Page 41 - ITGC_Audit Guides

Network Defense

                   To fully comprehend network security as it relates to a network's components and
                   architecture, the concept of layered defense or defense-in-depth must be understood
                   (Figure 16). This concept focuses on the premise that no single point of failure should
                   cause the total compromise of security.

                   Figure 16: Layered Defense-in-depth Model. Layers shown: Application and Data Security;
                   Host Security; Network Security; Physical Security; Policy and Procedures.
                   Source: The Institute of Internal Auditors.

                   Layered Defense or Defense-in-depth

                   This concept ensures there are multiple layers of controls before a potential intruder can
                   access sensitive information. Usually, these layers of controls exist across the network,
                   servers, applications, and databases. The concept also ensures that appropriate physical
                   controls are in place. The overall concept is governed by appropriate policies and
                   procedures.
                   The concept of defense-in-depth is similar to how castles were protected during medieval times,
                   when multiple controls or barriers protected the crown jewels as well as the inhabitants. A similar
                   philosophy exists today to define cyber controls across the various layers of the cyber environment.
                      The internet is outside of the castle gate.
                      The castle gate is the external-facing firewall and its rule set.
                      The walls, moat, and courtyard are the DMZ.
                      The watchtowers are the monitoring controls: IDS/IPS, DLP, and the email and web gateways.
                      The inner door to the castle is the internal-facing firewall.
                      The rooms of the castle are the segmented internal network.
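                   The castle analogy can be checked rather than just described. The following is an added example, not
                   code from the guide or from the IIA: it models each castle boundary as a firewall with an explicit
                   allow list and walks the zones an intruder would have to cross from the internet to the database.
                   The zone names (internet, dmz, app, db), ports and rules are hypothetical. The layered rule set forces
                   three separate compromises to reach the data; adding one "convenience" rule from the internet to the
                   database collapses the depth to a single layer, which is exactly the single point of failure the
                   model is meant to rule out.

```python
from collections import deque

# Constructed, hypothetical rule sets (not from the guide). Each tuple is one
# allow rule on the firewall between two zones: (source zone, destination zone, port).
LAYERED_RULES = [
    ("internet", "dmz", 443),   # castle gate: external firewall admits only HTTPS to the web tier
    ("dmz", "app", 8443),       # inner door: internal firewall, web tier to application tier
    ("app", "db", 5432),        # rooms: segmented network, application tier to database only
]

# The same network with a rule that punches straight through the walls.
FLAT_RULES = LAYERED_RULES + [("internet", "db", 5432)]


def is_allowed(rules, src, dst, port):
    """True if a single firewall boundary directly permits src -> dst on port."""
    return (src, dst, port) in rules


def attack_paths(rules, start):
    """Breadth-first search over zones. For every zone reachable from `start`,
    return the shortest chain of (zone, port) hops an intruder must traverse,
    compromising a host in each zone along the way."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, port in rules:
            if src == zone and dst not in paths:
                paths[dst] = paths[zone] + [(dst, port)]
                queue.append(dst)
    return paths


def layers_between(rules, start, target):
    """Number of firewall boundaries (hosts to compromise) between two zones,
    or None if the target is unreachable. More layers means more depth."""
    paths = attack_paths(rules, start)
    return len(paths[target]) if target in paths else None


if __name__ == "__main__":
    for name, rules in (("layered", LAYERED_RULES), ("flat", FLAT_RULES)):
        print(name, "internet -> db crosses", layers_between(rules, "internet", "db"),
              "layer(s):", attack_paths(rules, "internet").get("db"))
```

                   An auditor reviewing real firewall exports can feed the parsed rules into the same search and ask,
                   for each sensitive zone, how many boundaries separate it from the internet; any answer of one is a
                   finding regardless of how good the remaining controls are.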

                   Network Challenges and Risks


                   Networks have many components, and each organization will have a unique network structure.
                   The effectiveness of the network can significantly affect an organization's operations. An internal
                   auditor's understanding of the network architecture is key to understanding the risks and
                   challenges associated with the network.

                   There are numerous challenges/risks related to an organization’s network that internal auditors
                   should be aware of, which can include but are not limited to:

                      Ensuring proper identification of all external-facing services provided by the organization.
                      Ensuring sufficient network security.
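                   Identifying all external-facing services is in practice a reconciliation: what the organization says it
                   exposes against what is actually reachable from the internet. The following is an added example, not
                   code from the guide or from the IIA. Both inputs are constructed: a hypothetical approved-services
                   inventory and a hypothetical external port-scan result reduced to CSV, using addresses from the
                   203.0.113.0/24 documentation range. The function reports open services nobody approved (unknown
                   exposure) and inventoried services the scan could not find (stale inventory or a service that is down or
                   firewalled), which are the two exceptions an auditor would want to see.

```python
import csv
import io

# Constructed, hypothetical inventory of approved external services (not from the guide).
APPROVED_INVENTORY = """\
ip,port,proto,service,owner
203.0.113.10,443,tcp,customer-portal,web-team
203.0.113.20,25,tcp,mail-gateway,messaging
203.0.113.30,443,tcp,vpn-gateway,network-team
"""

# Constructed external scan output, reduced to the fields the reconciliation needs.
EXTERNAL_SCAN = """\
ip,port,proto,state
203.0.113.10,443,tcp,open
203.0.113.10,22,tcp,open
203.0.113.20,25,tcp,open
203.0.113.40,3389,tcp,open
203.0.113.30,443,tcp,closed
"""


def load_rows(text):
    """Parse a CSV string with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, scan_csv):
    """Compare the approved inventory against what the scan found open.

    Returns (unapproved, unreachable), each a sorted list of (ip, port, proto):
      unapproved   open on the internet but absent from the inventory
      unreachable  in the inventory but not observed open by the scan
    """
    approved = {(r["ip"], int(r["port"]), r["proto"]) for r in load_rows(inventory_csv)}
    observed = {(r["ip"], int(r["port"]), r["proto"])
                for r in load_rows(scan_csv) if r["state"] == "open"}
    return sorted(observed - approved), sorted(approved - observed)


if __name__ == "__main__":
    unapproved, unreachable = reconcile(APPROVED_INVENTORY, EXTERNAL_SCAN)
    for ip, port, proto in unapproved:
        print(f"UNAPPROVED exposure: {ip} {port}/{proto}")
    for ip, port, proto in unreachable:
        print(f"INVENTORIED but not open: {ip} {port}/{proto}")
```

                   Each unapproved entry needs an owner and either an approval or a removal; each unreachable entry
                   needs the inventory corrected, since an inventory that lists services that do not exist is as
                   unreliable as one that misses services that do.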








                   33 — theiia.org