In the field of information security, enterprise infosec pros have one straightforward objective: Keep confidential information protected from unauthorized individuals, while ensuring the data retains its integrity and is available to those that need it. 

In order to accomplish this, we as security practitioners design and implement a range of internal controls that provide structure to how data is stored, managed, transmitted and ultimately destroyed. While many organizations are subject to periodic validation and certification of these internal controls, all organizations can take steps to ensure their internal controls are comprehensive, efficient and most importantly, effective.  These steps, which we’ll discuss in this tip, can go a long way toward not only instilling good governance, but also ensuring compliance with related laws and regulations, such as PCI DSS.

Internal controls checklist
There are four key areas that organizations should consider when evaluating their internal controls for data security:

• Control ownership
• Risk alignment
• Monitoring and testing
• Control limitations

Control ownership – One of the central tenants of control strength is ensuring there is clear ownership. As more organizations have moved toward internal control libraries, (where controls are standardized and centralized and then applied across business