Page 24 - CITP Review
as a trusted source by networks, because they have legitimate login credentials. A way to overcome that
problem is to put a second firewall between the network and back-end systems to filter who gains
access to critical systems such as financial reporting systems.
One major control is to patch vulnerabilities with due diligence.
Potential intruders are constantly studying systems and attempting to break into them, probing for
weaknesses in software and technologies. Vendors become aware of these vulnerabilities and issue
patches to keep “bad guys” from breaking into systems. Entities need sound policies and
procedures to become aware of relevant patches and to implement them effectively and in a timely manner,
reducing the risks associated with those vulnerabilities. The current preference is to build automated
systems that respond to vendor alerts and apply patches to the system automatically.
Another major control area is encryption of data at rest or in transit (for example, over the internet) when
that data is extremely sensitive (for example, payroll data or credit card data) or there is a high risk of
interception in communications. Encryption tools vary in strength, and encryption is not always
needed or the only control solution — for example, VPNs can securely transmit data over the internet.
Putting a combination of effective tools and controls into place for protection of networks is referred to as
“hardening” the system. Some other controls to implement would include controls in the following areas:
Buffer overflow
Adware or spyware
Antivirus
Certain internet ports
Intrusion detection.
Intrusion detection uses patterns of known exploitation to recognize an unauthorized attack, or
intrusion. Intrusion detection systems are vitally important for entities that have a lot of public exposure,
name recognition, or other factors that attract malicious attacks by these types of cybercriminals.
A key to providing reasonable assurance over network security is to have a current, well-documented
network diagram. Trust relationships are more easily seen and addressed with this diagram than without it.
Best practices generally state that infosec begins with this diagram.
Network access controls
Access controls are based on limited or restricted access. That is, each person or group of persons is
granted the fewest privileges on the network possible. For example, Active Directory
(Microsoft) provides settings to establish access rights for individuals or groups, and does so with a
relatively high degree of granularity. Access rights include privileges for access to applications,
folders, files, and other objects. Regardless of the tool or methodology, the CITP would examine and
evaluate network access control based on the principle of restricted access.
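As an added example (not from the CITP Review text), the following Python models the review step described above: it resolves nested group membership the way Active Directory groups can nest, computes each user's effective rights on shared folders, and reports every grant that exceeds a documented least-privilege baseline. The group names, folder paths, users and rights are constructed sample data.

```python
from collections import defaultdict
# Constructed sample directory (not real data): group -> members, which may be users or nested groups.
GROUPS = {
    "Finance-Reporting": {"alice", "bob", "Finance-Managers"},
    "Finance-Managers": {"alice", "carol"},
    "Helpdesk": {"dave"}, "Domain-Admins": {"dave"},
}
# Constructed ACLs: shared folder -> {principal: rights granted to that user or group}.
ACLS = {
    r"\\fs01\finance\GL": {"Finance-Reporting": {"read"}, "Finance-Managers": {"read", "write"}},
    r"\\fs01\finance\Payroll": {"Finance-Managers": {"read", "write"}, "Domain-Admins": {"read", "write", "full"}},
    r"\\fs01\it\Tickets": {"Helpdesk": {"read", "write"}},
}
# Least-privilege baseline the reviewer documents: the rights each user actually needs for the job.
BASELINE = {
    "alice": {r"\\fs01\finance\GL": {"read"}}, "bob": {r"\\fs01\finance\GL": {"read"}},
    "carol": {r"\\fs01\finance\GL": {"read", "write"}, r"\\fs01\finance\Payroll": {"read", "write"}},
    "dave": {r"\\fs01\it\Tickets": {"read", "write"}},
}

def expand_group(group, groups, seen=None):
    """All users in `group`, following nested groups; `seen` guards against membership cycles."""
    seen = {group} if seen is None else seen
    users = set()
    for member in groups.get(group, ()):
        if member not in groups:
            users.add(member)          # a user account, not a group
        elif member not in seen:
            seen.add(member)           # a nested group not yet visited
            users |= expand_group(member, groups, seen)
    return users

def effective_rights(acls, groups):
    """user -> object -> union of rights granted directly or through any nested group."""
    rights = defaultdict(lambda: defaultdict(set))
    for obj, entries in acls.items():
        for principal, granted in entries.items():
            for user in expand_group(principal, groups) if principal in groups else {principal}:
                rights[user][obj] |= granted
    return rights

def excess_privileges(acls, groups, baseline):
    """(user, object, extra rights) for every effective grant that exceeds the baseline."""
    findings = []
    for user, objects in sorted(effective_rights(acls, groups).items()):
        for obj, granted in sorted(objects.items()):
            extra = granted - baseline.get(user, {}).get(obj, set())
            if extra:
                findings.append((user, obj, frozenset(extra)))
    return findings
```

Run against the sample data, the report flags alice (who inherits write on GL and payroll access through Finance-Managers) and dave (whose Domain-Admins membership grants full payroll access a helpdesk role does not need).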
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-16