Page 156 - Courses

Logical Security: The Network Layer

•  Regular access review of physical keys and badge permissions.

Suggested Audit Procedures

The following are high-level suggested audit procedures (not ADS specific, but general network concepts):

Default Passwords
•  Ask network personnel about the procedures for installing new network devices and changing default passwords.
•  For a sample of network devices, have network personnel attempt to log into the devices using vendor-supplied default passwords.

Wiring Closets (which may contain routers, switches, telecommunications equipment, and wiring distribution frames):
•  Ensure that periodic review of access to wiring closets occurs.
•  Review the user access list for wiring closets for appropriateness.
•  If wiring closet access is managed physically, ensure that the master building keys are restricted.
•  If wiring closets are protected by an access control system, review a sample of its logs to validate that only authorized personnel have accessed the closets. Also review the logs for trends or anomalies (e.g., the same user accessing wiring closets an abnormal number of times or after hours).
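The log review in the last bullet, worked as an added example (not part of the course material): it parses constructed badge-reader lines, flags granted entries outside an assumed 07:00-19:00 weekday window, and flags any user whose granted-entry count is more than 1.5 times the median user's count (the log format, business hours, and ratio are all assumptions).

```python
"""Review wiring-closet badge-access logs for after-hours entries and
users with an abnormal number of entries. Log format and sample lines are
constructed for this example; the business-hours window is an assumption."""
from collections import Counter
from datetime import datetime, time
from statistics import median

# Constructed sample log: ISO timestamp, badge holder, door, reader result.
SAMPLE_LOG = """\
2021-03-01T08:12:00 jdoe CLOSET-3F GRANTED
2021-03-01T09:40:00 asmith CLOSET-3F GRANTED
2021-03-01T13:00:00 cgarcia CLOSET-3F GRANTED
2021-03-01T23:15:00 jdoe CLOSET-3F GRANTED
2021-03-02T10:05:00 asmith CLOSET-3F GRANTED
2021-03-02T10:07:00 jdoe CLOSET-3F GRANTED
2021-03-02T10:30:00 jdoe CLOSET-3F GRANTED
2021-03-02T14:00:00 bwong CLOSET-3F DENIED
2021-03-02T16:30:00 cgarcia CLOSET-3F GRANTED
2021-03-03T02:48:00 jdoe CLOSET-3F GRANTED
2021-03-03T11:00:00 asmith CLOSET-3F GRANTED
2021-03-03T11:20:00 jdoe CLOSET-3F GRANTED
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working day, Mon-Fri


def parse_log(text):
    """Return (datetime, user, door, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, door, result = line.split()
            events.append((datetime.fromisoformat(ts), user, door, result))
    return events


def after_hours(events):
    """Granted entries on weekends or outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return [e for e in events if e[3] == "GRANTED"
            and (e[0].weekday() >= 5 or not start <= e[0].time() < end)]


def abnormal_users(events, ratio=1.5):
    """Users whose granted-entry count exceeds ratio * median across users."""
    counts = Counter(e[1] for e in events if e[3] == "GRANTED")
    if len(counts) < 2:
        return {}  # nothing to compare against
    threshold = ratio * median(counts.values())
    return {u: n for u, n in counts.items() if n > threshold}


def review(text):
    """Produce the three review lists an auditor would walk through."""
    events = parse_log(text)
    return {"after_hours": after_hours(events),
            "denied": [e for e in events if e[3] == "DENIED"],
            "abnormal_users": abnormal_users(events)}
```

Denied attempts are listed separately because a string of denials on a closet door is the other anomaly worth explaining during the review.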

TOPIC 2: NETWORK SEGMENTATION

Network Segmentation

Segmentation can be used to simplify a complicated network or to provide additional security layers over specific services or data. Examples include:
•  Isolating the import of financial transactions from various banks, such that the isolated network segment allows outbound communication only to specific network sites and allows only downloading of data. This isolation, along with encryption, reduces the likelihood of an intrusion from external environments, and if a download contains malware (that is not identified by endpoint software), the malware is less likely to spread to other parts of the network.
•  Isolating the part of the network that processes credit card transactions in order to meet Payment Card Industry (PCI) requirements.
•  Isolating the segment of the network that is used for storing and processing customer data.

Networks can be segmented by using either physical or logical separations.

Physical Separation
Physical separation is achieved through the use of a physical device such as a switch or router. Physical separation is useful for organizations with confidential data. An example of a physically separated network is displayed.
            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.