General IT Controls
The next type of general control is the logical control. Logical controls govern how someone gains access to the system (i.e., how they log in), as opposed to physical access to the hardware. Remember, logical means logging in. An organization wants to ensure that only authorized individuals can access the system, and that is the purpose of logical controls.
An aspect of logical controls is ensuring that employees are properly set up in the IT system. For instance, when a low-level employee is hired, the organization needs to ensure their credentials only give them access to low-level files. Once someone is promoted, their permissions need to be updated. Similarly, when someone is terminated, their permissions need to be removed.
Types of access can include create access, where someone can create a new document; read-only access, where they can read but not change a document; update access, which allows them to edit the document; and delete access, which permits them to delete the document.
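The account lifecycle from the two paragraphs above (provision on hire, change on promotion, remove on termination) and the four access types can be shown together in a small role-based model. The following Go program is an added example, not code from the original material; the role names, the in-memory directory and the permissions attached to each role are constructed for illustration. Note that promotion replaces the role rather than adding to it, and termination disables the account so every later check fails.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is one of the four access types: create, read, update, delete.
type Permission int

const (
	Create Permission = iota
	Read
	Update
	Delete
)

// Role names and the permissions attached to them are constructed for this example.
var rolePermissions = map[string]map[Permission]bool{
	"clerk":   {Read: true},
	"analyst": {Create: true, Read: true, Update: true},
	"manager": {Create: true, Read: true, Update: true, Delete: true},
}

// Account is the record the IT system keeps for an employee.
type Account struct {
	Role   string
	Active bool
}

// Directory maps usernames to accounts (an in-memory stand-in for a real identity store).
type Directory map[string]*Account

var (
	ErrUnknownRole = errors.New("unknown role")
	ErrNoAccount   = errors.New("no such account")
)

// Hire provisions a new account with exactly the role requested and nothing more.
func (d Directory) Hire(user, role string) error {
	if _, ok := rolePermissions[role]; !ok {
		return ErrUnknownRole
	}
	d[user] = &Account{Role: role, Active: true}
	return nil
}

// Promote replaces the role rather than adding to it, so permissions from the
// old role do not linger alongside the new ones.
func (d Directory) Promote(user, newRole string) error {
	a, ok := d[user]
	if !ok {
		return ErrNoAccount
	}
	if _, ok := rolePermissions[newRole]; !ok {
		return ErrUnknownRole
	}
	a.Role = newRole
	return nil
}

// Terminate disables the account; every permission check then fails.
func (d Directory) Terminate(user string) error {
	a, ok := d[user]
	if !ok {
		return ErrNoAccount
	}
	a.Active = false
	return nil
}

// Can answers the question every logical control ultimately asks:
// may this user perform this action right now?
func (d Directory) Can(user string, p Permission) bool {
	a, ok := d[user]
	if !ok || !a.Active {
		return false
	}
	return rolePermissions[a.Role][p]
}

func main() {
	dir := Directory{}
	_ = dir.Hire("alice", "clerk")
	fmt.Println("clerk can delete:", dir.Can("alice", Delete)) // false
	_ = dir.Promote("alice", "manager")
	fmt.Println("manager can delete:", dir.Can("alice", Delete)) // true
	_ = dir.Terminate("alice")
	fmt.Println("terminated can read:", dir.Can("alice", Read)) // false
}
```

A periodic access review would walk the directory and compare each account's role against the HR system, which is how stale permissions from a missed promotion or termination get caught.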
One type of logical control is a firewall, which controls incoming and outgoing network traffic. For example, a firewall detects when an unauthorized source is trying to reach the system and blocks that connection. Another type of logical control is encryption, which is the process of converting data into an unreadable form so that it cannot be understood if it is intercepted.
Let’s say a customer purchases a product from your website. They enter their credit card information, which is then sent to the credit card company for processing. While the credit card information is in transit from your network to the credit card company, it is vulnerable to interception, which is why the information should be encrypted.
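What "encrypted in transit" looks like at the byte level, as an added Go example (not code from the original material): the sender seals the card data with an authenticated cipher, an eavesdropper sees only random-looking bytes, and the receiver refuses any message that was altered on the way. The key is generated locally here purely to keep the example self-contained; in real web traffic it would be agreed during the TLS handshake. The sample card payload is constructed and is not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. Assumption for this example: in practice
// the key comes from a key exchange such as the TLS handshake, not from here.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// The tag lets the receiver detect any change made while the message was in transit.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce per
	// message is fine for the handful of messages in this example.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the message was truncated or
// tampered with, so corrupted card data is never silently accepted.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := NewKey()
	// Constructed sample payload; not a real card number.
	card := []byte(`{"pan":"4111111111111111","exp":"12/29"}`)
	msg, _ := Seal(key, card)
	fmt.Println("on the wire:", hex.EncodeToString(msg)) // unreadable to an eavesdropper
	msg[len(msg)-1] ^= 0x01                              // flip one bit in transit
	_, err := Open(key, msg)
	fmt.Println("tampered message rejected:", err != nil) // true
}
```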
Another significant IT security tool is the Virtual Private Network (VPN). This is an encrypted communication tunnel that allows remote users to access the company’s network. For example, if an employee is working from home, a VPN provides a private tunnel, so that someone who gets onto the employee’s home network cannot read or tamper with the traffic passing through it.
Next, there is multi-factor authentication (MFA), which requires someone to do more than merely enter a password to gain access to a system. For example, after entering their password, they receive a text on their phone with a login code, which they then have to enter into the system to log in. This process helps prevent someone from wrongfully accessing a system with only a stolen or guessed password.
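The server side of the texted login code described above, as an added Go example that is not part of the original material. The code is issued only after the password has been accepted, expires after a few minutes, is accepted exactly once, and is abandoned after a few wrong guesses; the clock is passed in so the expiry logic can be exercised without waiting. The lifetime, attempt limit and user names are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// Constructed policy values for this example.
const (
	codeLifetime = 5 * time.Minute
	maxAttempts  = 3
)

// pendingCode is what the server remembers between sending the code and the user typing it in.
type pendingCode struct {
	code     string
	expires  time.Time
	attempts int
}

// Verifier holds outstanding codes per user.
type Verifier struct {
	pending map[string]*pendingCode
}

func NewVerifier() *Verifier { return &Verifier{pending: map[string]*pendingCode{}} }

// Issue generates a fresh six-digit code for user after their password has been
// accepted. It is returned so the caller can deliver it (for example, by SMS).
func (v *Verifier) Issue(user string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.pending[user] = &pendingCode{code: code, expires: now.Add(codeLifetime)}
	return code, nil
}

// Verify accepts the code only once, only before it expires, and only for a
// few attempts, so a guessed, stale or replayed code does not get someone in.
func (v *Verifier) Verify(user, code string, now time.Time) bool {
	p, ok := v.pending[user]
	if !ok {
		return false
	}
	if now.After(p.expires) {
		delete(v.pending, user)
		return false
	}
	p.attempts++
	if p.attempts > maxAttempts {
		delete(v.pending, user)
		return false
	}
	// Constant-time comparison so timing does not leak how many digits matched.
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) != 1 {
		return false
	}
	delete(v.pending, user) // single use: the same code cannot be replayed
	return true
}

func main() {
	v := NewVerifier()
	now := time.Now()
	code, _ := v.Issue("alice", now)
	fmt.Println("first use accepted:", v.Verify("alice", code, now))  // true
	fmt.Println("replay accepted:   ", v.Verify("alice", code, now)) // false
}
```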
The next logical control is called a digital signature. A digital signature differs from an e-signature. A digital signature is a cryptographic message used to validate the authenticity of a document and to indicate that no changes have been made. Think of it as electronic fingerprints. It demonstrates who has actually accessed the document.
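The two properties the paragraph above attributes to a digital signature, that the document is authentic and that it has not been changed, can be checked directly. This is an added Go example using Ed25519 from the standard library, not code from the original material; the signer name and the sample contract text are constructed. Verification succeeds only for the exact bytes that were signed and only against the public key that matches the private key used to sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Signer holds a signing key pair. Only the public key is shared; the private
// key is what ties a signature to this particular signer.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces the digital signature over the document's bytes.
func (s *Signer) Sign(doc []byte) []byte {
	return ed25519.Sign(s.private, doc)
}

// Verify checks a signature against a signer's public key. It returns true only
// if the document is byte-for-byte what was signed and the signature was made
// with the matching private key. Length checks come first because the library
// panics on a malformed key.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	alice, _ := NewSigner()
	contract := []byte("Pay vendor 1,000.00 on receipt.") // constructed sample document
	sig := alice.Sign(contract)
	fmt.Println("signature:", hex.EncodeToString(sig)[:16]+"...")
	fmt.Println("original verifies:", Verify(alice.Public, contract, sig)) // true
	altered := []byte("Pay vendor 10,000.00 on receipt.")
	fmt.Println("altered verifies: ", Verify(alice.Public, altered, sig)) // false
}
```

This is the difference from an e-signature: the signature value is mathematically bound to both the signer's key and the document contents, so a change of even one character after signing is detectable by anyone holding the public key.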
Next, we have an e-signature, which is simply when someone electronically signs a document.
Lastly, let’s discuss passwords. Passwords are a crucial part of logical controls. The longer and more complex a password is, the more effective it will be at preventing unauthorized access to an account. Passwords should also be changed regularly.