P. 152

Logical Security: The Network Layer

            TOPIC 1: OVERVIEW

            Introduction

            An organization’s internal network includes one or more Local Area Networks (LANs). Microsoft’s
            Active Directory System (ADS) provides network management services, including services that define
            user and device access rights, verify credentials at login, and retain data regarding the members
            (users and devices) belonging to a domain. Each network can contain one or more domains, all
            supported by one active directory (AD). This unit will focus primarily on the organization’s LAN,
            including an overview of its basic components and appliances.

            Learning Objectives

            •  Distinguish characteristics of privileged access.
            •  Identify common network concepts and terminology.
            •  Describe basic network architecture.

            Logical Security Control Components

            Components of logical security control include the following:
            •  Authentication – Manner in which the user logs into the system.
            •  Authorization – Manner in which the user gets approved to access a system.
            •  Access Management – Assignment of initial and updated access; provides a level of separation of
               duties (SoD).
            •  Auditing and Follow-Up – Includes periodic review of user access capability and analyzing logged
               events for trends or anomalies.
            •  Identification – Manner in which each user is uniquely identified.

            Access and Security

            Assigned access is based on either data classification (e.g., public, sensitive, corporate restricted, or
            confidential) or functionality (e.g., treasury, ordering, receiving, or journal entry activities).

            There are three important terms you need to be familiar with that relate to access and security:
            hardening, deny list, and allow list. Hardening means reducing risks and threats by reducing areas of
            vulnerability, often through removal of non-essential functions, changing default passwords, and
            maintaining an up-to-date operating system (OS) configuration.

            The deny list is a list of items that users are not allowed to access. For example, pornographic
            websites would be on the deny list. Deny lists can also be part of a firewall configuration. They often
            begin with an “allow all” strategy for internet and application access. This access is then restricted
            as the sites and applications are deemed unacceptable.
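            The two strategies named above behave differently when a destination nobody has classified yet shows up. The following added example (not part of the course material) models a deny list as "allow by default, deny what is listed" and its counterpart, an allow list, as "deny by default, allow what is listed"; the policy class, host names and `.test` domains are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Policy:
    """Hypothetical access policy: first matching rule wins, else the default applies."""
    name: str
    default: str                                   # action when no rule matches
    rules: dict = field(default_factory=dict)      # glob pattern -> "allow" | "deny"

    def decide(self, host: str) -> str:
        host = host.lower().rstrip(".")
        for pattern, action in self.rules.items():
            if fnmatch(host, pattern):
                return action
        return self.default


# Deny list: "allow all" starting point, restricted as sites are deemed unacceptable.
DENY_LIST = Policy(
    name="deny list (allow all, then restrict)",
    default="allow",
    rules={"*.example-gambling.test": "deny", "*.example-adult.test": "deny"},
)

# Allow list: "deny all" starting point, opened only for approved business destinations.
ALLOW_LIST = Policy(
    name="allow list (deny all, then permit)",
    default="deny",
    rules={"erp.corp.test": "allow", "*.bank-portal.test": "allow"},
)


def compare(hosts):
    """Return {host: (deny-list decision, allow-list decision)} for each destination."""
    return {h: (DENY_LIST.decide(h), ALLOW_LIST.decide(h)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample destinations; the last one was never classified by anyone.
    for host, (deny_list_result, allow_list_result) in compare(
        ["erp.corp.test", "www.example-gambling.test", "new-unknown-site.test"]
    ).items():
        print(f"{host:28} deny-list={deny_list_result:5}  allow-list={allow_list_result}")
```

            The unclassified host is reachable under the deny list and blocked under the allow list, which is why a deny list needs ongoing review to catch what it does not yet name.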




            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.