
IT Essentials — Assessing Infrastructure and Networks

            and databases. This concept also ensures that appropriate physical controls are in place. The overall
            concept is governed by appropriate policies and procedures.

            The concept of defense in depth is similar to how castles were protected during medieval times,
            when multiple controls or barriers protected the crown jewels as well as the inhabitants. A similar
            philosophy exists today to define cyber controls across various layers of the cyber environment.
                 • The internet is outside of the castle gate.
                 • The castle gate is the firewall rule (outward facing).
                 • The walls, moat, and courtyard are the demilitarized zone (DMZ).
                 • Watchtowers are security Intrusion Detection Solution / Intrusion Prevention Solution
                   (IDS/IPS), Data Loss Prevention (DLP), also known as Data Leakage Prevention, email, and
                   web gateways.
                 • The inner door to the castle is the internal-facing firewall.
                 • The room has a door with a lock, and there is a locked treasure chest inside.

            Remote Network Access and Virtual Private Networks

            We recently started working from home and are following the telecommuting policy. We were told
            that our computers might not be able to support the remote format. What is the correct way to
            connect to the corporate network from home?

            We have always had these capabilities for disaster recovery purposes, but only offered remote
            access to our executives and sales team. A couple years ago, we researched numerous remote
            access options and made a selection based on factors, including security requirements, user
            expectations, technical capabilities, and business needs. The need to access corporate networks is a
            result of today’s workforce becoming more mobile; to remain productive, users require constant
            network access. This may even require connection from an unsecure public network, such as a
            public access point.

            A majority of solutions deployed by organizations that utilize remote working require some form of
            security to ensure that remote connections are secure. The security controls are usually in the form
            of multi-factor authentication (MFA) (sometimes referred to as two-factor authentication (2FA)) or
            encryption, or both. MFA/2FA means that in addition to entering a password, a user must enter a
            token verification code or passkey that refreshes periodically (e.g., a one-time multi-digit number
            (token) is sent to a remote user’s mobile phone that must be used to complete a user’s access to an
            organization’s system).
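
The periodically refreshing verification code described above can also be generated on the user's device rather than sent to a phone. The Python code below is an added example, not part of the original course text: it implements time-based one-time passwords as specified in RFC 6238 together with a server-side check that requires both factors. The function names, the 30-second step, the drift window and the sample secret (the RFC's published test key) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: the shared secret used by the RFC 6238 SHA-1 test vectors.
SECRET = b"12345678901234567890"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Return the RFC 6238 code (HMAC-SHA1) valid at Unix time `at`."""
    counter = int(at) // step                      # number of elapsed time steps
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(password_ok: bool, secret: bytes, submitted: str, now: float,
                 used_counters: set, step: int = 30, drift: int = 1) -> bool:
    """Grant access only if the password check passed AND the code is valid.

    A code is valid if it matches any time step within +/- `drift` steps of
    `now` (tolerates clock skew) and that step has not been used before
    (blocks replay of an observed code).
    """
    if not password_ok:                            # first factor must pass
        return False
    current = int(now) // step
    for counter in range(current - drift, current + drift + 1):
        if counter < 0 or counter in used_counters:
            continue
        expected = totp(secret, counter * step, step, digits=6)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    seen = set()
    print(totp(SECRET, 59))                                          # 287082
    print(verify_login(True, SECRET, "287082", 59, seen, drift=0))   # True
    print(verify_login(True, SECRET, "287082", 59, seen, drift=0))   # False (replay)
```
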

            Remote access to a company network is achieved via a virtual private network (VPN). A VPN extends a
            private network across a public network and enables users to send and receive data as if they were
            connected over a private network. It provides the benefits of functionality, security, and
            management characteristics of a private network. Organizations should ensure that all VPN access is
            verified and authenticated to prevent unauthorized remote access to the organization’s network
            (e.g., multi-factor authentication).




            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.