
IT Essentials — Assessing Infrastructure and Networks

Infrastructure Challenges and Risks

An organization’s infrastructure is the backbone of its IT operations. When set up well, it can help maximize efficiency. When not optimized, it can introduce unnecessary risks and challenges. It is imperative that internal auditors understand the infrastructure on all IT-related engagements. There are numerous challenges and risks related to an organization’s IT infrastructure, including but not limited to:

Configuration — vulnerabilities can exist where the OSs and the associated applications (enterprise and end-user) are not configured securely.

Security —
• Inadequate development or management of security exceptions can allow for device obsolescence.
• Poor or fragmented encryption or access management can allow excessive access, especially when a key is not changed after the individual it was assigned to no longer needs access. Additionally, there is a risk of data exposure when a key expires and a new key is not assigned in a timely manner.
• Improper hardening (securing) of devices added to the network can increase the risk of compromise due to open protocols, default passwords, and lack of monitoring.
• Stale or generic security training increases the risk that users will succumb to social engineering tactics.
• Missing, outdated, or improperly placed rules can allow bad actors to circumvent controls such as access control lists (ACLs) and firewall rules.

Conformity — industry-recognized frameworks, standards, or methodologies may not be followed, introducing potential regulatory or compliance risk.

Patches — if patches are not applied to critical systems, the IT infrastructure is exposed to vulnerabilities and security issues.
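One concrete way to test the "improperly placed rules" risk listed under Security, as an added example that is not part of the IIA course text: a first-match firewall rule list is walked to find rules that an earlier, broader rule fully covers, so they can never fire. The rule base and addresses below are constructed for illustration; `subnet_of` is the Python standard-library `ipaddress` method.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR (IPv4 only in this example)
    dst: str       # destination CIDR
    ports: tuple   # inclusive destination port range (low, high)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    proto_ok = outer.proto in ("any", inner.proto)
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def find_shadowed(rules):
    """Return (shadowed rule, earlier rule, control defeated?) for each rule
    that can never match because a single earlier rule fully covers it.
    A deny shadowed by an earlier permit is the misplaced-rule case: the
    traffic the deny was meant to block is allowed through."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break  # one shadowing rule is enough to report
    return findings


# Constructed rule base: the broad permit was placed above the targeted deny.
MISORDERED = [
    Rule("allow-internal-tcp", "permit", "tcp", "0.0.0.0/0", "10.0.0.0/8", (1, 65535)),
    Rule("deny-guest-ssh", "deny", "tcp", "192.168.50.0/24", "10.0.0.0/8", (22, 22)),
    Rule("permit-dns", "permit", "udp", "10.0.0.0/8", "10.0.0.53/32", (53, 53)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (1, 65535)),
]

# Corrected ordering: the specific deny is evaluated before the broad permit.
CORRECTED = [MISORDERED[1], MISORDERED[0], MISORDERED[2], MISORDERED[3]]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, find_shadowed(rules) or "no shadowed rules")
```

The check only detects a rule covered by one earlier rule; a deny covered by the union of several earlier permits would need a more elaborate comparison.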

TOPIC 4: DEFINING A NETWORK

The simplest definition of a network in the IT context is a means of connecting two or more computers for the purposes of sharing information. A network generally has three key characteristics: topology, architecture, and protocols. This unit explains each and offers examples. It also introduces concepts, including the layered service model, remote network access, and network defense.

There are three main types of networks:
• Local area networks (LANs).
• Metropolitan area networks (MANs).
• Wide area networks (WANs).



            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.