P. 153
Logical Security: The Network Layer
The allow list is a list of items that users are allowed to access. For example, commonly used
industry websites would be on the allow list. Allow lists can also be part of a firewall configuration.
They often begin with a “deny all” strategy for internet and application access. Access is then
granted as the sites and applications are deemed essential.
System security design follows one of two fundamental principles: 1) least privilege (deny all), or
2) allow all. A system built under least privilege grants no system access by default, and the
administrator must assign every permission. In contrast, the allow all philosophy grants all users
total access by default, and the administrator must restrict unnecessary access during system
configuration.
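The two design stances and the firewall-style allow list above, as an added example (not part of the course text): a small policy evaluator that decides the same request under a least-privilege (deny all) design and under an allow-all design, and a hostname matcher for a web allow list. The resource names, hostnames and allow-list entries are constructed for illustration.

```python
"""Deny-all versus allow-all defaults with a firewall-style allow list.

Added example, not part of the course text. The resource names, hostnames and
allow-list entries below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    """One of the two design stances.

    default_allow=False is least privilege: nothing is reachable until the
    administrator grants it (the ``allow`` set).
    default_allow=True is allow all: everything is reachable until the
    administrator restricts it (the ``deny`` set).
    """
    default_allow: bool
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def decide(self, resource: str) -> bool:
        if self.default_allow:
            return resource not in self.deny
        return resource in self.allow


def compare_designs(resource: str, least_privilege: AccessPolicy,
                    allow_all: AccessPolicy) -> dict:
    """Decide one request under both designs. The two differ on resources the
    administrator has not yet reviewed (new shares, new applications): least
    privilege fails closed, allow all fails open."""
    return {
        "least_privilege": least_privilege.decide(resource),
        "allow_all": allow_all.decide(resource),
    }


# Constructed allow list for web egress: exact hostnames, plus ".suffix"
# entries that cover a domain and all of its subdomains.
WEB_ALLOW_LIST = ["intranet.example.com", ".industry-news.example"]


def host_on_allow_list(host: str, allow_list=WEB_ALLOW_LIST) -> bool:
    """Match a hostname against the allow list.

    Normalises case and a trailing dot so "INTRANET.EXAMPLE.COM." still
    matches. A ".suffix" entry only matches at a label boundary, so
    "notindustry-news.example" does not match ".industry-news.example".
    """
    host = host.lower().rstrip(".")
    for entry in allow_list:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def web_egress_decision(host: str, allow_list=WEB_ALLOW_LIST) -> str:
    """Firewall stance: deny all outbound web access, then permit listed sites."""
    return "allow" if host_on_allow_list(host, allow_list) else "deny"


if __name__ == "__main__":
    lp = AccessPolicy(default_allow=False, allow={"payroll-app"})
    aa = AccessPolicy(default_allow=True, deny={"hr-db"})
    for r in ("payroll-app", "hr-db", "newly-deployed-share"):
        print(r, compare_designs(r, lp, aa))
    for h in ("intranet.example.com", "feeds.industry-news.example",
              "notindustry-news.example"):
        print(h, web_egress_decision(h))
```

The resource the administrator has not configured yet ("newly-deployed-share") is where the two designs diverge: least privilege denies it until someone grants it, allow all permits it until someone notices. The suffix matching deliberately requires a leading dot so that a look-alike domain cannot satisfy the allow list by ending in the same characters.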
Concerns with Privileged or Super User Accounts
There are common concerns associated with privileged or super user accounts:
• Not appropriately separating user and administrator actions by establishing and requiring two
UserIDs.
• Developing processes for authenticating privileged users throughout all software layers (i.e.,
network, OS, database, and application).
• Ensuring terminated privileged and super users are revoked in a timely manner from emergency IDs
and administrative consoles, as well as Microsoft’s Active Directory System (ADS).
• Ensuring that transferred employees have their prior access removed, and that access for the
new roles is provided in a timely manner.
• Restricting access to system, installation, and emergency privileged accounts, and safeguarding
passwords for these accounts.
• Monitoring users with privileged access capability.
• Ensuring proper set-up of general system security settings.
Control Objectives for Privileged and Super Users
Common logical security control objectives for privileged and super users:
• General system security settings are appropriate.
• Password settings are appropriate, more complex than those for standard user accounts, and expire
frequently.
• Granting of privileged and super user accounts is limited to appropriate individuals on a
need-to-know basis.
• Access to emergency IDs, administrative functionality, system resources, data at rest, scanning,
and utilities is limited to appropriate individuals.
• Logical access is authorized and appropriately established.
• The logical access process is logged and monitored, and logs are retained based on regulatory
guidelines.
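A periodic privileged-account review that tests the concerns and control objectives in the two lists above, as an added example (not the course's own material): it reconciles a constructed HR roster against a constructed inventory of privileged accounts and flags terminated users who still hold privileged access, transferred users keeping access granted for a prior role, a privileged account that doubles as the owner's everyday ID (no separation of user and administrator actions), and privileged passwords older than the stricter maximum age assumed for such accounts. All names, dates and the 60-day limit are constructed values.

```python
"""Privileged-account review against an HR roster.

Added example, not the course's own material. Employees, accounts, dates and
the privileged password age limit are constructed for illustration.
"""
from datetime import date

# Constructed HR roster: current status, current role, and the prior role for
# anyone who has transferred.
HR_ROSTER = {
    "alice": {"status": "active",     "role": "dba",      "prior_role": None},
    "bob":   {"status": "terminated", "role": "sysadmin", "prior_role": None},
    "carol": {"status": "active",     "role": "helpdesk", "prior_role": "sysadmin"},
    "dave":  {"status": "active",     "role": "netadmin", "prior_role": None},
}

# Constructed inventory of privileged accounts: which person owns it, the role
# it was granted for, whether the same ID is also used for daily work, and the
# last password change.
PRIVILEGED_ACCOUNTS = [
    {"id": "alice-adm", "owner": "alice", "granted_for": "dba",
     "daily_use": False, "pw_changed": date(2021, 6, 15)},
    {"id": "bob-adm",   "owner": "bob",   "granted_for": "sysadmin",
     "daily_use": False, "pw_changed": date(2021, 6, 1)},
    {"id": "carol-adm", "owner": "carol", "granted_for": "sysadmin",
     "daily_use": False, "pw_changed": date(2021, 6, 1)},
    {"id": "dave",      "owner": "dave",  "granted_for": "netadmin",
     "daily_use": True,  "pw_changed": date(2021, 1, 10)},
]

# Assumed privileged-account policy: stricter than a standard-user expiry.
PRIV_MAX_PASSWORD_AGE_DAYS = 60
REVIEW_DATE = date(2021, 7, 1)   # constructed review date


def review_privileged_accounts(roster, accounts, today=REVIEW_DATE,
                               max_age_days=PRIV_MAX_PASSWORD_AGE_DAYS):
    """Return (account id, finding) pairs for every control failure found.

    An account whose owner is terminated or unknown to HR is reported and
    skipped: revocation is the only action that matters for it.
    """
    findings = []
    for acct in accounts:
        person = roster.get(acct["owner"])
        if person is None or person["status"] == "terminated":
            findings.append((acct["id"], "terminated-or-unknown-owner"))
            continue
        # Transferred employee still holding privileges from the prior role.
        if acct["granted_for"] != person["role"]:
            findings.append((acct["id"], "access-from-prior-role"))
        # User and administrator actions not separated into two IDs.
        if acct["daily_use"]:
            findings.append((acct["id"], "no-separate-admin-id"))
        # Privileged password older than the stricter privileged expiry.
        if (today - acct["pw_changed"]).days > max_age_days:
            findings.append((acct["id"], "privileged-password-expired"))
    return findings


def accounts_to_revoke(findings):
    """IDs that should be removed outright rather than remediated."""
    return sorted({acct for acct, why in findings
                   if why == "terminated-or-unknown-owner"})


if __name__ == "__main__":
    for acct_id, why in review_privileged_accounts(HR_ROSTER, PRIVILEGED_ACCOUNTS):
        print(f"{acct_id}: {why}")
    print("revoke:", accounts_to_revoke(
        review_privileged_accounts(HR_ROSTER, PRIVILEGED_ACCOUNTS)))
```

Each finding maps to one item in the lists above, which is what makes the output usable as audit evidence: the reviewer can show which control objective each exception violates and retain the findings list alongside the access logs.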
Network Layer Security Concepts
LAN
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.