
IT Essentials — Assessing Infrastructure and Networks

    - Ensuring that physical access to routers is restricted. Routers usually have remote access capabilities for the devices themselves. These should be secured with strong passwords and monitored for failed login attempts.
    - Verifying that remote users are required to use two-factor authentication.

- Ensuring patch maintenance. Ensuring the latest security patches and firmware updates are installed on network components (e.g., firewalls, routers, printers, and Voice over Internet Protocol (VoIP) phones).

- Ensuring appropriate management of third-party network risks. This is applicable if network management is outsourced, in which case IT must ensure the vendor's security programs are robust, efficient, effective, and accessible.
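As an added illustration of the "monitored for failed login attempts" item above (example code, not part of the course material): a small Python checker that parses router login log lines and flags any source address that accumulates five or more failed remote logins within a five-minute window. The log format, hostname, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample router log lines (not from the course page); the format
# imitates a generic "login failed/accepted" message with a user and source IP.
SAMPLE_LOG = """\
2024-03-01T08:00:01 rtr-edge-1 sshd: Failed login for user admin from 203.0.113.7
2024-03-01T08:00:04 rtr-edge-1 sshd: Failed login for user admin from 203.0.113.7
2024-03-01T08:00:09 rtr-edge-1 sshd: Failed login for user root from 203.0.113.7
2024-03-01T08:00:15 rtr-edge-1 sshd: Failed login for user admin from 203.0.113.7
2024-03-01T08:00:20 rtr-edge-1 sshd: Failed login for user admin from 203.0.113.7
2024-03-01T08:30:00 rtr-edge-1 sshd: Failed login for user netops from 198.51.100.20
2024-03-01T08:31:00 rtr-edge-1 sshd: Accepted login for user netops from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) login "
    r"for user (?P<user>\S+) from (?P<src>[\d.]+)$"
)

def parse_events(text):
    """Yield (timestamp, host, result, user, src) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["result"], m["user"], m["src"])

def failed_login_alerts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {(host, src): peak_count} for sources reaching `threshold` failures
    inside any sliding time window of length `window`."""
    failures = defaultdict(list)
    for ts, host, result, _user, src in parse_events(text):
        if result == "Failed":
            failures[(host, src)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while ts - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts

if __name__ == "__main__":
    for (host, src), n in failed_login_alerts(SAMPLE_LOG).items():
        print(f"{host}: {n} failed remote logins from {src} within 5 minutes")
```

The single failure from 198.51.100.20 followed by a successful login stays below the threshold, so only the burst from 203.0.113.7 is reported.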

Other areas to consider include project-related and third-party provider risks. For example, project-related risks include insufficient budget, resources, project management, user acceptance, and technical skills. For project-related risks, the internal auditor should analyze issues related to project delivery and user acceptance.

Examples of third-party provider risks include financial stability of the managed service provider, scalability, misconfiguration of network resources, data breaches, regulatory compliance, network reliability, and insider threats. For third-party provider risks, the internal auditor should analyze the service provider's network stability (found in the service-level agreement (SLA) and compliance reporting), financial strength, System and Organization Controls (SOC) reports to review IT controls, data breach and regulatory fines and penalties history, and contract provisions, including the existence of a right-to-audit clause.

The inventory of IT infrastructure components reveals basic information about the environment's vulnerabilities. For example, business systems and networks connected to the internet are exposed to threats that do not exist for self-contained systems and networks. Because internet connectivity is an essential element of most business systems and networks, organizations must make certain that their systems and network architectures include fundamental controls that ensure basic security. The complete inventory of the organization's IT hardware, software, network, and data components forms the foundation for assessing the vulnerabilities within the IT infrastructure.

System architecture schematics reveal the implementation of infrastructure components and how they interconnect with other components inside and outside the organization. To the information security expert, the inventory and architecture of IT infrastructure components, including the placement of security controls and technologies, reveal potential vulnerabilities. Unfortunately, information about a system or network also can reveal vulnerabilities to a potential attacker, so access to such information must be restricted to only those people who need it. A properly configured system and network environment will minimize the amount of information it provides to would-be attackers, and an environment that appears secure presents a less attractive target to attackers.

            Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.