Annually
ITGC.3.3 | Information Security > Information Security Policies | Ongoing
ITGC.3.4 | Information Security > Information Security Policies | Ongoing
ITGC.3.5 | Information Security > Information Security Policies | Ongoing
ITGC.3.6 | Information Security > Information Security Policies | Ongoing
ITGC.3.7 | Information Security > Information Security Policies | Ongoing
ITGC.3.8 | Information Security > Information Security Policies | Ongoing
ITGC.3.9 | Information Security > Information Security Policies | Ongoing
ITGC.4 | Computer Operations and Access to Programs and Data > Define and Manage Service Level | Ongoing
ITGC.5 | Computer Operations and Access to Programs and Data > Manage Third Party Services | Annually
ITGC.6 | Information Security > Password Policies | Ongoing
ITGC.7 | Program Development and Program Change > Separation of Environments; Segregation of Duties (SoD) | Ongoing
ITGC.8.1 | Information Security > Sensitive Data Access | Ongoing
ITGC.8.2 | Information Security > Sensitive Data Access | Ongoing
ITGC.8.3 | Information Security > Sensitive Data Access | Ongoing
ITGC.9 | Program Development and Program Change > Segregation of Duties (SoD) | Ongoing