Welcome to SecurityProcedure, Information System Auditing Resources. We maintain FREE security policies, procedures and resources. Our scope ranges from industry standards such as COBIT, ITIL and ISO 27001 to regulatory compliance such as Basel II, HIPAA, PCI DSS and Sarbanes-Oxley.

Download free Policy & Procedure Manager 4.5

Well, it's a 30-day free trial actually, but it is still very useful software for those working with a lot of documentation, policies and procedures. For more information you can visit their main site or download it directly (29 MB) from download.com.

The web-based Policy & Procedure Manager provides your staff with instant access to your organization's policies and procedures. It notifies those who are required to read specific documents and tracks who has read them. You can use the software to create, review, approve, and archive all of your documents, not just policies and procedures.

Download Free IT Risk Assessment Templates

Download Free IT Risk Assessment Templates. This template is created using NIST SP 800-30, the Risk Management Guide for Information Technology Systems. It covers some of the basic steps of an IT risk assessment, including: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination,

NIST IT Risk Management Guidelines

IT Risk Management Guidelines

These NIST guidelines cover:
1. IT Risk Management
2. IT Risk Assessment
3. IT Risk Mitigations

Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk.

Download IT General Control (ITGC) Audit Program Template

ITGC IT General Control
So basically, what is the simplest approach to ITGC? Should we check every change and modification in our applications and infrastructure, or should we focus only on the significant ones? The simplest approach is to use the minimum requirements set by government regulation. So here is some of the ITGC scope based on Sarbanes-Oxley Section 404:

Program Development / Program Change

Control objective: Acquire or develop application software
Control: The organization's system development life cycle (SDLC) includes security, availability and processing integrity requirements of the organization.

Control objective: Acquire or develop application software
Control: An adequate SDLC methodology has been established to serve as a basis for controlling development and maintenance activities, and the SDLC methodology is consistent with business and end-user strategies and objectives.

Logical Access

Control objective: Ensure systems security
Control: An information security policy exists and has been approved by an appropriate level of executive management.

Eleven golden rules for user registration controls

ISO 27002 recommends that an organization's user registration process should cover the following:
1. Unique user identifications (IDs) should be issued so that users can be linked to, and made responsible for, their actions.

2. The user’s access rights should be documented and describe what assets and systems the user is allowed to access.

3. System owners should authorize proposed users to use the system, and the access rights document should also be authorized by the individual’s line manager, to ensure that it is appropriate.
