Page 153 - Courses
P. 153

Logical Security: The Network Layer

            The allow list is a list of items that users are allowed to access. For example, commonly used
            industry websites would be on the allow list. Allow lists can also be part of a firewall configuration.
            They often begin with a “deny all” strategy for internet and application access. Access is then
            granted as the sites and applications are deemed essential.

            System security design is based on one of two very important principles: 1) least privilege permission
            (deny all), and 2) allow all permission. A system built under least privilege has a default of no initial
            system access granted, and the administrator must assign all permissions. In contrast, the allow all
            philosophy grants all users total access, and the administrator must restrict unnecessary access
            during system configuration.

            Concerns with Privileged or Super User Accounts

            There are common concerns associated with privileged or super user accounts:
            •  Not appropriately separating user and administrator actions by establishing and requiring two
               UserIDs.
            •  Developing processes for authenticating privileged users throughout all software layers (i.e.,
               network, OS, database, and application).
            •  Ensuring terminated privileged and super users are timely revoked from emergency ID’s and
               administrative consoles, as well as Microsoft’s Active Directory System (ADS).
            •  Ensuring that transferred employees have their prior access removed, and that access for the
               new roles is provided in a timely manner.
            •  Restricting access to system, installation, and emergency privileged accounts, and safeguarding
               passwords for these accounts.
            •  Monitoring users with privileged access capability.
            •  Ensuring proper set-up of general system security settings.

            Control Objectives for Privileged and Super Users

            Common logical security control objectives for privileged and super users:
            •  General system security settings are appropriate.
            •  Password settings are appropriate and more complex than user accounts with frequent
               expirations.
            •  Granting of privileged and super user accounts is limited to appropriate individuals on a need-to-
               know basis.
            •  Access to emergency IDs, administrative functionality, system resources, data at rest, scanning,
               and utilities is limited to appropriate individuals.
            •  Logical access is authorized and appropriately established.
            •  The logical access process is logged and monitored, and logs are retained based on regulatory
               guidelines.

            Network Layer Security Concepts

            LAN


            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.
   148   149   150   151   152   153   154   155   156   157   158