Page 122 - Courses
IT Essentials — Assessing Infrastructure and Networks
Some versions of these protocols add security through encryption, signified by the
letter “S,” such as SFTP (FTP over a Secure Shell [SSH] connection) or HTTPS. It is important for an
organization to understand the secure protocol requirements that apply to it under regulations,
policies, and governing standards (e.g., NIST, Payment Card Industry [PCI] Data Security Standard
[DSS]).
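A practical way to apply this paragraph during an infrastructure assessment is to run an asset inventory through a check that flags cleartext services and names the encrypted equivalent an auditor would expect. The script below is an added example for this page, not IIA material; its inventory format (one “host:port[/protocol]” entry per line), the protocol tables, and the sample entries are constructed for illustration.

```python
"""Flag cleartext service endpoints in an asset inventory and name the
encrypted equivalent. Added example, not IIA material; the inventory format,
protocol tables and sample entries are constructed for illustration."""

from dataclasses import dataclass

# Cleartext protocols paired with the encrypted variant an auditor expects.
SECURE_EQUIVALENT = {
    "ftp": "sftp or ftps",
    "telnet": "ssh",
    "http": "https",
    "ldap": "ldaps",
    "smtp": "smtp with starttls or smtps",
}

# Protocols that already provide transport encryption.
ENCRYPTED = {"sftp", "ftps", "ssh", "https", "ldaps", "smtps"}

# Well-known ports, consulted when an inventory line omits the protocol name.
PORT_TO_PROTOCOL = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
    80: "http", 389: "ldap", 443: "https", 636: "ldaps",
}


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    recommendation: str


def parse_entry(line):
    """Parse 'host:port[/protocol]  # comment'.

    Returns (host, port, protocol) or None for blank or malformed lines.
    A bracketed IPv6 literal such as '[::1]:80' is handled because the
    port is split off at the last colon.
    """
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    if not line:
        return None
    endpoint, _, proto = line.partition("/")
    host, _, port_text = endpoint.rpartition(":")
    if not host or not port_text.isdigit():
        return None
    port = int(port_text)
    proto = proto.strip().lower() or PORT_TO_PROTOCOL.get(port, "unknown")
    return host.strip(), port, proto


def audit_inventory(lines):
    """Return one Finding per cleartext service that has an encrypted equivalent."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        host, port, proto = parsed
        if proto in ENCRYPTED:
            continue
        if proto in SECURE_EQUIVALENT:
            findings.append(
                Finding(host, port, proto, f"replace with {SECURE_EQUIVALENT[proto]}")
            )
    return findings


# Constructed sample inventory (hostnames use the reserved .example TLD).
SAMPLE_INVENTORY = [
    "fileserver.example:21            # legacy transfer, protocol inferred from port",
    "fileserver.example:22/sftp",
    "intranet.example:80/http",
    "intranet.example:443/https",
    "switch01.example:23",
    "directory.example:636/ldaps",
    "directory.example:389",
    "mail.example:25/smtp",
    "not a valid entry",
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}:{f.port} {f.protocol}: {f.recommendation}")
```

Each finding is a candidate control gap to compare against the organization’s policy and the applicable standard; whether a cleartext service is actually non-compliant still depends on its data classification and network placement, which the inventory alone does not show.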
IT professionals often speak in terms of the protocols that implement the functions required by
a layer. A list of some of the protocols used at each layer is also offered as “protocols (or media)
implementing this layer.” The example protocols are not exhaustive, but they may help identify
information resources or equivalencies and provide context. The Open Systems Interconnection
(OSI) seven-layer model shows some of the common protocols used at each layer.
For example, web services are performed by the Hypertext Transfer Protocol (HTTP) at layer 7
(the application layer). In addition, when network components (described on the next screen) are
discussed, they are often identified as “performing” at a specific layer.
Network Defense
To fully comprehend network security as it relates to a network’s components and architecture, the
concept of layered defense or defense in depth must be understood. This concept focuses on the
premise that no single point of failure should cause the total compromise of security.
[Figure: Layered Defense In Depth. Source: IIA GTAG: “IT Essentials for Internal Auditors”]
Layered Defense or Defense In Depth
Network defense ensures there are multiple layers of controls before a potential intruder can access
sensitive information. These layers of controls usually exist across a network, servers, applications,
Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.