Page 28 - ITGC_Audit Guides
Infrastructure is a key component for an internal auditor to understand for all IT-related
engagements. There are numerous challenges/risks related to an organization’s IT infrastructure
that can include but are not limited to:
Configuration – where the operating systems and the associated applications (enterprise
and end-user) are not configured securely, vulnerabilities can exist.
Security –
o Inadequate development or management of security exceptions can allow for device
obsolescence.
o Poor or fragmented encryption or access management can allow excessive access,
especially when the key does not change after the individual assigned the key
is no longer in a position that needs access. Additionally, there is a risk of data exposure
when the key expires and a new key is not assigned in a timely manner.
o Devices added to the network without proper hardening (securing) can increase the
risk of compromise due to open protocols, default passwords, and lack of monitoring.
o Stale or generic security training increases the risk that users will succumb to social
engineering tactics.
o BYOD can lead to data leakage from devices on the network when internal processes
are not followed properly.
o Missing, outdated, or improperly placed rules can allow bad actors to circumvent
controls such as access control lists (ACLs) and firewall rules.
Conformity – industry recognized frameworks, standards, or methodologies may not be
followed, introducing potential regulatory or compliance risk.
Patches – if patches are not applied to critical systems, the IT infrastructure is exposed to
vulnerabilities and security issues.

Resource
For more information on patch management, see IIA GTAG, “IT Change Management: Critical for
Organizational Success, 3rd Edition.”
20 — theiia.org