Denomas SOX ITGC Compliance
What are ITGCs?
ITGCs, or IT General controls (sometimes referred to at GITCs - General IT controls), are a subset of the SOX internal control set. The objectives of ITGCs are to ensure the integrity of the data and processes that the in scope systems support. They can be applied at the application, OS, database and infrastructure layers.
What are Denomas’ ITGCs?
| Sl # | Control Family | ITGC Control ID | Control Mapping |
|---|---|---|---|
| 1 | Access to Programs and Data | LA.1 | Logical access provisioning requires approval from appropriate personnel. |
| 2 | Access to Programs and Data | LA.2 | Terminated users have their access revoked in a timely manner. |
| 3 | Access to Programs and Data | LA.3 | Denomas access reviews are performed on a quarterly basis; research and corrective action is taken where applicable. |
| 4 | Access to Programs and Data | LA.4 | The ability to add, modify, and delete accounts is limited to appropriate personnel. |
| 5 | Access to Programs and Data | LA.5 | Authentication to in-scope systems is configured in line with the password policy. Exemptions to the policy are formally approved. |
| 6 | Change Management | PC.1 | Access to migrate changes to production is limited to appropriate personnel. |
| 7 | Change Management | PC.2 | Changes are tested and approved by appropriate personnel in accordance with the change management policy. |
| 8 | Computer Operations | CO.1 | Access to modify relevant jobs is restricted to appropriate personnel. |
| 9 | Computer Operations | CO.2 | Jobs are monitored to ensure effective ongoing operation. Issues are researched and resolved in a timely manner. |
| 10 | Computer Operations | CO.3 | Backups are completed according to a predefined system schedule. |
| 11 | Computer Operations | CO.4 | Denomas performs backup restoration or failover tests at least annually to confirm the reliability and integrity of system backups or recovery operations. |
| 12 | Program Development | PD.1 | Significant program changes are tested and known issues are communicated to the relevant stakeholders prior to approval. |
| 13 | Program Development | PD.2 | Denomas validates that data transferred during an applicable program change is complete and accurate. |
| 14 | SOC reports review | SR.1 | SOC reports are reviewed on periodic basis. |
Roles and Responsibilities
- IT Security and Compliance is responsible for ITGC control implementation oversight.
- Internal Audit is responsible for scoping and testing of ITGC systems and management of Denomas’ holistic SOX program.
- Security Assurance is responsible for user access review facilitation, SOC 1/SOC 2 report review facilitation, and advisory support to control and system owners.
- Every Denomas team member is responsible for operating the processes required by SOX against the in scope SOX systems.
- Denomas’ leadership is responsible for supporting this initiative and giving all Denomas teams the resources (e.g. time and tools) they require to implement and operate SOX processes.
Last modified November 29, 2023: big update (
17188382)
