Page 40 - ITGC_Audit Guides

both. MFA/2FA means that in addition to entering a password, a user must enter a token or a passkey that refreshes periodically (e.g., a one-time multi-digit number or “token” sent to the remote user’s mobile phone, which must be entered to complete the user’s access to an organization’s system).

Remote Access: Virtual Private Network (VPN)
A VPN extends a private network across a public network and enables users to send and receive data as if they were connected over a private network. It provides the functionality, security, and management characteristics of a private network. Organizations should ensure that all VPN access is verified and authenticated (e.g., with MFA) to prevent unauthorized remote access to the organization’s network.

Remote access inherently presumes an insecure Layer 2 through 4 connection. When using a VPN, before data is sent, the session layer (Layer 5) provides an encrypted “tunnel” to transfer data. This is an important security measure for the organization: in the event a non-employee gains access to the data, the entire encapsulated contents, and in some cases even the transmission information, are encrypted. The internal system that receives these connections and decrypts the contents is called a point of presence (PoP). Due to their role, PoP servers should never be attached to the internet. The most common way to provide PoP service is to use a VPN to encrypt traffic between the host and the internal network point of presence.
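To make the encapsulation concrete, the following added example (not code from the guide) models a remote host wrapping an inner packet for the PoP. The cipher is a constructed HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a real VPN suite such as IPsec ESP or TLS; the key, addresses (RFC 5737 documentation ranges) and inner packet are constructed values. It shows what an on-path observer can read (outer host and PoP addresses, ciphertext length) and that the inner addresses and payload are hidden and tamper-evident.

```python
"""Toy VPN encapsulation: what the encrypted tunnel hides from an on-path observer.
Added example, not from the guide. The cipher is a constructed HMAC-SHA256
counter-mode keystream plus an encrypt-then-MAC tag, standing in for a real
suite (IPsec ESP, TLS); it illustrates the concept and is not a protocol."""
import hashlib
import hmac
import json
import os
import struct
from typing import Dict

DEMO_KEY = b"constructed-shared-key-for-demo!"   # placeholder, not a real key


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and authentication keys from the shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encapsulate(key: bytes, inner: Dict, outer_src: str, outer_dst: str) -> Dict:
    """Host side: the whole inner packet, its own addresses included, becomes
    ciphertext; only the outer header (host <-> PoP) stays readable."""
    plain = json.dumps(inner, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(_subkey(key, b"enc"), nonce, len(plain))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"src": outer_src, "dst": outer_dst, "nonce": nonce.hex(),
            "payload": ct.hex(), "tag": tag.hex()}


def decapsulate(key: bytes, outer: Dict) -> Dict:
    """PoP side: verify the tag before decrypting so altered packets are dropped."""
    nonce, ct = bytes.fromhex(outer["nonce"]), bytes.fromhex(outer["payload"])
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(outer["tag"])):
        raise ValueError("authentication tag mismatch: packet altered or wrong key")
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    return json.loads(plain)


def observer_view(outer: Dict) -> Dict:
    """Everything a non-employee on the public network can read from the packet."""
    return {"src": outer["src"], "dst": outer["dst"], "payload_bytes": len(outer["payload"]) // 2}


# Constructed inner packet: internal addresses and a sensitive request.
INNER_PACKET = {"src": "10.0.5.7", "dst": "10.0.1.10", "dport": 445, "data": "payroll file request"}

if __name__ == "__main__":
    outer = encapsulate(DEMO_KEY, INNER_PACKET, "198.51.100.23", "192.0.2.10")
    print("observer sees:", observer_view(outer))
    print("PoP recovers:", decapsulate(DEMO_KEY, outer))
```

The observer learns only that the host is talking to the PoP and how much data flows, which is the “transmission information” the guide refers to; the internal destination, port and contents are visible only after the PoP decrypts and verifies the packet.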

Remote Access: Virtual Desktop
Virtual desktop protocols such as Microsoft’s Remote Desktop Protocol (RDP) give users a graphical interface for connecting one system (computer) to another over a network connection. The primary use of virtual desktop protocols is to provide technical support and to administer servers that do not have a keyboard, video monitor, or mouse attached to them, allowing administrators to operate and maintain servers in a data center.

Both computers must have the same virtual desktop protocol software installed to use this function. To access another computer, a remote user must have both the IP address and the ability to authenticate (e.g., a login, a security token). For security purposes, virtual desktop protocol software connections are often blocked at the perimeter firewall or in the DMZ.
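An auditor testing the control in the last sentence wants to confirm that the perimeter rule set actually blocks virtual desktop connections from the internet. The following added example (not code from the guide, and not any firewall vendor's syntax) evaluates a simplified first-match rule list with an implicit final deny, and lists the internal hosts reachable on RDP from an arbitrary internet address. The rule sets, host addresses and probe address are constructed; TCP 3389 is the default RDP listener port, which the guide does not state.

```python
"""Audit-style check that virtual desktop (RDP) ports are blocked at the perimeter.
Added example, not from the guide. Rule format and rule sets are constructed and
simplified (first matching rule wins, implicit deny at the end); TCP 3389 is the
default RDP listener port."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RDP_PORT = 3389
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port


def first_match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Evaluate one flow against the rule list; unmatched flows hit the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if src not in ipaddress.ip_network(rule.src) or dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def rdp_exposed_hosts(rules: List[Rule], internal_hosts: List[str],
                      internet_probe: str = "203.0.113.5") -> List[str]:
    """Internal hosts reachable on RDP from an arbitrary internet address
    (probe address is an RFC 5737 documentation address)."""
    return [host for host in internal_hosts
            if first_match(rules, "tcp", internet_probe, host, RDP_PORT) == "allow"]


# Constructed rule sets for a perimeter firewall in front of 10.0.0.0/8.
WEAK_RULES = [
    Rule("allow", "tcp", ANY, "10.0.0.0/8", 443),        # public web front end
    Rule("allow", "tcp", ANY, "10.0.0.0/8", RDP_PORT),   # "temporary" admin convenience
]
HARDENED_RULES = [
    Rule("allow", "tcp", ANY, "10.0.0.0/8", 443),
    Rule("allow", "tcp", "10.0.0.0/8", "10.0.0.0/8", RDP_PORT),  # RDP only from inside (e.g., after VPN)
    Rule("deny", "any", ANY, ANY, RDP_PORT),                      # explicit perimeter block
]
INTERNAL_HOSTS = ["10.0.1.10", "10.0.2.20"]  # constructed sample of servers in scope

if __name__ == "__main__":
    print("weak rules expose:", rdp_exposed_hosts(WEAK_RULES, INTERNAL_HOSTS))
    print("hardened rules expose:", rdp_exposed_hosts(HARDENED_RULES, INTERNAL_HOSTS))
```

The hardened set still lets administrators reach RDP from inside the network (for example after authenticating through the VPN), which is the use the guide describes, while the explicit deny documents the perimeter control an auditor can point to.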

32 — theiia.org