COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
The following points of focus highlight important characteristics relating to this principle:
- Determines Dependency between the Use of Technology in Business Processes and Technology General Controls—Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
- Establishes Relevant Technology Infrastructure Control Activities—Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
- Establishes Relevant Security Management Process Control Activities—Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity's assets from external threats.
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities—Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management's objectives.
The reliability of technology within business processes, including automated controls, depends on the selection, development, and deployment of general control activities over technology, referred to from here on as technology general controls. fn 22 Technology general controls over the acquisition and development of technology are deployed to help ensure that automated controls work properly when first developed and implemented. Technology general controls also help information systems continue to function properly after they are implemented.
For instance, suppose an organization wants to deploy an automated matching and edit check control that examines data entered on-line. If something does not match, or is in the wrong format, immediate feedback is provided so that corrections can be made. Error messages indicate what is wrong with the data, and exception reports allow for subsequent follow-up. Technology general controls over system development help ensure that this automated control works properly when first designed and implemented (e.g., the edit checks follow the business logic defined by management, the checks match data with the right transaction or standing data file, any error message completely and accurately reflects what is wrong, and all exceptions are reported according to the organization's policies).
Once this automated control is properly implemented, technology general controls help ensure its continued operation (e.g., the right files are being used in the matching process and the files are complete and accurate). Also, proper security control activities limit access to the system to only those who need it, reducing the possibility of unauthorized edits to the files. Control activities over any changes to the technology help ensure that it continues to function as designed.
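The matching and edit check control described in the two paragraphs above, written out as an added example (this is illustrative code, not code from the COSO framework or from any particular system). It validates on-line entries for format, matches them against a customer master file, returns a specific error message for each failed check, and accumulates an exception report. It also shows the general-control point about the standing data: the master file carries a trailer control total, and the control refuses to run against a file whose record count does not match, rather than matching against incomplete data. The field names, validation rules, master file layout and sample entries are all constructed assumptions.

```python
"""Added example of an automated matching and edit check control.
All field names, rules and data below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Customer:
    cust_id: str
    name: str
    status: str
    credit_limit: int  # same currency unit as entry amounts


class StandingDataError(RuntimeError):
    """The standing data file failed its completeness check."""


# Constructed customer master (standing data). The TRAILER record states
# how many data records the file should hold: a simple control total.
CUSTOMER_MASTER = (
    "C1001,Acme Ltd,ACTIVE,50000\n"
    "C1002,Globex Inc,ACTIVE,10000\n"
    "C1003,Initech,CLOSED,0\n"
    "TRAILER,3\n"
)

CUST_ID_RE = re.compile(r"^C\d{4}$")          # assumed id format: C + 4 digits
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumed date format: YYYY-MM-DD


def load_master(text: str) -> dict[str, Customer]:
    """Load the master file, refusing it if the trailer's control total does
    not match the records actually present (the 'right, complete file' check)."""
    rows = [line.split(",") for line in text.splitlines() if line.strip()]
    if not rows or rows[-1][0] != "TRAILER":
        raise StandingDataError("master file has no trailer record")
    expected, records = int(rows[-1][1]), rows[:-1]
    if len(records) != expected:
        raise StandingDataError(f"trailer expects {expected} records, file has {len(records)}")
    return {r[0]: Customer(r[0], r[1], r[2], int(r[3])) for r in records}


def edit_check(entry: dict, master: dict[str, Customer]) -> list[str]:
    """Validate one on-line entry. Each failed check yields a message that says
    exactly what is wrong, so the operator can correct it immediately."""
    errors: list[str] = []
    cust_id = entry.get("customer_id", "")
    customer = None
    if not CUST_ID_RE.match(cust_id):
        errors.append(f"customer_id {cust_id!r} is not in the form Cnnnn")
    elif cust_id not in master:
        errors.append(f"customer_id {cust_id} is not on the customer master")
    elif master[cust_id].status != "ACTIVE":
        errors.append(f"customer {cust_id} is {master[cust_id].status}, not ACTIVE")
    else:
        customer = master[cust_id]

    amount = entry.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        errors.append(f"amount {amount!r} must be a positive whole number")
    elif customer is not None and amount > customer.credit_limit:
        errors.append(f"amount {amount} exceeds credit limit {customer.credit_limit} for {cust_id}")

    tx_date = entry.get("tx_date", "")
    if not DATE_RE.match(tx_date):
        errors.append(f"tx_date {tx_date!r} is not in the form YYYY-MM-DD")
    else:
        try:
            date.fromisoformat(tx_date)
        except ValueError:
            errors.append(f"tx_date {tx_date!r} is not a real calendar date")
    return errors


def run_control(entries: list[dict], master_text: str):
    """Apply the edit check to a batch. Returns (accepted entry ids, exception
    report). Fails closed: a bad master file stops the run entirely."""
    master = load_master(master_text)
    accepted: list[str] = []
    report: list[tuple[str, list[str]]] = []
    for entry in entries:
        errors = edit_check(entry, master)
        (report.append((entry["entry_id"], errors)) if errors
         else accepted.append(entry["entry_id"]))
    return accepted, report


# Constructed on-line entries, one per kind of defect plus one clean entry.
SAMPLE_ENTRIES = [
    {"entry_id": "E1", "customer_id": "C1001", "amount": 2500, "tx_date": "2024-03-01"},
    {"entry_id": "E2", "customer_id": "C9999", "amount": 100, "tx_date": "2024-03-01"},
    {"entry_id": "E3", "customer_id": "C1003", "amount": 100, "tx_date": "2024-03-01"},
    {"entry_id": "E4", "customer_id": "1001", "amount": -5, "tx_date": "2024-13-01"},
    {"entry_id": "E5", "customer_id": "C1002", "amount": 20000, "tx_date": "2024-02-30"},
]

if __name__ == "__main__":
    ok, exceptions = run_control(SAMPLE_ENTRIES, CUSTOMER_MASTER)
    print("accepted:", ok)
    for entry_id, errs in exceptions:
        for msg in errs:
            print(f"EXCEPTION {entry_id}: {msg}")
```

Two design choices matter for the general-control argument. The match is against the loaded master, never against the raw entry, so a customer id that passes the format check but is absent or closed is still rejected with its own message; and the control-total check in load_master makes the batch fail closed when the standing data is incomplete, which is the condition the text describes as "the right files are being used in the matching process and the files are complete and accurate".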
As with other entity functions, processes are put in place to select, develop, operate, and maintain an entity's technology. These processes may be limited to a few activities over the use of standard technology purchased from an external party (e.g., a spreadsheet application) or expanded to support both in-house and externally developed technology. Selected and developed control activities contribute to the mitigation of specific risks surrounding the use of technology processes.
Technology general controls include control activities over the technology infrastructure, security management, and technology acquisition, development, and maintenance. They apply to all technology—from information technology applications on a mainframe computer; to client/server, desktop, end-user computing, portable computer, and mobile device environments; to operational technology, such as plant control systems or manufacturing robotics. The extent and rigor of control activities will vary for each of these technologies depending on various factors, such as the complexity of the technology and risk of the underlying business process being supported. Similar to business transaction controls, technology general controls may include both manual and automated control activities.
Technology requires an infrastructure in which to operate, ranging from communication networks for linking technologies to each other and the rest of the entity, to the computing resources for applications to operate, to the electricity to power the technology. The technology infrastructure can be complex. It may be shared by different business units within the entity (e.g., a shared service center) or outsourced either to third-party service organizations or to location-independent technology services (e.g., cloud computing). These complexities present risks that need to be understood and addressed. Given the broad range of possible changes in the use of technology likely to continue into the future, the organization needs to track these changes and assess and respond to the new risks.
Control activities support the completeness, accuracy, and availability of technology processing. Whether the infrastructure is batch scheduling for a mainframe computer, real-time processing in a client/server environment, mobile wireless devices, or a sophisticated communications network, the technology is actively checked for problems and corrective action taken when needed. Maintaining technology often includes backup and recovery procedures, as well as disaster recovery plans, depending on the risks and consequences of a full or partial outage.
Security management includes sub-processes and control activities over who and what has access to an entity's technology, including who has the ability to execute transactions. They generally cover access rights at the data, operating system (system software), network, application, and physical layers. Security controls over access protect an entity from inappropriate access and unauthorized use of the system and support segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or a simple error (e.g., a well-intentioned employee using a vacationing colleague's account to get work done, and executing a transaction erroneously or deleting a file because he or she is not properly trained in the work).
Security threats can come from both internal and external sources. The external threat is particularly important for entities that depend on telecommunications networks and the Internet. Technology users, customers, and malicious parties may be halfway around the world or down the hall. The many potential uses of technology and points of entry underscore the importance of security management. External threats have become prevalent in today's highly interconnected business environments, and continual effort is required to address these risks.
Internal threats may come from former or disgruntled employees. They pose unique risks because they may be both motivated to work against the entity and better equipped to carry out a malicious act, since they have greater access to, and knowledge of, the entity's security management systems and processes.
User access to technology is generally controlled through authentication control activities, where a unique user identification or token is authenticated against an approved list, so that only authorized users on that list are admitted. These control activities generally employ a policy of restricting authorized users to the applications or functions commensurate with their job responsibilities and supporting an appropriate segregation of duties. Control activities are used to check requests for access against the approved list. Other control activities are in place to update access when employees change job functions or leave the entity. A periodic review of access rights against the policy is often used to check if access remains appropriate. Access also needs to be controlled when different technology elements are connected to each other.
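The access-control activities in the paragraph above (checking an access request against the approved list, restricting users to entitlements commensurate with their role, enforcing segregation of duties, removing access for leavers, and periodically reviewing rights against the policy) as an added example, not code from the COSO framework or from any identity product. It runs a periodic access review over a constructed entitlement export and also checks a single new access request the way the text describes. It goes slightly beyond the text in also flagging accounts that have no owner on the HR roster, a common finding in such reviews. The users, roles, entitlement names and segregation-of-duties rules are all constructed assumptions.

```python
"""Added example of an access-request check and a periodic access review.
Every name, role, entitlement and rule below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    category: str
    detail: str


# Constructed HR roster: user -> (employment status, job role)
ROSTER = {
    "alice": ("ACTIVE", "AP_CLERK"),
    "bob": ("ACTIVE", "AP_MANAGER"),
    "carol": ("TERMINATED", "AP_CLERK"),
    "dave": ("ACTIVE", "DEVELOPER"),
}

# Constructed approved list: the entitlements each role may hold
ROLE_POLICY = {
    "AP_CLERK": {"ap.invoice.enter"},
    "AP_MANAGER": {"ap.invoice.approve", "ap.payment.release", "ap.report.view"},
    "DEVELOPER": {"dev.repo.write"},
}

# Constructed export of what each account actually holds today
ENTITLEMENTS = {
    "alice": {"ap.invoice.enter", "ap.invoice.approve"},
    "bob": {"ap.invoice.approve", "ap.payment.release"},
    "carol": {"ap.invoice.enter"},
    "dave": {"dev.repo.write", "prod.db.admin"},
    "svc_legacy": {"ap.payment.release"},
}

# Constructed segregation-of-duties rules: holding every entitlement in the
# set lets one person carry out two steps that should be separated.
SOD_RULES = [
    ({"ap.invoice.enter", "ap.invoice.approve"}, "enter and approve the same invoice"),
    ({"dev.repo.write", "prod.db.admin"}, "change code and administer production data"),
]


def request_allowed(user: str, entitlement: str,
                    roster=ROSTER, policy=ROLE_POLICY) -> bool:
    """Control over a new access request: grant only if the requester is an
    active user on the roster and the entitlement is approved for their role."""
    if user not in roster:
        return False
    status, role = roster[user]
    if status != "ACTIVE":
        return False
    return entitlement in policy.get(role, set())


def review_access(roster=ROSTER, policy=ROLE_POLICY,
                  entitlements=ENTITLEMENTS, sod_rules=SOD_RULES) -> list[Finding]:
    """Periodic review: compare what accounts hold against the policy and the
    roster, and return every discrepancy for follow-up."""
    findings: list[Finding] = []
    for user, held in sorted(entitlements.items()):
        if user not in roster:
            findings.append(Finding(user, "orphan_account",
                                    f"holds {sorted(held)} but is not on the HR roster"))
            continue
        status, role = roster[user]
        if status != "ACTIVE":
            # Leavers should have been deprovisioned; any remaining access is a finding.
            findings.append(Finding(user, "leaver_with_access",
                                    f"status {status} but still holds {sorted(held)}"))
            continue
        for ent in sorted(held - policy.get(role, set())):
            findings.append(Finding(user, "access_beyond_role",
                                    f"{ent} is not approved for role {role}"))
        for combo, description in sod_rules:
            if combo <= held:  # user holds every entitlement in the conflicting set
                findings.append(Finding(user, "sod_conflict",
                                        f"can {description}: {sorted(combo)}"))
    return findings


if __name__ == "__main__":
    for f in review_access():
        print(f"{f.category:20} {f.user:12} {f.detail}")
    print("alice may approve invoices:", request_allowed("alice", "ap.invoice.approve"))
```

In this constructed data the review produces findings for alice (an entitlement beyond her role that also creates an enter-and-approve conflict), carol (a terminated user who still holds access), dave (production administration outside the developer role, conflicting with code write access) and svc_legacy (no roster owner), while bob, whose rights match his role, produces none. The request check refuses the same kinds of grant before they happen: an entitlement outside the requester's role, a request from a terminated user, or a request from someone not on the roster.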
Technology general controls support the acquisition, development, and maintenance of technology. For example, a technology development methodology fn 23 provides a structure for system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints with controls over the acquisition, development, and maintenance of technology. The methodology provides appropriate controls over changes to technology, which may involve requiring authorization of change requests, verifying the entity's legal right to use the technology in the manner in which it is being employed, reviewing the changes, approvals, and testing results, and implementing protocols to determine whether changes are made properly.
In some companies the development methodology covers the continuum from large development projects to the smallest changes. In other companies there is one distinct process for developing new technology and a separate process for change management. In either case, a change management process will be in place to track changes from initiation to final disposition. Changes may arise as a result of a problem in the technology that needs to be fixed or a request from the user community.
The technology general controls included in a development methodology will vary depending on the risks of the technology initiative. A large or complex development initiative will generally have greater risks than a small or simple initiative. The extent and rigor of the controls over the initiative should be sized accordingly.
One alternative to in-house development is the use of packaged software. Technology vendors provide flexible, integrated systems allowing customization through the use of built-in options. Many technology development methodologies address the acquisition of vendor packages as a development alternative and include the necessary steps to provide control over their selection and implementation. Once selected and implemented, the technology general controls outlined above would also apply to the ongoing development and maintenance of the technology.
Another alternative is outsourcing. While in principle the same considerations apply whether controls are performed internally or by an outsourced service provider, outsourcing presents unique risks and often requires selecting and developing additional controls over the completeness, accuracy, and validity of information submitted to and received from the outsourced service provider.
fn 22 Terminology typically used to describe these controls includes "general computer controls," "general controls," or "information technology controls." The term "technology general controls" is used here to refer to "general control activities over technology."
fn 23 There are many names for this process. One common name is "systems development life cycle" (SDLC).
Generated November 9, 2014 22:46:48